Zlob DNSchanger has taken over, hi guys please help

Status
Not open for further replies.
OK....
What are you guys doing over there??

Now you have password-stealing trojans bundled with a worm that is gunna take over the hard drive & fill it up.

You better not be downloading cracks & keygens.... that is the only place I see where this junk comes from.

That log is HUGE!!
Can you zip it and attach it to your next reply please.

Gimme a few min to do next fix..
Don't reboot yet cus spybot has a billion files to nuke & its prolly gunna crash trying.

Hang on a few ok?
 
Agh, I already rebooted. OMG no, I haven't downloaded a keygen. I've been using LimeWire but I thought it was giving me problems so I deleted it. OMG, I don't want anything to happen to my computer, my college exams are on here. Agh, please help. How do I zip it??
 
Well somebody downloaded/ran a keygen or crack.
Limewire has to be one of the most dangerous p2p programs out there.
Almost everything on their networks is infected with some sorta junk.

Ok...

Since you rebooted I need you to make a new Hijackthis log.
If it is huge like the other one please do this:

Right click the new Hijackthis log you made> send to> "compressed (zipped) folder"

Attach the file called Hijackthis.zip.

Check this too please.
Open Spybot
Click "recovery"
If there is a TON of junk there --- right click in list window> select all> delete all selected.

I'll let ya know what next when I see the hijackthis log.

Thanks :)
 
And I already deleted LimeWire, is it still on my computer??

I dunno yet. If it is we'll remove it.
I shall see it in next log.

We are getting to the point where things are getting difficult.
If you don't watch what the heck you guys are doing over there --- you will end up having to format!
Very often these keygens and cracks come with file infecting viruses which basically means a hosed system.
Right now you have no antivirus so you are at high risk.
And if you guys have a network these infections could very well be on the other systems as well meaning entire network may be infected.

These things are not funny.
You have worms that are trying to steal your passwords, and your system could very well be being used as a spambot sending email spam to everyone on the planet (which also means your ISP may stop your internet services for spamming).
Your system could also be being used to attack other machines (again, if the ISP sees this they can cut your services).

I have attached a file called fix.zip

Please download this & save it to your desktop.

Right click it> extract all> follow wizard to extract files.
Open Fix folder and double click "fix.reg"
Answer yes when it asks if you want to add contents to registry.
Should get success message.

Delete fix folder when done.

Next download new copy of ComboFix from here:

http://subs.geekstogo.com/ComboFix.exe

Save it to desktop & let it overwrite old one.

Double click it and let it run.
Follow instructions given.

Do not click inside combofix window or app will freeze.

Post the new ComboFix.txt along with a new Hijackthis log.

Then stick around cus I will have further instructions.

