Virtumonde.dll assistance needed



kacper1194
2008-05-17, 18:25
Hello
I have detected Virtumonde.dll in my System32 folder with Spybot Search & Destroy, but the problem is I cannot delete it. What happens is that when I do a full scan with Spybot S&D on my computer it detects Virtumonde.dll in my System32 folder; I have tried to delete it several times but it keeps coming back every time I restart. I was not able to do the Kaspersky online scan because my Firefox browser stopped working, and every time I open IE it keeps on spamming popups about fake anti-spyware programs.

That is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:50:53, on 2008-05-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\tgyetsrm.dll",b
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\bxefmlrl.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 6788 bytes
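The helper's reply below works by reading load points like these for the tell-tale signs of this infection: Run entries that start rundll32 on a randomly named DLL in system32 with a one-letter export (`,b`, `,s`), BHOs registered with no name or pointing at a file that is already gone, a Winlogon Notify DLL, and the same DLL showing up under several load points. The following triage script is an added example (not part of this thread or of HijackThis) that applies those heuristics to HijackThis-style lines; the sample input is constructed from the entries posted in this thread, and every hit is a lead for an analyst, not a verdict.

```python
import re

# Constructed sample input: HijackThis-style lines modelled on the entries in this thread.
SAMPLE_LOG = r"""
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - C:\WINDOWS\system32\pmnkJcdb.dll
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - C:\WINDOWS\system32\mlJYSMGy.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\tgyetsrm.dll",b
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\bxefmlrl.dll",s
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: pmnkJcdb - C:\WINDOWS\SYSTEM32\pmnkJcdb.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section id and the rest of the line
SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path ending in .dll/.exe on the line (paths may contain spaces)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)
# rundll32 invoking a DLL through a single-letter export name, e.g. ...\x.dll",b
RUNDLL_EXPORT_RE = re.compile(r'rundll32\.exe\s+"?[^",]+\.dll"?,([A-Za-z])\b', re.IGNORECASE)
# Heuristic for the 8-letter random names seen in this thread (tgyetsrm.dll, pmnkJcdb.dll)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return one finding per suspicious line as (section, line, [reasons]).

    These are heuristics only: each hit still needs an analyst's judgement,
    and a clean line here does not mean the machine is clean.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append((section, line, pm.group(0) if pm else None))

    # Cross-reference: which load-point sections reference each DLL/EXE name
    seen = {}
    for section, line, path in entries:
        if path:
            seen.setdefault(basename(path).lower(), set()).add(section)

    findings = []
    for section, line, path in entries:
        reasons = []
        name = basename(path).lower() if path else ""
        in_system32 = bool(path) and "\\system32\\" in path.lower()
        if section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        if "(file missing)" in line:
            reasons.append("load point references a file that is gone (orphaned or self-deleting)")
        if section == "O4" and RUNDLL_EXPORT_RE.search(line):
            reasons.append("rundll32 loads a DLL via a single-letter export")
        if section == "O4" and not re.search(r"Run(?:Once)?: \[", line):
            reasons.append("Run entry has no value name")
        if in_system32 and RANDOM_NAME_RE.match(basename(path)):
            reasons.append("8-letter random-looking DLL name in system32")
        if section == "O20":
            reasons.append("Winlogon Notify DLL loads at logon, before user-mode tools")
        if name and len(seen[name]) > 1:
            reasons.append("same DLL appears under %s" % ", ".join(sorted(seen[name])))
        if reasons:
            findings.append((section, line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    -", r)
```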

pskelley
2008-05-18, 00:44
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, so I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect fast or easy.

Thanks for the feedback, we will run the Kaspersky scan later. If you still need help, proceed like this.

1) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT.exe; call it kacper1194.exe, that will work. The hackers hide their junk from HJT and we may see the infection after a reboot.

2) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

kacper1194
2008-05-18, 04:03
Here's the new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:46:34, on 2008-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\Trend Micro\HijackThis\kacper1194.exe

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - C:\WINDOWS\system32\pmnkJcdb.dll
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - C:\WINDOWS\system32\mlJYSMGy.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - C:\WINDOWS\system32\cbXNEwtU.dll (file missing)
O2 - BHO: (no name) - {6E35D35C-CD96-4464-9F96-081F1B3E8938} - C:\WINDOWS\system32\mlJYolMf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - C:\WINDOWS\system32\geBrpoNe.dll (file missing)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - C:\WINDOWS\system32\iifgdAtt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: pmnkJcdb - C:\WINDOWS\SYSTEM32\pmnkJcdb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 7803 bytes


And that's the ComboFix log

ComboFix 08-05-15.3 - Kacper 2008-05-18 2:50:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2800 [GMT 1:00]
Running from: C:\Documents and Settings\Kacper\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\eNoprBeg.ini
C:\WINDOWS\system32\eNoprBeg.ini2
C:\WINDOWS\system32\FiOrAJlm.ini
C:\WINDOWS\system32\FiOrAJlm.ini2
C:\WINDOWS\system32\fMloYJlm.ini
C:\WINDOWS\system32\fMloYJlm.ini2
C:\WINDOWS\system32\glwsmyqx.ini
C:\WINDOWS\system32\gsqrbiog.ini
C:\WINDOWS\system32\mrsteygt.ini
C:\WINDOWS\system32\qtsynoyg.ini
C:\WINDOWS\system32\rqhfowfy.ini
C:\WINDOWS\system32\ttAdgfii.ini
C:\WINDOWS\system32\ttAdgfii.ini2
C:\WINDOWS\system32\UtwENXbc.ini
C:\WINDOWS\system32\UtwENXbc.ini2
C:\WINDOWS\system32\xgfmapyv.ini
C:\WINDOWS\system32\yGMSYJlm.ini
C:\WINDOWS\system32\yGMSYJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 02:50 . 2008-05-18 02:50 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-18 00:21 . 2008-05-18 01:55 354,816 --a----t- C:\WINDOWS\DSCoreItem.dsf
2008-05-18 00:21 . 2008-05-18 00:21 0 --a------ C:\WINDOWS\WoWEmuHackSettings.ini
2008-05-17 22:00 . 2008-05-17 22:00 116,224 --a------ C:\WINDOWS\system32\goibrqsg.dll
2008-05-17 21:54 . 2008-05-17 21:54 134,144 --a------ C:\WINDOWS\system32\oahnaosq.dll
2008-05-17 21:51 . 2008-05-17 21:51 125,952 --a------ C:\WINDOWS\system32\pmqggbdh.dll
2008-05-17 21:48 . 2008-05-17 21:48 371,712 --a------ C:\WINDOWS\system32\mlJYolMf.dll
2008-05-17 16:50 . 2008-05-17 16:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 16:45 . 2008-05-17 16:45 116,224 --a------ C:\WINDOWS\system32\gyonystq.dll
2008-05-17 16:44 . 2008-05-17 16:44 134,144 --a------ C:\WINDOWS\system32\gqeauarl.dll
2008-05-17 16:41 . 2008-05-17 16:41 125,952 --a------ C:\WINDOWS\system32\bxefmlrl.dll
2008-05-17 15:01 . 2008-05-17 15:01 116,224 --a------ C:\WINDOWS\system32\vypamfgx.dll
2008-05-17 14:55 . 2008-05-17 14:55 134,144 --a------ C:\WINDOWS\system32\rsrjxyto.dll
2008-05-17 14:52 . 2008-05-17 14:52 125,952 --a------ C:\WINDOWS\system32\wamxxtbs.dll
2008-05-15 23:10 . 2008-05-15 23:10 <DIR> d-------- C:\Program Files\Unlocker
2008-05-15 23:00 . 2008-05-15 23:01 <DIR> d-------- C:\!KillBox
2008-05-15 21:29 . 2008-05-15 21:29 133,120 --a------ C:\WINDOWS\system32\duxegnsb.dll
2008-05-15 21:23 . 2008-05-15 21:23 116,736 --a------ C:\WINDOWS\system32\yfwofhqr.dll
2008-05-15 21:17 . 2008-05-15 21:17 125,952 --a------ C:\WINDOWS\system32\malgifxk.dll
2008-05-15 15:53 . 2008-05-15 15:53 116,736 --a------ C:\WINDOWS\system32\xqymswlg.dll
2008-05-15 15:44 . 2008-05-15 15:44 133,120 --a------ C:\WINDOWS\system32\bhspethk.dll
2008-05-15 15:41 . 2008-05-15 15:41 125,952 --a------ C:\WINDOWS\system32\ghyiauwc.dll
2008-05-13 20:41 . 2008-05-17 17:16 963 --a------ C:\WINDOWS\wininit.ini
2008-05-13 20:23 . 2008-05-13 20:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 20:23 . 2008-05-14 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 18:18 . 2008-05-13 18:18 335 --a------ C:\WINDOWS\mozregistry.dat
2008-05-13 17:30 . 2008-05-13 17:30 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-13 17:27 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-13 16:26 . 2008-05-18 02:56 109,807 --a------ C:\WINDOWS\BM978d8690.xml
2008-05-12 20:12 . 2007-02-09 18:34 420,816 --a------ C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
2008-05-12 20:11 . 2008-03-15 17:57 199,445 --a------ C:\Documents and Settings\Kacper\Application Data\toolbar.dll
2008-05-12 20:11 . 2008-05-12 11:56 92,672 --------- C:\Documents and Settings\Kacper\Application Data\dr.exe
2008-05-12 20:11 . 2008-03-15 15:24 82,937 --a------ C:\Documents and Settings\Kacper\Application Data\space1.exe
2008-05-12 20:11 . 2008-05-12 20:11 57,344 --a------ C:\WINDOWS\system32\pmnkJcdb.dll
2008-05-12 17:44 . 2008-05-12 17:44 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\Gadu-Gadu
2008-05-12 07:46 . 2008-05-12 07:46 <DIR> d-------- C:\Logs
2008-05-10 23:21 . 2008-05-10 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-10 01:35 . 2008-05-11 21:02 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-05-09 17:50 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-05-09 17:50 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-05-08 20:17 . 2008-05-09 07:38 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\GetRightToGo
2008-05-08 17:33 . 2008-05-08 17:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-07 21:28 . 2003-04-04 15:03 57,344 --a------ C:\WINDOWS\system32\_packet.dlluninstall
2008-05-06 19:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-06 19:59 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-06 19:59 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-03 21:27 . 2008-05-03 21:30 <DIR> d-------- C:\Documents and Settings\Kacper\Gadu-Gadu
2008-05-02 22:21 . 2008-05-02 22:21 <DIR> d-------- C:\WINDOWS\Sun
2008-05-02 22:21 . 2008-05-02 22:21 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-05-02 22:20 . 2008-05-02 22:20 <DIR> d-------- C:\Program Files\Java
2008-05-02 22:20 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-02 22:19 . 2008-05-02 22:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-30 16:14 . 2008-04-30 16:14 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-30 01:58 . 2008-04-30 01:58 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-28 15:16 . 2008-04-28 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-27 17:41 . 2008-04-27 17:41 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-27 17:39 . 2008-04-27 17:40 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-27 16:04 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-27 16:03 . 2008-04-27 16:03 <DIR> d-------- C:\Program Files\MSBuild
2008-04-27 16:03 . 2008-04-27 16:03 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-27 16:01 . 2008-04-27 16:01 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-27 15:59 . 2008-04-27 15:59 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-27 15:58 . 2008-04-27 16:02 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-27 15:58 . 2008-05-07 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-27 15:57 . 2008-04-27 15:57 <DIR> dr-h----- C:\MSOCache
2008-04-27 15:37 . 2008-04-27 15:37 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-23 20:22 . 2008-04-23 20:22 <DIR> dr-h----- C:\Documents and Settings\Kacper\Application Data\SecuROM
2008-04-23 19:47 . 2008-05-09 17:44 <DIR> d---s---- C:\Program Files\Xfire
2008-04-23 19:47 . 2008-05-08 17:34 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\Xfire
2008-04-22 10:31 . 2008-04-22 10:31 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\HP
2008-04-22 10:23 . 2008-04-22 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-22 10:23 . 2008-04-22 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-22 10:23 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-04-22 10:22 . 2008-04-22 10:22 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\HPAppData
2008-04-22 10:22 . 2008-04-22 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-22 10:21 . 2008-04-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-22 10:21 . 2008-04-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-22 10:20 . 2008-04-22 10:46 <DIR> d-------- C:\Program Files\HP
2008-04-22 10:20 . 2008-04-22 10:20 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-22 10:20 . 2007-03-31 06:11 267,864 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-04-22 10:19 . 2008-04-22 10:24 137,508 --a------ C:\WINDOWS\HPHins15.dat
2008-04-22 10:19 . 2007-08-28 22:16 2,828 --------- C:\WINDOWS\hphmdl15.dat
2008-04-22 09:38 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-22 09:38 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-18 21:37 . 2008-04-18 21:37 5,632 --a------ C:\WINDOWS\system32\BReWErS.dll
2008-04-18 15:15 . 2008-04-18 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 15:14 . 2008-04-18 15:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 14:41 . 2007-09-19 11:14 16,844,800 -r------- C:\WINDOWS\RTHDCPL.exe
2008-04-18 14:41 . 2007-03-23 12:19 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2008-04-18 14:41 . 2007-09-19 10:16 4,617,728 -ra------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-04-18 14:41 . 2007-06-28 09:44 2,165,760 -r------- C:\WINDOWS\MicCal.exe
2008-04-18 14:41 . 2007-08-03 06:22 1,826,816 -r------- C:\WINDOWS\SkyTel.exe
2008-04-18 14:41 . 2007-07-26 11:06 1,191,936 -r------- C:\WINDOWS\RtlUpd.exe
2008-04-18 14:41 . 2006-08-17 23:58 282,624 -ra------ C:\WINDOWS\system32\RTSndMgr.cpl
2008-04-18 14:41 . 2006-07-21 09:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-04-18 14:41 . 2005-05-03 11:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-04-18 14:41 . 2006-08-01 08:02 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2008-04-18 14:40 . 2006-05-04 09:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-04-18 14:40 . 2007-07-26 10:09 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-04-18 14:40 . 2005-09-21 03:25 299,008 -ra------ C:\WINDOWS\system32\ALSndMgr.cpl
2008-04-18 00:44 . 2008-04-18 00:44 <DIR> d-------- C:\BIOS
2008-04-18 00:42 . 2008-04-18 00:42 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-18 00:26 . 2008-04-18 00:26 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-18 00:26 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-18 00:26 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-18 00:23 . 2008-04-18 00:56 <DIR> d-------- C:\WINDOWS\NV38963468.TMP
2008-04-18 00:23 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-04-18 00:22 . 2008-04-18 00:22 <DIR> d-------- C:\NVIDIA
2008-04-18 00:17 . 2008-03-01 14:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-18 00:17 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-18 00:17 . 2007-03-08 06:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-18 00:17 . 2008-03-01 14:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-18 00:17 . 2008-03-01 14:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-18 00:17 . 2008-03-01 14:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-18 00:17 . 2008-03-01 14:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-18 00:17 . 2008-03-01 14:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-18 00:17 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 01:55 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-05-15 14:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-15 14:59 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-13 16:00 --------- d-----w C:\Documents and Settings\Kacper\Application Data\uTorrent
2008-05-12 15:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 16:16 --------- d-----w C:\Program Files\Google
2008-04-24 15:21 --------- d-----w C:\Program Files\ESET
2008-04-18 13:40 --------- d-----w C:\Program Files\Realtek
2008-04-17 23:54 --------- d-----w C:\Program Files\Intel
2008-04-17 22:27 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-17 22:27 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-17 22:25 --------- d-----w C:\Program Files\Futuremark
2008-04-16 00:59 --------- d-----w C:\Documents and Settings\Kacper\Application Data\Microsoft Games
2008-04-16 00:52 --------- d-----w C:\Program Files\uTorrent
2008-04-15 23:58 --------- d-----w C:\Program Files\Microsoft Games
2008-04-15 23:56 --------- d-----w C:\Program Files\Alcohol Soft
2008-04-15 23:47 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-15 23:03 --------- d-----w C:\Program Files\WinImage
2008-04-15 20:44 --------- d-----w C:\Program Files\THQ
2008-04-15 18:47 --------- d-----w C:\Program Files\GameSpy
2008-04-15 18:45 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-04-15 18:45 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-15 18:45 22,328 ----a-w C:\Documents and Settings\Kacper\Application Data\PnkBstrK.sys
2008-04-15 18:34 --------- d-----w C:\Program Files\Electronic Arts
2008-04-15 18:23 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-15 18:23 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-15 18:23 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-14 23:47 --------- d-----w C:\Program Files\Activision
2008-04-14 19:23 --------- d-----w C:\Program Files\Gothic III
2008-04-14 12:41 --------- d-----w C:\Program Files\CyberLink
2008-04-14 12:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 20:45 271,360 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-13 20:45 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-13 19:23 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 19:23 --------- d-----w C:\Program Files\Tomb Raider - Anniversary
2008-04-13 19:06 --------- d-----w C:\Program Files\Multimedia Keyboard Driver
2008-04-13 18:57 --------- d-----w C:\Documents and Settings\Kacper\Application Data\InstallShield
2008-04-13 18:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-13 18:48 90,112 ----a-w C:\WINDOWS\DUMP2b26.tmp
2008-04-13 18:43 --------- d-----w C:\Program Files\GIGABYTE
2008-04-13 18:28 --------- d-----w C:\Program Files\XpertVision
2008-04-13 18:15 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14370F76-7676-44A2-AD11-93A31C5FC9FC}]
2008-05-12 20:11 57344 --a------ C:\WINDOWS\system32\pmnkJcdb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{145AD62D-3300-4EDF-981B-F6F8293ACE83}]
C:\WINDOWS\system32\mlJYSMGy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E25B605-6CD3-45C4-9E2D-DB4805607A8D}]
C:\WINDOWS\system32\cbXNEwtU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E35D35C-CD96-4464-9F96-081F1B3E8938}]
2008-05-17 21:48 371712 --a------ C:\WINDOWS\system32\mlJYolMf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A236A701-CF9F-48C0-A905-1E23AD5CCE16}]
C:\WINDOWS\system32\geBrpoNe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A94C61D5-D267-4CE3-A9F1-755F11AD1B38}]
C:\WINDOWS\system32\iifgdAtt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 17:42 217544]
"Gadu-Gadu"="K:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 11:04 2127296]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-08 17:16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\Program Files\XpertVision\TBPanel.exe" [2007-11-27 14:40 2169352]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"GEST"="C:\Program Files\GIGABYTE\GEST\RUN.exe" [2007-12-14 11:46 236040]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 07:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-08-29 09:55 1966080]
"WireLessKeyboard"="C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe" [2005-11-30 12:48 94208]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-15 19:23 949376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 11:14 16844800 C:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"94beb50c"="C:\WINDOWS\system32\goibrqsg.dll" [2008-05-17 22:00 116224]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 05:15 15872]
"BM978d8690"="C:\WINDOWS\system32\pmqggbdh.dll" [2008-05-17 21:51 125952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{14370F76-7676-44A2-AD11-93A31C5FC9FC}"= C:\WINDOWS\system32\pmnkJcdb.dll [2008-05-12 20:11 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkJcdb]
pmnkJcdb.dll 2008-05-12 20:11 57344 C:\WINDOWS\system32\pmnkJcdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kacper^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Kacper\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-06-29 15:03 36864 C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"K:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\GIGABYTE\\GEST\\run.exe"=

R3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-05-18 02:55]
R3 GEST Service;GEST Service for program management.;"C:\Program Files\GIGABYTE\GEST\GSvr.exe" [2007-12-14 11:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At1.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At2.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At3.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 02:56:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pmnkJcdb.dll
.
------------------------ Other Running Processes ------------------------
.
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-18 3:00:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 02:00:05

Pre-Run: 6,821,576,704 bytes free
Post-Run: 8,737,398,784 bytes free

328 --- E O F --- 2008-05-07 22:08:28

pskelley
2008-05-18, 13:49
I'm sorry, I always need the HijackThis log run after the other tools; that tells us what the tool accomplished.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:46:34, on 2008-05-18

ComboFix 08-05-15.3 - Kacper 2008-05-18 2:50:38.1

so... post a new HJT log. I should point out that ComboFix removed a lot of junk, but there are a lot of files
created here >> Files Created from 2008-04-18 to 2008-05-18
that are obviously malware, but I have to research them one by one before I can remove them to be sure, so stay offline and be patient.

Thanks

kacper1194
2008-05-18, 18:09
Heres the new HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:15, on 2008-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\kacper1194.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - C:\WINDOWS\system32\pmnkJcdb.dll
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - C:\WINDOWS\system32\mlJYSMGy.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - C:\WINDOWS\system32\cbXNEwtU.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {944A8BA8-E9A9-48AE-9467-1C7536EAAEC0} - C:\WINDOWS\system32\mlJYolMf.dll
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - C:\WINDOWS\system32\geBrpoNe.dll (file missing)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - C:\WINDOWS\system32\iifgdAtt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: pmnkJcdb - C:\WINDOWS\SYSTEM32\pmnkJcdb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 8027 bytes

pskelley
2008-05-18, 20:24
C:\Program Files\GIGABYTE\GEST\gest.exe <<< can you assure me this is a valid program/service?
gest.exe <<< scans as possible malware.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\pmnkJcdb.dll
C:\WINDOWS\system32\mlJYolMf.dll
C:\WINDOWS\system32\goibrqsg.dll
C:\WINDOWS\system32\pmqggbdh.dll
C:\WINDOWS\system32\oahnaosq.dll
C:\WINDOWS\system32\gyonystq.dll
C:\WINDOWS\system32\gqeauarl.dll
C:\WINDOWS\system32\bxefmlrl.dll
C:\WINDOWS\system32\vypamfgx.dll
C:\WINDOWS\system32\rsrjxyto.dll
C:\WINDOWS\system32\wamxxtbs.dll
C:\WINDOWS\system32\duxegnsb.dll
C:\WINDOWS\system32\yfwofhqr.dll
C:\WINDOWS\system32\malgifxk.dll
C:\WINDOWS\system32\xqymswlg.dll
C:\WINDOWS\system32\bhspethk.dll
C:\WINDOWS\system32\ghyiauwc.dll
C:\WINDOWS\system32\msonpmon.dll

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some lines may be gone, just don't miss any)

O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - C:\WINDOWS\system32\pmnkJcdb.dll
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - C:\WINDOWS\system32\mlJYSMGy.dll (file missing)
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - C:\WINDOWS\system32\cbXNEwtU.dll (file missing)
O2 - BHO: (no name) - {944A8BA8-E9A9-48AE-9467-1C7536EAAEC0} - C:\WINDOWS\system32\mlJYolMf.dll
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - C:\WINDOWS\system32\geBrpoNe.dll (file missing)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - C:\WINDOWS\system32\iifgdAtt.dll (file missing)
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O20 - Winlogon Notify: pmnkJcdb - C:\WINDOWS\SYSTEM32\pmnkJcdb.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix report, a new HJT log and some feedback from you.

Thanks
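
The triage done by hand in the steps above (pick out the nameless BHOs, the rundll32 Run values that call a one-letter export, the Winlogon Notify hook, then write the surviving DLLs into a CFScript) can be scripted. The Python below is an added example, not code from this thread, from ComboFix or from HijackThis. The sample input is copied from the logs posted above; the scoring rules are assumptions drawn from the patterns visible in them: eight-letter DLL names in system32, BHOs registered with no name, rundll32 launching a system32 DLL through a single-letter export, Run values named with random hex, one DLL registered both as a BHO and as a Winlogon Notify package, and a DLL with an .ini whose name is the DLL name spelled backwards (goibrqsg.dll next to gsqrbiog.ini in the ComboFix "Files Created" list). The function names triage, score_line, reversed_ini_companions and cfscript are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the HijackThis log and the
# ComboFix "Files Created" list posted in this thread, with a few clean
# entries from the same log so the heuristics have something to leave alone.
HJT_SAMPLE = r"""
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - C:\WINDOWS\system32\pmnkJcdb.dll
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - C:\WINDOWS\system32\mlJYSMGy.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {944A8BA8-E9A9-48AE-9467-1C7536EAAEC0} - C:\WINDOWS\system32\mlJYolMf.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O20 - Winlogon Notify: pmnkJcdb - C:\WINDOWS\SYSTEM32\pmnkJcdb.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""
# Basenames from the ComboFix "Files Created" section, also copied from the thread.
COMBOFIX_NEW_FILES = ["uaerqadd.dll", "kumfkvqd.dll", "gsqrbiog.ini",
                      "goibrqsg.dll", "javacpl.cpl", "wpa.bak"]

# Heuristics: assumptions drawn from the patterns in this thread's logs.
DLL_PATH = re.compile(r"([A-Za-z]:\\.*?\.dll)", re.I)
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[A-Za-z]{8}\.dll$", re.I)
RUNDLL_ONE_LETTER = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?,[A-Za-z](?!\w)', re.I)
HEX_RUN_NAME = re.compile(r"\[(?:BM)?[0-9a-f]{8}\]", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def reversed_ini_companions(files):
    """Map dll basename -> .ini whose stem is the dll stem spelled backwards
    (goibrqsg.dll / gsqrbiog.ini in this thread's ComboFix output)."""
    names = {f.lower() for f in files}
    return {f: f[:-4][::-1] + ".ini" for f in names
            if f.endswith(".dll") and f[:-4][::-1] + ".ini" in names}


def score_line(line):
    """Per-line indicators; returns (score, reasons, dll_path_or_None)."""
    score, reasons = 0, []
    m = DLL_PATH.search(line)
    dll = m.group(1) if m else None
    if dll and RANDOM_SYS32_DLL.search(dll):
        score += 1; reasons.append("eight-letter DLL name in system32")
    if line.startswith("O2 ") and "(no name)" in line:
        score += 1; reasons.append("BHO registered without a name")
    if line.startswith("O4 ") and RUNDLL_ONE_LETTER.search(line):
        score += 2; reasons.append("rundll32 calls a single-letter export")
    if line.startswith("O4 ") and HEX_RUN_NAME.search(line):
        score += 1; reasons.append("Run value named with random hex")
    return score, reasons, dll


def triage(hjt_text, new_files=(), threshold=2):
    """Score every O-line of a HijackThis log, then cross-reference DLLs that
    appear in more than one autostart location and DLLs that have a
    reversed-name .ini companion. Returns entries at or above threshold."""
    scored, where = [], defaultdict(set)
    for line in (l.strip() for l in hjt_text.splitlines()):
        if not line.startswith("O"):
            continue
        score, reasons, dll = score_line(line)
        scored.append([line, score, reasons, dll])
        if dll:
            where[basename(dll)].add(line.split(" ", 1)[0])   # e.g. "O2", "O20"
    companions = reversed_ini_companions(new_files)
    findings = []
    for line, score, reasons, dll in scored:
        if dll:
            base = basename(dll)
            if len(where[base]) > 1:
                score += 2
                reasons.append("same DLL in " + " and ".join(sorted(where[base])))
            if base in companions:
                score += 2
                reasons.append("reversed-name companion " + companions[base])
        if score >= threshold:
            findings.append({"line": line, "score": score, "reasons": reasons, "dll": dll})
    return findings


def cfscript(findings):
    """ComboFix 'File::' section for flagged DLLs that are still on disk."""
    paths, seen = [], set()
    for f in findings:
        if f["dll"] and "(file missing)" not in f["line"] and f["dll"].lower() not in seen:
            seen.add(f["dll"].lower())
            paths.append(f["dll"])
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(HJT_SAMPLE, COMBOFIX_NEW_FILES)
    for f in hits:                    # the lines to tick in HJT "Fix checked"
        print(f["score"], f["line"])
        for r in f["reasons"]:
            print("    -", r)
    print(cfscript(hits))
```

No single indicator is trusted on its own: NvMcTray.dll is a legitimate eight-letter name in system32 and scores only 1, so it stays out of the list, while the Vundo entries each collect two or more signals. Entries marked "(file missing)" are still reported as HijackThis lines to fix (the orphaned registration is what needs removing) but are left out of the CFScript, since there is nothing on disk for ComboFix to delete.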

kacper1194
2008-05-18, 22:53
OK, I've done everything as you told me to. My computer is running smoothly now; random pop-ups and trojan download attempts have stopped coming. But when I turned Tea-Timer back on again, it started showing that there are files being changed in System32 with random letters, the same ones you told me to delete before with HJT; when I denied the change it started spamming denied changes in System32, same as before.

Here's the new ComboFix log

ComboFix 08-05-15.3 - Kacper 2008-05-18 21:48:05.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2736 [GMT 1:00]
Running from: C:\Documents and Settings\Kacper\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 17:08 . 2008-05-18 17:08 133,120 --a------ C:\WINDOWS\system32\uaerqadd.dll
2008-05-18 17:06 . 2008-05-18 17:06 124,928 --a------ C:\WINDOWS\system32\kumfkvqd.dll
2008-05-18 03:00 . 2008-05-18 17:05 354 --ahs---- C:\WINDOWS\system32\gsqrbiog.ini
2008-05-18 02:50 . 2008-05-18 02:50 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-18 00:21 . 2008-05-18 01:55 354,816 --a----t- C:\WINDOWS\DSCoreItem.dsf
2008-05-18 00:21 . 2008-05-18 00:21 0 --a------ C:\WINDOWS\WoWEmuHackSettings.ini
2008-05-17 16:50 . 2008-05-17 16:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 23:10 . 2008-05-15 23:10 <DIR> d-------- C:\Program Files\Unlocker
2008-05-15 23:00 . 2008-05-15 23:01 <DIR> d-------- C:\!KillBox
2008-05-13 20:41 . 2008-05-17 17:16 963 --a------ C:\WINDOWS\wininit.ini
2008-05-13 20:23 . 2008-05-13 20:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 20:23 . 2008-05-14 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 18:18 . 2008-05-13 18:18 335 --a------ C:\WINDOWS\mozregistry.dat
2008-05-13 17:30 . 2008-05-13 17:30 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-13 17:27 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-13 16:26 . 2008-05-18 20:41 109,807 --a------ C:\WINDOWS\BM978d8690.xml
2008-05-12 20:12 . 2007-02-09 18:34 420,816 --a------ C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
2008-05-12 20:11 . 2008-03-15 17:57 199,445 --a------ C:\Documents and Settings\Kacper\Application Data\toolbar.dll
2008-05-12 20:11 . 2008-05-12 11:56 92,672 --------- C:\Documents and Settings\Kacper\Application Data\dr.exe
2008-05-12 20:11 . 2008-03-15 15:24 82,937 --a------ C:\Documents and Settings\Kacper\Application Data\space1.exe
2008-05-12 17:44 . 2008-05-12 17:44 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\Gadu-Gadu
2008-05-12 07:46 . 2008-05-12 07:46 <DIR> d-------- C:\Logs
2008-05-10 23:21 . 2008-05-10 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-10 01:35 . 2008-05-11 21:02 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-05-09 17:50 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-05-09 17:50 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-05-08 20:17 . 2008-05-09 07:38 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\GetRightToGo
2008-05-08 17:33 . 2008-05-08 17:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-07 21:28 . 2003-04-04 15:03 57,344 --a------ C:\WINDOWS\system32\_packet.dlluninstall
2008-05-06 19:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-06 19:59 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-06 19:59 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-03 21:27 . 2008-05-03 21:30 <DIR> d-------- C:\Documents and Settings\Kacper\Gadu-Gadu
2008-05-02 22:21 . 2008-05-02 22:21 <DIR> d-------- C:\WINDOWS\Sun
2008-05-02 22:21 . 2008-05-02 22:21 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-05-02 22:20 . 2008-05-02 22:20 <DIR> d-------- C:\Program Files\Java
2008-05-02 22:20 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-02 22:19 . 2008-05-02 22:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-30 16:14 . 2008-04-30 16:14 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-30 01:58 . 2008-04-30 01:58 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-28 15:16 . 2008-04-28 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-27 17:41 . 2008-04-27 17:41 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-27 17:39 . 2008-04-27 17:40 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-27 16:03 . 2008-04-27 16:03 <DIR> d-------- C:\Program Files\MSBuild
2008-04-27 16:03 . 2008-04-27 16:03 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-27 16:01 . 2008-04-27 16:01 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-27 15:59 . 2008-04-27 15:59 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-27 15:58 . 2008-04-27 16:02 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-27 15:58 . 2008-05-18 03:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-27 15:57 . 2008-04-27 15:57 <DIR> dr-h----- C:\MSOCache
2008-04-27 15:37 . 2008-04-27 15:37 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-23 20:22 . 2008-04-23 20:22 <DIR> dr-h----- C:\Documents and Settings\Kacper\Application Data\SecuROM
2008-04-23 19:47 . 2008-05-09 17:44 <DIR> d---s---- C:\Program Files\Xfire
2008-04-23 19:47 . 2008-05-08 17:34 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\Xfire
2008-04-22 10:31 . 2008-04-22 10:31 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\HP
2008-04-22 10:23 . 2008-04-22 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-22 10:23 . 2008-04-22 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-22 10:23 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-04-22 10:22 . 2008-04-22 10:22 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\HPAppData
2008-04-22 10:22 . 2008-04-22 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-22 10:21 . 2008-04-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-22 10:21 . 2008-04-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-22 10:20 . 2008-04-22 10:46 <DIR> d-------- C:\Program Files\HP
2008-04-22 10:20 . 2008-04-22 10:20 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-22 10:20 . 2007-03-31 06:11 267,864 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-04-22 10:19 . 2008-04-22 10:24 137,508 --a------ C:\WINDOWS\HPHins15.dat
2008-04-22 10:19 . 2007-08-28 22:16 2,828 --------- C:\WINDOWS\hphmdl15.dat
2008-04-22 09:38 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-22 09:38 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-18 21:37 . 2008-04-18 21:37 5,632 --a------ C:\WINDOWS\system32\BReWErS.dll
2008-04-18 15:15 . 2008-04-18 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 15:14 . 2008-04-18 15:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 14:41 . 2007-09-19 11:14 16,844,800 -r------- C:\WINDOWS\RTHDCPL.exe
2008-04-18 14:41 . 2007-03-23 12:19 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2008-04-18 14:41 . 2007-09-19 10:16 4,617,728 -ra------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-04-18 14:41 . 2007-06-28 09:44 2,165,760 -r------- C:\WINDOWS\MicCal.exe
2008-04-18 14:41 . 2007-08-03 06:22 1,826,816 -r------- C:\WINDOWS\SkyTel.exe
2008-04-18 14:41 . 2007-07-26 11:06 1,191,936 -r------- C:\WINDOWS\RtlUpd.exe
2008-04-18 14:41 . 2006-08-17 23:58 282,624 -ra------ C:\WINDOWS\system32\RTSndMgr.cpl
2008-04-18 14:41 . 2006-07-21 09:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-04-18 14:41 . 2005-05-03 11:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-04-18 14:41 . 2006-08-01 08:02 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2008-04-18 14:40 . 2006-05-04 09:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-04-18 14:40 . 2007-07-26 10:09 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-04-18 14:40 . 2005-09-21 03:25 299,008 -ra------ C:\WINDOWS\system32\ALSndMgr.cpl
2008-04-18 00:44 . 2008-04-18 00:44 <DIR> d-------- C:\BIOS
2008-04-18 00:42 . 2008-04-18 00:42 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-18 00:26 . 2008-04-18 00:26 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-18 00:26 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-18 00:26 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-18 00:23 . 2008-04-18 00:56 <DIR> d-------- C:\WINDOWS\NV38963468.TMP
2008-04-18 00:23 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-04-18 00:22 . 2008-04-18 00:22 <DIR> d-------- C:\NVIDIA
2008-04-18 00:17 . 2008-03-01 14:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-18 00:17 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-18 00:17 . 2007-03-08 06:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-18 00:17 . 2008-03-01 14:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-18 00:17 . 2008-03-01 14:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-18 00:17 . 2008-03-01 14:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-18 00:17 . 2008-03-01 14:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-18 00:17 . 2008-03-01 14:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-18 00:17 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 19:40 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-05-18 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-15 14:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-15 14:59 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-13 16:00 --------- d-----w C:\Documents and Settings\Kacper\Application Data\uTorrent
2008-05-08 16:16 --------- d-----w C:\Program Files\Google
2008-04-24 15:21 --------- d-----w C:\Program Files\ESET
2008-04-18 13:40 --------- d-----w C:\Program Files\Realtek
2008-04-17 23:54 --------- d-----w C:\Program Files\Intel
2008-04-17 22:27 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-17 22:27 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-17 22:25 --------- d-----w C:\Program Files\Futuremark
2008-04-16 00:59 --------- d-----w C:\Documents and Settings\Kacper\Application Data\Microsoft Games
2008-04-16 00:52 --------- d-----w C:\Program Files\uTorrent
2008-04-15 23:58 --------- d-----w C:\Program Files\Microsoft Games
2008-04-15 23:56 --------- d-----w C:\Program Files\Alcohol Soft
2008-04-15 23:47 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-15 23:03 --------- d-----w C:\Program Files\WinImage
2008-04-15 20:44 --------- d-----w C:\Program Files\THQ
2008-04-15 18:47 --------- d-----w C:\Program Files\GameSpy
2008-04-15 18:45 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-04-15 18:45 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-15 18:45 22,328 ----a-w C:\Documents and Settings\Kacper\Application Data\PnkBstrK.sys
2008-04-15 18:34 --------- d-----w C:\Program Files\Electronic Arts
2008-04-15 18:23 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-15 18:23 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-15 18:23 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-14 23:47 --------- d-----w C:\Program Files\Activision
2008-04-14 19:23 --------- d-----w C:\Program Files\Gothic III
2008-04-14 12:41 --------- d-----w C:\Program Files\CyberLink
2008-04-14 12:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 20:45 271,360 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-13 20:45 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-13 19:23 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 19:23 --------- d-----w C:\Program Files\Tomb Raider - Anniversary
2008-04-13 19:06 --------- d-----w C:\Program Files\Multimedia Keyboard Driver
2008-04-13 18:57 --------- d-----w C:\Documents and Settings\Kacper\Application Data\InstallShield
2008-04-13 18:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-13 18:48 90,112 ----a-w C:\WINDOWS\DUMP2b26.tmp
2008-04-13 18:28 --------- d-----w C:\Program Files\XpertVision
2008-04-13 18:15 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-18_20.02.57.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 18:59:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 20:34:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14370F76-7676-44A2-AD11-93A31C5FC9FC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{145AD62D-3300-4EDF-981B-F6F8293ACE83}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3302b6fe-c10b-410d-9c5c-89bac4677712}]
2008-05-18 17:08 133120 --a------ C:\WINDOWS\system32\uaerqadd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E25B605-6CD3-45C4-9E2D-DB4805607A8D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{805F131E-D1A8-4196-AC9D-2F41FDEE738C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A236A701-CF9F-48C0-A905-1E23AD5CCE16}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A94C61D5-D267-4CE3-A9F1-755F11AD1B38}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 17:42 217544]
"Gadu-Gadu"="K:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 11:04 2127296]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-08 17:16 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\Program Files\XpertVision\TBPanel.exe" [2007-11-27 14:40 2169352]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 07:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-08-29 09:55 1966080]
"WireLessKeyboard"="C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe" [2005-11-30 12:48 94208]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-15 19:23 949376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 11:14 16844800 C:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 05:15 15872]
"BM978d8690"="C:\WINDOWS\system32\pmqggbdh.dll" [ ]
"GEST"="C:\Program Files\GIGABYTE\GEST\RUN.exe" [ ]
"94beb50c"="C:\WINDOWS\system32\goibrqsg.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkJcdb]
pmnkJcdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kacper^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Kacper\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-06-29 15:03 36864 C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"K:\\Program Files\\Gadu-Gadu\\gg.exe"=

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-05-18 20:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At1.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At2.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At3.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 21:48:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 21:49:20
ComboFix-quarantined-files.txt 2008-05-18 20:49:17
ComboFix2.txt 2008-05-18 20:40:00
ComboFix3.txt 2008-05-18 19:36:33
ComboFix4.txt 2008-05-18 19:03:11
ComboFix5.txt 2008-05-18 02:00:11

Pre-Run: 22,234,112,000 bytes free
Post-Run: 22,222,553,088 bytes free

272 --- E O F --- 2008-05-18 02:06:02
And here's the HJT log done AFTER the ComboFix scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:52:48, on 2008-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\kacper1194.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - (no file)
O2 - BHO: {2177764c-ab98-c5c9-d014-b01cef6b2033} - {3302b6fe-c10b-410d-9c5c-89bac4677712} - C:\WINDOWS\system32\uaerqadd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {805F131E-D1A8-4196-AC9D-2F41FDEE738C} - (no file)
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - (no file)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 7833 bytes

pskelley
2008-05-18, 23:05
These were the instructions:
We need first to disable TeaTimer that it doesn't interfere with fixes.
(leave TT disabled until we finish)

I will not be able to help you if you do not follow directions. Disable TeaTimer as instructed and LEAVE it disabled.

Then read those last directions again and follow them. You did not run the CFScript. If you did this:

C:\Documents and Settings\Kacper\Desktop\ComboFix.exe

would read: C:\Documents and Settings\Kacper\Desktop\CFScript.txt
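
An added illustration, not part of this thread and not code from ComboFix, HijackThis or Spybot: the Python below applies the indicators a helper reads off the logs posted above (a BHO whose display name is itself a GUID or whose file is "(no file)", a Run key that calls rundll32 on a DLL with a single-letter export, a Winlogon Notify package whose DLL is missing, and an At*.job task pointing at Application Data\wunauclt.exe, one letter away from the real wuauclt.exe) to a handful of lines copied from those logs, and then turns the hits that are real files into the File:: section of a CFScript like the one ComboFix echoes as "FILE ::" above. The sample lines are constructed from the posted logs; the File:: directive name is assumed from ComboFix's CFScript syntax and is not itself shown on this page, and the short list of Windows binary names used for the lookalike check is my own choice.

```python
"""Triage indicators from HijackThis / ComboFix log lines (added example)."""
import re
from typing import List, Tuple

# Constructed sample: lines lifted from the HijackThis and ComboFix logs posted
# above, trimmed to a mix of benign entries and the ones that matter.
SAMPLE_LOG = r"""
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
O2 - BHO: {2177764c-ab98-c5c9-d014-b01cef6b2033} - {3302b6fe-c10b-410d-9c5c-89bac4677712} - C:\WINDOWS\system32\uaerqadd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - .*?\[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<state>.*)$")
TASK_TARGET_RE = re.compile(r"^- (?P<path>[A-Za-z]:\\.*\.exe)$", re.I)

# Assumed list of Windows binaries that droppers like to imitate by one-letter edits.
WINDOWS_BINARIES = ("wuauclt.exe", "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch wunauclt.exe vs wuauclt.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for every log line that trips an indicator."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("target") == "(no file)":
                findings.append(("orphaned-bho", m.group("clsid")))      # dead CLSID, file already gone
            elif re.fullmatch(GUID, m.group("name")):
                findings.append(("guid-named-bho", m.group("target")))   # a BHO named by a GUID, no product name
            continue
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r and len(r.group("export")) == 1:                         # NvCpl.dll,NvStartup is not flagged
                findings.append(("rundll32-single-letter-export", r.group("dll")))
            continue
        m = NOTIFY_RE.match(line)
        if m and "file missing" in m.group("state"):
            findings.append(("orphaned-winlogon-notify", m.group("name")))
            continue
        m = TASK_TARGET_RE.match(line)
        if m:
            path = m.group("path")
            exe = path.rsplit("\\", 1)[-1].lower()
            if "\\application data\\" in path.lower() and any(
                    edit_distance(exe, w) == 1 for w in WINDOWS_BINARIES):
                findings.append(("lookalike-task-target", path))
    return findings


def cfscript_file_section(findings: List[Tuple[str, str]]) -> str:
    """Build the File:: block of a CFScript from findings that name a file on disk.
    File:: is assumed from ComboFix's script syntax; registry-only hits (dead CLSIDs,
    the Notify name) carry no path and are left for the helper's Registry:: section."""
    paths = sorted({ev for _, ev in findings if re.match(r"^[A-Za-z]:\\", ev)})
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rule, evidence in hits:
        print(f"{rule:32} {evidence}")
    print()
    print(cfscript_file_section(hits))
```

Run as-is it reports six hits and a four-path File:: block; the benign HP, Spybot, NOD32 and NVIDIA lines pass. Whether a generated script is actually fed to ComboFix remains the helper's call; the point here is the checks themselves, which are the same ones being applied by hand in this thread.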

kacper1194
2008-05-19, 19:09
Ok I'm sorry

And yes, I did run the script, restarted and did another scan, and that was the log from the second scan.

Now these are the new logs:

ComboFix log


ComboFix 08-05-15.3 - Kacper 2008-05-19 18:03:25.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2737 [GMT 1:00]
Running from: C:\Documents and Settings\Kacper\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kacper\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\bhspethk.dll
C:\WINDOWS\system32\bxefmlrl.dll
C:\WINDOWS\system32\duxegnsb.dll
C:\WINDOWS\system32\ghyiauwc.dll
C:\WINDOWS\system32\goibrqsg.dll
C:\WINDOWS\system32\gqeauarl.dll
C:\WINDOWS\system32\gyonystq.dll
C:\WINDOWS\system32\malgifxk.dll
C:\WINDOWS\system32\mlJYolMf.dll
C:\WINDOWS\system32\msonpmon.dll
C:\WINDOWS\system32\oahnaosq.dll
C:\WINDOWS\system32\pmnkJcdb.dll
C:\WINDOWS\system32\pmqggbdh.dll
C:\WINDOWS\system32\rsrjxyto.dll
C:\WINDOWS\system32\vypamfgx.dll
C:\WINDOWS\system32\wamxxtbs.dll
C:\WINDOWS\system32\xqymswlg.dll
C:\WINDOWS\system32\yfwofhqr.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-18 17:08 . 2008-05-18 17:08 133,120 --a------ C:\WINDOWS\system32\uaerqadd.dll
2008-05-18 17:06 . 2008-05-18 17:06 124,928 --a------ C:\WINDOWS\system32\kumfkvqd.dll
2008-05-18 03:00 . 2008-05-18 17:05 354 --ahs---- C:\WINDOWS\system32\gsqrbiog.ini
2008-05-18 02:50 . 2008-05-18 02:50 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-18 00:21 . 2008-05-18 01:55 354,816 --a----t- C:\WINDOWS\DSCoreItem.dsf
2008-05-18 00:21 . 2008-05-18 00:21 0 --a------ C:\WINDOWS\WoWEmuHackSettings.ini
2008-05-17 16:50 . 2008-05-17 16:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 23:10 . 2008-05-15 23:10 <DIR> d-------- C:\Program Files\Unlocker
2008-05-15 23:00 . 2008-05-15 23:01 <DIR> d-------- C:\!KillBox
2008-05-13 20:41 . 2008-05-17 17:16 963 --a------ C:\WINDOWS\wininit.ini
2008-05-13 20:23 . 2008-05-13 20:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 20:23 . 2008-05-14 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 18:18 . 2008-05-13 18:18 335 --a------ C:\WINDOWS\mozregistry.dat
2008-05-13 17:30 . 2008-05-13 17:30 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-13 17:27 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-13 16:26 . 2008-05-18 20:41 109,807 --a------ C:\WINDOWS\BM978d8690.xml
2008-05-12 20:12 . 2007-02-09 18:34 420,816 --a------ C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
2008-05-12 20:11 . 2008-03-15 17:57 199,445 --a------ C:\Documents and Settings\Kacper\Application Data\toolbar.dll
2008-05-12 20:11 . 2008-05-12 11:56 92,672 --------- C:\Documents and Settings\Kacper\Application Data\dr.exe
2008-05-12 20:11 . 2008-03-15 15:24 82,937 --a------ C:\Documents and Settings\Kacper\Application Data\space1.exe
2008-05-12 17:44 . 2008-05-12 17:44 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\Gadu-Gadu
2008-05-12 07:46 . 2008-05-12 07:46 <DIR> d-------- C:\Logs
2008-05-10 23:21 . 2008-05-10 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-10 01:35 . 2008-05-11 21:02 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-05-09 17:50 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-05-09 17:50 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-05-08 20:17 . 2008-05-09 07:38 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\GetRightToGo
2008-05-08 17:33 . 2008-05-08 17:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-07 21:28 . 2003-04-04 15:03 57,344 --a------ C:\WINDOWS\system32\_packet.dlluninstall
2008-05-06 19:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-06 19:59 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-06 19:59 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-03 21:27 . 2008-05-03 21:30 <DIR> d-------- C:\Documents and Settings\Kacper\Gadu-Gadu
2008-05-02 22:21 . 2008-05-02 22:21 <DIR> d-------- C:\WINDOWS\Sun
2008-05-02 22:21 . 2008-05-02 22:21 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-05-02 22:20 . 2008-05-02 22:20 <DIR> d-------- C:\Program Files\Java
2008-05-02 22:20 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-02 22:19 . 2008-05-02 22:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-30 16:14 . 2008-04-30 16:14 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-30 01:58 . 2008-04-30 01:58 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-28 15:16 . 2008-04-28 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-27 17:41 . 2008-04-27 17:41 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-27 17:39 . 2008-04-27 17:40 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-27 16:03 . 2008-04-27 16:03 <DIR> d-------- C:\Program Files\MSBuild
2008-04-27 16:03 . 2008-04-27 16:03 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-27 16:01 . 2008-04-27 16:01 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-27 15:59 . 2008-04-27 15:59 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-27 15:58 . 2008-04-27 16:02 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-27 15:58 . 2008-05-18 03:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-27 15:57 . 2008-04-27 15:57 <DIR> dr-h----- C:\MSOCache
2008-04-27 15:37 . 2008-04-27 15:37 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-23 20:22 . 2008-04-23 20:22 <DIR> dr-h----- C:\Documents and Settings\Kacper\Application Data\SecuROM
2008-04-23 19:47 . 2008-05-09 17:44 <DIR> d---s---- C:\Program Files\Xfire
2008-04-23 19:47 . 2008-05-08 17:34 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\Xfire
2008-04-22 10:31 . 2008-04-22 10:31 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\HP
2008-04-22 10:23 . 2008-04-22 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-22 10:23 . 2008-04-22 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-22 10:23 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-04-22 10:22 . 2008-04-22 10:22 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\HPAppData
2008-04-22 10:22 . 2008-04-22 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-22 10:21 . 2008-04-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-22 10:21 . 2008-04-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-22 10:20 . 2008-04-22 10:46 <DIR> d-------- C:\Program Files\HP
2008-04-22 10:20 . 2008-04-22 10:20 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-22 10:20 . 2007-03-31 06:11 267,864 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-04-22 10:19 . 2008-04-22 10:24 137,508 --a------ C:\WINDOWS\HPHins15.dat
2008-04-22 10:19 . 2007-08-28 22:16 2,828 --------- C:\WINDOWS\hphmdl15.dat
2008-04-22 09:38 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-22 09:38 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 19:40 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-05-18 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-15 14:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-15 14:59 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-13 16:00 --------- d-----w C:\Documents and Settings\Kacper\Application Data\uTorrent
2008-05-08 16:16 --------- d-----w C:\Program Files\Google
2008-04-24 15:21 --------- d-----w C:\Program Files\ESET
2008-04-18 20:37 5,632 ----a-w C:\WINDOWS\system32\BReWErS.dll
2008-04-18 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 14:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 13:40 --------- d-----w C:\Program Files\Realtek
2008-04-17 23:54 --------- d-----w C:\Program Files\Intel
2008-04-17 22:27 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-17 22:27 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-17 22:25 --------- d-----w C:\Program Files\Futuremark
2008-04-16 00:59 --------- d-----w C:\Documents and Settings\Kacper\Application Data\Microsoft Games
2008-04-16 00:52 --------- d-----w C:\Program Files\uTorrent
2008-04-15 23:58 --------- d-----w C:\Program Files\Microsoft Games
2008-04-15 23:56 --------- d-----w C:\Program Files\Alcohol Soft
2008-04-15 23:47 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-15 23:03 --------- d-----w C:\Program Files\WinImage
2008-04-15 20:44 --------- d-----w C:\Program Files\THQ
2008-04-15 18:47 --------- d-----w C:\Program Files\GameSpy
2008-04-15 18:45 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-04-15 18:45 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-15 18:45 22,328 ----a-w C:\Documents and Settings\Kacper\Application Data\PnkBstrK.sys
2008-04-15 18:34 --------- d-----w C:\Program Files\Electronic Arts
2008-04-15 18:23 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-15 18:23 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-15 18:23 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-14 23:47 --------- d-----w C:\Program Files\Activision
2008-04-14 19:23 --------- d-----w C:\Program Files\Gothic III
2008-04-14 12:41 --------- d-----w C:\Program Files\CyberLink
2008-04-14 12:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 20:45 271,360 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-13 20:45 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-13 19:23 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 19:23 --------- d-----w C:\Program Files\Tomb Raider - Anniversary
2008-04-13 19:06 --------- d-----w C:\Program Files\Multimedia Keyboard Driver
2008-04-13 18:57 --------- d-----w C:\Documents and Settings\Kacper\Application Data\InstallShield
2008-04-13 18:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-13 18:48 90,112 ----a-w C:\WINDOWS\DUMP2b26.tmp
2008-04-13 18:28 --------- d-----w C:\Program Files\XpertVision
2008-04-13 18:15 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-19 17:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-19 17:26 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-18_20.02.57.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 18:59:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 16:18:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14370F76-7676-44A2-AD11-93A31C5FC9FC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{145AD62D-3300-4EDF-981B-F6F8293ACE83}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3302b6fe-c10b-410d-9c5c-89bac4677712}]
2008-05-18 17:08 133120 --a------ C:\WINDOWS\system32\uaerqadd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E25B605-6CD3-45C4-9E2D-DB4805607A8D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{805F131E-D1A8-4196-AC9D-2F41FDEE738C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A236A701-CF9F-48C0-A905-1E23AD5CCE16}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A94C61D5-D267-4CE3-A9F1-755F11AD1B38}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 17:42 217544]
"Gadu-Gadu"="K:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 11:04 2127296]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-08 17:16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\Program Files\XpertVision\TBPanel.exe" [2007-11-27 14:40 2169352]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 07:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-08-29 09:55 1966080]
"WireLessKeyboard"="C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe" [2005-11-30 12:48 94208]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-15 19:23 949376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 11:14 16844800 C:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 05:15 15872]
"BM978d8690"="C:\WINDOWS\system32\pmqggbdh.dll" [ ]
"GEST"="C:\Program Files\GIGABYTE\GEST\RUN.exe" [ ]
"94beb50c"="C:\WINDOWS\system32\goibrqsg.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkJcdb]
pmnkJcdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kacper^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Kacper\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-06-29 15:03 36864 C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"K:\\Program Files\\Gadu-Gadu\\gg.exe"=

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-05-18 20:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At1.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At2.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At3.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 18:05:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-19 18:06:12
ComboFix-quarantined-files.txt 2008-05-19 17:06:09
ComboFix2.txt 2008-05-18 20:49:20
ComboFix3.txt 2008-05-18 20:40:00
ComboFix4.txt 2008-05-18 19:36:33
ComboFix5.txt 2008-05-18 19:03:11

Pre-Run: 22,202,974,208 bytes free
Post-Run: 22,190,841,856 bytes free

265 --- E O F --- 2008-05-18 02:06:02





HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:07:12, on 2008-05-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\kacper1194.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - (no file)
O2 - BHO: {2177764c-ab98-c5c9-d014-b01cef6b2033} - {3302b6fe-c10b-410d-9c5c-89bac4677712} - C:\WINDOWS\system32\uaerqadd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {805F131E-D1A8-4196-AC9D-2F41FDEE738C} - (no file)
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - (no file)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 7749 bytes



Oh, and I deleted Gest.exe; it was an optional power saver which I didn't use at all, so I uninstalled it. It came with my GIGABYTE motherboard drivers CD.

pskelley
2008-05-19, 19:46
Please read and follow the directions exactly as posted; this is a lot of additional work for both of us. :sad:

Have a look at this topic:
http://forums.spybot.info/showthread.php?t=28136
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

Please notice the items under
FILE ::
C:\WINDOWS\BM434f52a0.xml
etc.

all appear again under Other Deletions.

Now look at your topic:
http://forums.spybot.info/showthread.php?p=193213#post193213
the items under
FILE ::
C:\WINDOWS\system32\bhspethk.dll
etc.

do not appear as deleted items. Try the ComboFix script instructions again; if it does not show them as Other Deletions, then we will have to delete them manually.
I know it has not worked because the files are still in the HJT log.

INSTRUCTIONS

Open Notepad and copy/paste the text in the codebox below into it:


FILE ::
C:\WINDOWS\system32\bhspethk.dll
C:\WINDOWS\system32\bxefmlrl.dll
C:\WINDOWS\system32\duxegnsb.dll
C:\WINDOWS\system32\ghyiauwc.dll
C:\WINDOWS\system32\goibrqsg.dll
C:\WINDOWS\system32\gqeauarl.dll
C:\WINDOWS\system32\gyonystq.dll
C:\WINDOWS\system32\malgifxk.dll
C:\WINDOWS\system32\mlJYolMf.dll
C:\WINDOWS\system32\msonpmon.dll
C:\WINDOWS\system32\oahnaosq.dll
C:\WINDOWS\system32\pmnkJcdb.dll
C:\WINDOWS\system32\pmqggbdh.dll
C:\WINDOWS\system32\rsrjxyto.dll
C:\WINDOWS\system32\vypamfgx.dll
C:\WINDOWS\system32\wamxxtbs.dll
C:\WINDOWS\system32\xqymswlg.dll
C:\WINDOWS\system32\yfwofhqr.dll
C:\WINDOWS\system32\uaerqadd.dll

Save this as CFScript


http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

Post the combofix log and a new HJT log
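
As an added example (not part of the thread, and not pskelley's, ComboFix's or HijackThis's own tooling), the check the post above does by eye, in Python: read the FILE :: targets of a CFScript, see which of them ComboFix reports under Other Deletions, and flag any that a fresh HJT log still references. The sample CFScript and log excerpts are constructed, and the ComboFix section headers are assumed to keep the parenthesised "(((( Title ))))" shape seen in the logs in this thread.

```python
import re
from typing import Dict, List, Set

# Constructed sample inputs, not the thread's real logs: the CFScript names four of
# the DLLs from the post above, the ComboFix excerpt (header shape assumed to match
# ComboFix's parenthesised section titles) shows only one of them deleted, and the
# HijackThis lines still reference the other three.
CFSCRIPT = r"""
FILE ::
C:\WINDOWS\system32\bhspethk.dll
C:\WINDOWS\system32\goibrqsg.dll
C:\WINDOWS\system32\pmqggbdh.dll
C:\WINDOWS\system32\pmnkJcdb.dll
"""

COMBOFIX_LOG = r"""
ComboFix 08-05-15.3 - Kacper 2008-05-19 21:42:14.7 - NTFSx86 MINIMAL
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bhspethk.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.
2008-05-18 17:08 . 2008-05-18 17:08 133,120 --a------ C:\WINDOWS\system32\uaerqadd.dll
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")        # "(((( Title ))))" ComboFix headers
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")             # a log line that is a Windows path
FILE_TOKEN_RE = re.compile(r"[\w.\\:~-]+\.(?:dll|exe|sys)", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so O20 entries (file name only) still match."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_cfscript_files(text: str) -> List[str]:
    """Return the paths listed under the 'FILE ::' directive of a CFScript."""
    files, in_file = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("::"):                 # a new directive (FILE ::, Folder ::, ...)
            in_file = line.upper().startswith("FILE")
            continue
        if in_file and line:
            files.append(line)
    return files


def combofix_other_deletions(text: str) -> Set[str]:
    """Paths ComboFix reports under its 'Other Deletions' section, lower-cased."""
    deleted, in_section = set(), False
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1).lower() == "other deletions"
            continue
        if in_section and DRIVE_PATH_RE.match(line):
            deleted.add(line.lower())
    return deleted


def hjt_references(text: str) -> Dict[str, List[str]]:
    """Map each .dll/.exe/.sys file name (lower-cased) in an HJT log to the lines naming it."""
    refs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        for token in FILE_TOKEN_RE.findall(line):
            refs.setdefault(basename(token), []).append(line)
    return refs


def verify_cleanup(cfscript: str, combofix_log: str, hjt_log: str) -> Dict[str, List[str]]:
    """Classify every CFScript target: deleted by ComboFix, not deleted, still referenced by HJT."""
    deleted = combofix_other_deletions(combofix_log)
    refs = hjt_references(hjt_log)
    result: Dict[str, List[str]] = {"deleted": [], "not_deleted": [], "still_referenced": []}
    for path in parse_cfscript_files(cfscript):
        if path.lower() in deleted:
            result["deleted"].append(path)
        else:
            result["not_deleted"].append(path)
        if basename(path) in refs:              # the HJT log is the ground truth for "it worked"
            result["still_referenced"].append(path)
    return result


if __name__ == "__main__":
    for status, paths in verify_cleanup(CFSCRIPT, COMBOFIX_LOG, HJT_LOG).items():
        print(f"{status}: {paths}")
```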

kacper1194
2008-05-19, 22:55
OK, so I've done the ComboFix in safe mode; still, I think it didn't work.


ComboFix log


ComboFix 08-05-15.3 - Kacper 2008-05-19 21:42:14.7 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.3057 [GMT 1:00]
Running from: C:\Documents and Settings\Kacper\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kacper\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-18 17:08 . 2008-05-18 17:08 133,120 --a------ C:\WINDOWS\system32\uaerqadd.dll
2008-05-18 17:06 . 2008-05-18 17:06 124,928 --a------ C:\WINDOWS\system32\kumfkvqd.dll
2008-05-18 03:00 . 2008-05-18 17:05 354 --ahs---- C:\WINDOWS\system32\gsqrbiog.ini
2008-05-18 02:50 . 2008-05-18 02:50 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-18 00:21 . 2008-05-19 20:34 354,816 --a----t- C:\WINDOWS\DSCoreItem.dsf
2008-05-18 00:21 . 2008-05-18 00:21 0 --a------ C:\WINDOWS\WoWEmuHackSettings.ini
2008-05-17 16:50 . 2008-05-17 16:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 23:10 . 2008-05-15 23:10 <DIR> d-------- C:\Program Files\Unlocker
2008-05-15 23:00 . 2008-05-15 23:01 <DIR> d-------- C:\!KillBox
2008-05-13 20:41 . 2008-05-17 17:16 963 --a------ C:\WINDOWS\wininit.ini
2008-05-13 20:23 . 2008-05-13 20:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 20:23 . 2008-05-14 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 18:18 . 2008-05-13 18:18 335 --a------ C:\WINDOWS\mozregistry.dat
2008-05-13 17:30 . 2008-05-13 17:30 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-13 17:27 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-13 16:26 . 2008-05-18 20:41 109,807 --a------ C:\WINDOWS\BM978d8690.xml
2008-05-12 20:12 . 2007-02-09 18:34 420,816 --a------ C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
2008-05-12 20:11 . 2008-03-15 17:57 199,445 --a------ C:\Documents and Settings\Kacper\Application Data\toolbar.dll
2008-05-12 20:11 . 2008-05-12 11:56 92,672 --------- C:\Documents and Settings\Kacper\Application Data\dr.exe
2008-05-12 20:11 . 2008-03-15 15:24 82,937 --a------ C:\Documents and Settings\Kacper\Application Data\space1.exe
2008-05-12 17:44 . 2008-05-12 17:44 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\Gadu-Gadu
2008-05-12 07:46 . 2008-05-12 07:46 <DIR> d-------- C:\Logs
2008-05-10 23:21 . 2008-05-10 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-10 01:35 . 2008-05-11 21:02 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-05-09 17:50 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-05-09 17:50 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-05-08 20:17 . 2008-05-09 07:38 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\GetRightToGo
2008-05-08 17:33 . 2008-05-08 17:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-07 21:28 . 2003-04-04 15:03 57,344 --a------ C:\WINDOWS\system32\_packet.dlluninstall
2008-05-06 19:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-06 19:59 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-06 19:59 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-03 21:27 . 2008-05-03 21:30 <DIR> d-------- C:\Documents and Settings\Kacper\Gadu-Gadu
2008-05-02 22:21 . 2008-05-02 22:21 <DIR> d-------- C:\WINDOWS\Sun
2008-05-02 22:21 . 2008-05-02 22:21 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-05-02 22:20 . 2008-05-02 22:20 <DIR> d-------- C:\Program Files\Java
2008-05-02 22:20 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-02 22:19 . 2008-05-02 22:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-30 16:14 . 2008-04-30 16:14 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-30 01:58 . 2008-04-30 01:58 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-28 15:16 . 2008-04-28 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-27 17:41 . 2008-04-27 17:41 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-27 17:39 . 2008-04-27 17:40 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-27 16:03 . 2008-04-27 16:03 <DIR> d-------- C:\Program Files\MSBuild
2008-04-27 16:03 . 2008-04-27 16:03 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-27 16:01 . 2008-04-27 16:01 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-27 15:59 . 2008-04-27 15:59 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-27 15:58 . 2008-04-27 16:02 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-27 15:58 . 2008-05-18 03:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-27 15:57 . 2008-04-27 15:57 <DIR> dr-h----- C:\MSOCache
2008-04-27 15:37 . 2008-04-27 15:37 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-23 20:22 . 2008-04-23 20:22 <DIR> dr-h----- C:\Documents and Settings\Kacper\Application Data\SecuROM
2008-04-23 19:47 . 2008-05-09 17:44 <DIR> d---s---- C:\Program Files\Xfire
2008-04-23 19:47 . 2008-05-08 17:34 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\Xfire
2008-04-22 10:31 . 2008-04-22 10:31 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\HP
2008-04-22 10:23 . 2008-04-22 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-22 10:23 . 2008-04-22 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-22 10:23 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-04-22 10:22 . 2008-04-22 10:22 <DIR> d-------- C:\Documents and Settings\Kacper\Application Data\HPAppData
2008-04-22 10:22 . 2008-04-22 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-22 10:21 . 2008-04-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-22 10:21 . 2008-04-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-22 10:20 . 2008-04-22 10:46 <DIR> d-------- C:\Program Files\HP
2008-04-22 10:20 . 2008-04-22 10:20 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-22 10:20 . 2007-03-31 06:11 267,864 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-04-22 10:19 . 2008-04-22 10:24 137,508 --a------ C:\WINDOWS\HPHins15.dat
2008-04-22 10:19 . 2007-08-28 22:16 2,828 --------- C:\WINDOWS\hphmdl15.dat
2008-04-22 09:38 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-22 09:38 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 19:40 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-05-18 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-15 14:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-15 14:59 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-13 16:00 --------- d-----w C:\Documents and Settings\Kacper\Application Data\uTorrent
2008-05-08 16:16 --------- d-----w C:\Program Files\Google
2008-04-24 15:21 --------- d-----w C:\Program Files\ESET
2008-04-18 20:37 5,632 ----a-w C:\WINDOWS\system32\BReWErS.dll
2008-04-18 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 14:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 13:40 --------- d-----w C:\Program Files\Realtek
2008-04-17 23:54 --------- d-----w C:\Program Files\Intel
2008-04-17 22:27 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-17 22:27 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-17 22:25 --------- d-----w C:\Program Files\Futuremark
2008-04-16 00:59 --------- d-----w C:\Documents and Settings\Kacper\Application Data\Microsoft Games
2008-04-16 00:52 --------- d-----w C:\Program Files\uTorrent
2008-04-15 23:58 --------- d-----w C:\Program Files\Microsoft Games
2008-04-15 23:56 --------- d-----w C:\Program Files\Alcohol Soft
2008-04-15 23:47 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-15 23:03 --------- d-----w C:\Program Files\WinImage
2008-04-15 20:44 --------- d-----w C:\Program Files\THQ
2008-04-15 18:47 --------- d-----w C:\Program Files\GameSpy
2008-04-15 18:45 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-04-15 18:45 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-15 18:45 22,328 ----a-w C:\Documents and Settings\Kacper\Application Data\PnkBstrK.sys
2008-04-15 18:34 --------- d-----w C:\Program Files\Electronic Arts
2008-04-15 18:23 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-15 18:23 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-15 18:23 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-14 23:47 --------- d-----w C:\Program Files\Activision
2008-04-14 19:23 --------- d-----w C:\Program Files\Gothic III
2008-04-14 12:41 --------- d-----w C:\Program Files\CyberLink
2008-04-14 12:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 20:45 271,360 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-13 20:45 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-13 19:23 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 19:23 --------- d-----w C:\Program Files\Tomb Raider - Anniversary
2008-04-13 19:06 --------- d-----w C:\Program Files\Multimedia Keyboard Driver
2008-04-13 18:57 --------- d-----w C:\Documents and Settings\Kacper\Application Data\InstallShield
2008-04-13 18:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-13 18:48 90,112 ----a-w C:\WINDOWS\DUMP2b26.tmp
2008-04-13 18:28 --------- d-----w C:\Program Files\XpertVision
2008-04-13 18:15 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-19 17:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-19 17:26 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-18_20.02.57.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 18:59:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 20:39:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14370F76-7676-44A2-AD11-93A31C5FC9FC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{145AD62D-3300-4EDF-981B-F6F8293ACE83}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3302b6fe-c10b-410d-9c5c-89bac4677712}]
2008-05-18 17:08 133120 --a------ C:\WINDOWS\system32\uaerqadd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E25B605-6CD3-45C4-9E2D-DB4805607A8D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{805F131E-D1A8-4196-AC9D-2F41FDEE738C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A236A701-CF9F-48C0-A905-1E23AD5CCE16}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A94C61D5-D267-4CE3-A9F1-755F11AD1B38}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 17:42 217544]
"Gadu-Gadu"="K:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 11:04 2127296]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-08 17:16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\Program Files\XpertVision\TBPanel.exe" [2007-11-27 14:40 2169352]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 07:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-08-29 09:55 1966080]
"WireLessKeyboard"="C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe" [2005-11-30 12:48 94208]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-15 19:23 949376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 11:14 16844800 C:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 05:15 15872]
"BM978d8690"="C:\WINDOWS\system32\pmqggbdh.dll" [ ]
"GEST"="C:\Program Files\GIGABYTE\GEST\RUN.exe" [ ]
"94beb50c"="C:\WINDOWS\system32\goibrqsg.dll" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 13:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkJcdb]
pmnkJcdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kacper^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Kacper\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-06-29 15:03 36864 C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"K:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"K:\\Program Files\\Gadu-Gadu\\gg.exe"=

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-05-18 20:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At1.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At2.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
"2008-05-12 19:12:12 C:\WINDOWS\Tasks\At3.job"
- C:\Documents and Settings\Kacper\Application Data\wunauclt.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 21:44:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-19 21:45:43
ComboFix-quarantined-files.txt 2008-05-19 20:45:30
ComboFix2.txt 2008-05-19 17:06:13
ComboFix3.txt 2008-05-18 20:49:20
ComboFix4.txt 2008-05-18 20:40:00
ComboFix5.txt 2008-05-18 19:36:33

Pre-Run: 22,161,928,192 bytes free
Post-Run: 22,149,885,952 bytes free

245 --- E O F --- 2008-05-18 02:06:02




HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:52:59, on 2008-05-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\kacper1194.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - (no file)
O2 - BHO: {2177764c-ab98-c5c9-d014-b01cef6b2033} - {3302b6fe-c10b-410d-9c5c-89bac4677712} - C:\WINDOWS\system32\uaerqadd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {805F131E-D1A8-4196-AC9D-2F41FDEE738C} - (no file)
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - (no file)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 7650 bytes

pskelley
2008-05-20, 00:03
This is making me frustrated, it has to be hard on you. Let's try this tool, please follow the directions exactly as posted:

Please download the OTMoveIt2 by OldTimer.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

Save it to your Desktop

Right-click on the OTMoveIt2 icon on your desktop
choose "Run as admin"
A window opens

Copy/paste the list below into the left-hand side, under all the tabs

C:\WINDOWS\system32\pmnkJcdb.dll
C:\WINDOWS\system32\mlJYolMf.dll
C:\WINDOWS\system32\goibrqsg.dll
C:\WINDOWS\system32\pmqggbdh.dll
C:\WINDOWS\system32\oahnaosq.dll
C:\WINDOWS\system32\gyonystq.dll
C:\WINDOWS\system32\gqeauarl.dll
C:\WINDOWS\system32\bxefmlrl.dll
C:\WINDOWS\system32\vypamfgx.dll
C:\WINDOWS\system32\rsrjxyto.dll
C:\WINDOWS\system32\wamxxtbs.dll
C:\WINDOWS\system32\duxegnsb.dll
C:\WINDOWS\system32\yfwofhqr.dll
C:\WINDOWS\system32\malgifxk.dll
C:\WINDOWS\system32\xqymswlg.dll
C:\WINDOWS\system32\bhspethk.dll
C:\WINDOWS\system32\ghyiauwc.dll
C:\WINDOWS\system32\msonpmon.dll

Once pasted in, click the Move It button.
You may be prompted to reboot the computer.

After the reboot, navigate to C:\_OTMoveIt\Moved Files. Folders are date and time stamped.
In the right-hand pane you should see a log (.txt) file with the results; please post the log and a new HJT log.

Thanks

kacper1194
2008-05-20, 21:43
It didn't work. Does "Run as admin" refer only to Vista users, or also to XP? So I tried to start it normally (by double-click) and that's what came up:

http://img509.imageshack.us/img509/2504/imgob4.th.jpg (http://img509.imageshack.us/my.php?image=imgob4.jpg)

kacper1194
2008-05-20, 21:45
Oh, and that's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44:49, on 2008-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\kacper1194.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - (no file)
O2 - BHO: {2177764c-ab98-c5c9-d014-b01cef6b2033} - {3302b6fe-c10b-410d-9c5c-89bac4677712} - C:\WINDOWS\system32\uaerqadd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {805F131E-D1A8-4196-AC9D-2F41FDEE738C} - (no file)
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - (no file)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 7617 bytes

pskelley
2008-05-20, 22:05
Seems nothing is going to work; let's see what MBAM does. Please follow the directions.

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

After you do that and post the information here, then look at this information.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

kacper1194
2008-05-23, 21:17
Sorry I waited so long to post a reply, but I was away for a bit.
I would rather not install the recovery console if it's not necessary for

This is the Malwarebytes' Anti-Malware log from 3 days back, when I didn't really have time to upload it, and I guess it worked:

Malwarebytes' Anti-Malware 1.12
Database version: 771

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 129729
Time elapsed: 25 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\94beb50c (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM978d8690 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\gqeauarl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\oahnaosq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rsrjxyto.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C93799AE-E10C-43D4-8324-961DDA268542}\RP77\A0023487.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C93799AE-E10C-43D4-8324-961DDA268542}\RP77\A0023492.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C93799AE-E10C-43D4-8324-961DDA268542}\RP77\A0023495.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_packet.dlluninstall (Spyware.Agent) -> Quarantined and deleted successfully.

And this is the log from today, when I scanned it and it didn't detect anything:

Malwarebytes' Anti-Malware 1.12
Database version: 771

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 129893
Time elapsed: 25 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And here's the HJT log from today:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:39, on 2008-05-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\kacper1194.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - (no file)
O2 - BHO: {2177764c-ab98-c5c9-d014-b01cef6b2033} - {3302b6fe-c10b-410d-9c5c-89bac4677712} - C:\WINDOWS\system32\uaerqadd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {805F131E-D1A8-4196-AC9D-2F41FDEE738C} - (no file)
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - (no file)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 7435 bytes

pskelley
2008-05-23, 22:35
This computer is still infected, we may not get it clean? Please follow the directions as posted.

1) Delete combofix and the C:\QooBox\Quarantine\ folder from the computer. <<< these instructions are important, we may need to use this tool again and if we do we want a new version completely.

2) We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

3) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double-click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

6) Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\system32\uaerqadd.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
O2 - BHO: (no name) - {145AD62D-3300-4EDF-981B-F6F8293ACE83} - (no file)
O2 - BHO: {2177764c-ab98-c5c9-d014-b01cef6b2033} - {3302b6fe-c10b-410d-9c5c-89bac4677712} - C:\WINDOWS\system32\uaerqadd.dll
O2 - BHO: (no name) - {6E25B605-6CD3-45C4-9E2D-DB4805607A8D} - (no file)
O2 - BHO: (no name) - {805F131E-D1A8-4196-AC9D-2F41FDEE738C} - (no file)
O2 - BHO: (no name) - {A236A701-CF9F-48C0-A905-1E23AD5CCE16} - (no file)
O2 - BHO: (no name) - {A94C61D5-D267-4CE3-A9F1-755F11AD1B38} - (no file)
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log

Thanks
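
As an added example (not code from this thread, from HijackThis or from Spybot), the Python script below flags the same classes of HJT entries that step 7 above told the poster to fix: O2 BHOs with "(no file)", an O2 BHO whose display name is itself a GUID, O4 rundll32 autoruns that load an eight-letter system32 DLL through a one-letter export, and O20 Winlogon Notify packages whose DLL is missing. The sample log is constructed from lines quoted earlier in the thread; the heuristics (GUID_RE, RUNDLL_RE, RANDOM_KEY_RE) are this example's own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis-style logs (example code, not part of HJT).

It reads O2 (BHO), O4 (Run) and O20 (Winlogon Notify) lines and returns the
entries that match the patterns a helper would otherwise pick out by hand.
"""
import re
from dataclasses import dataclass

# Line shapes of the three HijackThis sections acted on in the thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK.*?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$")

# Heuristics assumed by this example:
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# rundll32 loading an eight-letter system32 DLL through a one-letter export,
# the shape of the [BM978d8690] / [94beb50c] autoruns quoted in the thread.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]*\\system32\\[a-z]{8}\.dll)"?\s*,\s*(?P<export>[a-z])\s*$',
    re.I,
)
# Run value names that are just hex digits (optionally prefixed "BM").
RANDOM_KEY_RE = re.compile(r"^(?:BM)?[0-9a-f]{8,}$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str  # "O2", "O4" or "O20"
    reason: str   # why the line was flagged
    line: str     # the original log line


def triage_line(line: str):
    """Return a Finding for a suspicious O2/O4/O20 line, or None if benign/unknown."""
    line = line.rstrip("\r\n")
    m = O2_RE.match(line)
    if m:
        name, path = m["name"], m["path"]
        if path == "(no file)":
            return Finding("O2", "orphaned BHO registration: CLSID points at a missing file", line)
        if GUID_RE.match(name):
            return Finding("O2", "BHO whose display name is itself a GUID", line)
        if name == "(no name)":
            return Finding("O2", "unnamed BHO loading " + path, line)
        return None
    m = O4_RE.match(line)
    if m:
        key, cmd = m["key"], m["cmd"]
        r = RUNDLL_RE.match(cmd)
        if r:
            return Finding("O4", f"rundll32 autorun of {r['dll']} via one-letter export '{r['export']}'", line)
        if RANDOM_KEY_RE.match(key):
            return Finding("O4", f"autorun value with random-looking name [{key}]", line)
        return None
    m = O20_RE.match(line)
    if m and "(file missing)" in m["rest"]:
        return Finding("O20", f"Winlogon Notify package {m['name']} references a missing DLL", line)
    return None


def triage_log(text: str):
    """Run triage_line over every line of an HJT log and keep the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: a handful of lines quoted from the HJT logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
O2 - BHO: {2177764c-ab98-c5c9-d014-b01cef6b2033} - {3302b6fe-c10b-410d-9c5c-89bac4677712} - C:\WINDOWS\system32\uaerqadd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM978d8690] Rundll32.exe "C:\WINDOWS\system32\pmqggbdh.dll",s
O4 - HKLM\..\Run: [94beb50c] rundll32.exe "C:\WINDOWS\system32\goibrqsg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: pmnkJcdb - pmnkJcdb.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the sample prints five findings; legitimate entries such as the HP, Java and NvCpl lines are not flagged.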

kacper1194
2008-05-24, 01:46
I guess it worked now, because none of the files I deleted displayed again after the restart.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:44:06, on 2008-05-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
K:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\kacper1194.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 6845 bytes
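As an added illustration (not code from this thread, from the helper, or from HijackThis itself), the block below is a small Python parser for the HJT log format shown above, with a few defender-side triage checks of the kind a helper applies when reading such a log: O4 Run entries whose image is an unqualified file name (resolved through the system search path rather than an absolute path), images located under user-writable profile or temp folders, and O23 services listed with "Unknown owner". The sample lines are copied from the log in this thread; the function names, regexes and heuristics are my own assumptions and not a HijackThis feature.

```python
"""Parse HijackThis-style log lines and apply simple triage heuristics.

Added example for this thread; the heuristics and names are assumptions
of the author of this example, not part of HijackThis.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HJT log above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "K:\Program Files\Gadu-Gadu\gg.exe" /tray
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                       # "O4 - ..." section prefix
RUN_RE = re.compile(r"^(.*?)\\\.\.\\(\w+): \[(.*?)\] (.*)$")          # hive\..\Run: [name] command
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")          # Service: name - owner - image
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")     # BHO: name - {CLSID} - image
# First quoted token, or the first token that ends in a common executable extension.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|scr|cpl))(?=[\s,]|$)', re.I)
# Folders an unprivileged user can write to on Windows XP (heuristic, not exhaustive).
USER_WRITABLE = re.compile(
    r"\\(temp|tmp|application data|local settings|appdata|documents and settings\\[^\\]+)\\", re.I)
ABSOLUTE_RE = re.compile(r"^[A-Za-z]:\\")


def image_path(command):
    """Return the image a Run-key command launches (for rundll32, the hosted DLL)."""
    command = command.strip()
    m = IMAGE_RE.match(command)
    if not m:
        return command
    image = m.group(1) or m.group(2)
    rest = command[m.end():].strip()
    if image.lower().endswith("rundll32.exe") and rest:
        # rundll32 <dll>,<entry>: the DLL is the code that actually runs
        return rest.split(",")[0].strip().strip('"')
    return image


def parse_log(text):
    """Group entries by section code (R1, O2, O4, O23, ...) with parsed fields."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list, blank lines
        code, body = m.groups()
        rec = {"raw": line.strip()}
        if code == "O4":
            r = RUN_RE.match(body)
            if r:
                rec.update(hive=r.group(1), key=r.group(2), name=r.group(3),
                           command=r.group(4), image=image_path(r.group(4)))
        elif code == "O23":
            s = SERVICE_RE.match(body)
            if s:
                rec.update(name=s.group(1), owner=s.group(2), image=s.group(3).strip())
        elif code == "O2":
            b = BHO_RE.match(body)
            if b:
                rec.update(name=b.group(1), clsid=b.group(2), image=b.group(3).strip())
        entries[code].append(rec)
    return entries


def review(entries):
    """Triage heuristics; each finding is (section, entry name, reason). A finding is a
    cue to verify the file, not a verdict that it is malicious."""
    findings = []
    for rec in entries.get("O4", []):
        image = rec.get("image", rec["raw"])
        if not ABSOLUTE_RE.match(image):
            findings.append(("O4", rec.get("name", "?"),
                             "unqualified image name resolved via search path: " + image))
        elif USER_WRITABLE.search(image):
            findings.append(("O4", rec.get("name", "?"), "image in user-writable folder: " + image))
    for rec in entries.get("O23", []):
        image = rec.get("image", rec["raw"])
        if rec.get("owner", "").lower() == "unknown owner":
            findings.append(("O23", rec.get("name", "?"),
                             "service has no publisher name; verify image: " + image))
        elif USER_WRITABLE.search(image):
            findings.append(("O23", rec.get("name", "?"), "service image in user-writable folder: " + image))
    for rec in entries.get("O2", []):
        image = rec.get("image", rec["raw"])
        if USER_WRITABLE.search(image):
            findings.append(("O2", rec.get("name", "?"), "BHO image in user-writable folder: " + image))
    return findings


if __name__ == "__main__":
    for section, name, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{section:<4}{name:<14}{reason}")
```

On the sample, the two hits are the bare `nwiz.exe` Run entry and the `PnkBstrA` service; both are legitimate components (NVIDIA nView and PunkBuster) and the helper above judged this log clean, which is the point of the design: the checks surface entries worth a second look (search-path resolution, missing publisher, user-writable image locations) and the human reader still decides, exactly as happens in this thread.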

pskelley
2008-05-24, 02:00
Thanks for the feedback, looks clean.
C:\Program Files\Java\jre1.6.0_05\ <<< I believe Java needs an update, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

kacper1194
2008-05-24, 14:36
Ok, thanks a lot for the help, I will look up these websites later :)