Thanks
 
combo

ComboFix 08-08-30.03 - kkooo 2008-08-29 21:45:07.5 - FAT32x86
Running from: C:\Documents and Settings\kkooo\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\kkooo\Application Data\macromedia\Flash Player\#SharedObjects\JDU9UDDQ\static.youku.com
C:\Documents and Settings\kkooo\Application Data\macromedia\Flash Player\#SharedObjects\JDU9UDDQ\static.youku.com\v1.0.0318\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\kkooo\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\kkooo\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\kkooo\Cookies\kkooo@aniscartujo[2].txt
C:\Documents and Settings\kkooo\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\kkooo\Start Menu\Programs\Startup\DW_Start.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BM670e68bf.txt
C:\WINDOWS\faceback.exe
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\system32\acxkhylp.exe
C:\WINDOWS\system32\blphcrpdj0er4j.scr
C:\WINDOWS\system32\dwwnw64r.exe
C:\WINDOWS\system32\hbxcra.dll
C:\WINDOWS\system32\liurgvwc.dll
C:\WINDOWS\system32\lphcrpdj0er4j.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjbnsxkj.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\onkjkpqu.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\phcrpdj0er4j.bmp
C:\WINDOWS\system32\qoMfedCu.dll
C:\WINDOWS\system32\rnypfpxd.dll
C:\WINDOWS\system32\rqRHyxyY.dll
C:\WINDOWS\system32\swmwrt.dll
C:\WINDOWS\system32\tsYaHRqr.ini
C:\WINDOWS\system32\tsYaHRqr.ini2
C:\WINDOWS\system32\uqpkjkno.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\yjrcjmer.dll
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 09:56 . 2008-08-29 09:56 <DIR> d-------- C:\WINDOWS\system32\unknown
2008-08-29 06:21 . 2008-08-29 06:21 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-29 02:05 . 2008-08-29 02:05 <DIR> d--hs---- C:\WINDOWS\U2FudGE
2008-08-29 02:05 . 2008-08-29 02:05 548,928 --a------ C:\WINDOWS\system32\ncntqtdl.exe
2008-08-29 02:05 . 2008-08-29 02:05 153,444 --a------ C:\WINDOWS\system32\g59.exe
2008-08-29 02:04 . 2008-08-29 02:04 <DIR> d-------- C:\WINDOWS\system32\wTR02
2008-08-29 02:04 . 2008-08-29 02:04 <DIR> d-------- C:\WINDOWS\system32\towl
2008-08-29 02:04 . 2008-08-29 02:04 <DIR> d-------- C:\WINDOWS\system32\tec
2008-08-29 02:04 . 2008-08-29 02:04 <DIR> d-------- C:\WINDOWS\system32\dbl
2008-08-29 02:04 . 2008-08-29 02:04 <DIR> d-------- C:\WINDOWS\system32\bdir
2008-08-29 02:04 . 2008-08-29 02:04 <DIR> d-------- C:\Temp\dax41
2008-08-29 02:04 . 2008-08-29 02:04 <DIR> d-------- C:\Temp
2008-08-29 02:01 . 2008-08-29 02:01 <DIR> d--hs---- C:\FOUND.000
2008-08-28 21:49 . 2008-08-28 21:49 <DIR> d-------- C:\Documents and Settings\kkooo\Application Data\LimeWire
2008-08-28 12:47 . 2008-08-28 12:47 <DIR> d-------- C:\Program Files\AIM Search
2008-08-28 12:46 . 2008-08-28 12:46 <DIR> d-------- C:\Program Files\Viewpoint
2008-08-28 05:09 . 2008-08-28 05:09 51,436 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-08-28 03:32 . 2008-08-28 03:32 <DIR> d-------- C:\Program Files\Safari
2008-08-28 03:23 . 2008-08-28 03:24 <DIR> d-------- C:\Program Files\QuickTime
2008-08-28 03:20 . 2008-08-28 03:20 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-27 08:26 . 2008-08-28 08:27 758 ---hs---- C:\WINDOWS\system32\wdpdjaaj.ini
2008-08-27 08:26 . 2008-08-27 08:26 0 --a------ C:\WINDOWS\BM670e68bf.xml
2008-08-27 05:58 . 2008-08-27 05:58 <DIR> d-------- C:\Documents and Settings\kkooo\Application Data\imo.im
2008-08-27 05:28 . 2008-08-27 05:28 <DIR> d-------- C:\Documents and Settings\kkooo\DoctorWeb
2008-08-27 00:07 . 2008-08-27 00:07 <DIR> d-------- C:\Documents and Settings\kkooo\Application Data\Thinstall
2008-08-26 12:29 . 2008-08-26 12:29 <DIR> d-------- C:\Program Files\AOL Search
2008-08-26 12:28 . 2008-08-26 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-26 06:35 . 2008-08-26 06:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-08-26 01:52 . 2004-05-13 17:32 276,480 --a------ C:\WINDOWS\system32\slbcsp.dll
2008-08-26 01:52 . 2004-05-13 17:27 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2008-08-26 01:52 . 2004-05-13 17:27 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2008-08-26 01:52 . 2004-05-13 17:33 89,600 --a------ C:\WINDOWS\system32\slbiop.dll
2008-08-26 01:52 . 2004-05-13 17:33 14,848 --a------ C:\WINDOWS\system32\slbrccsp.dll
2008-08-25 20:33 . 2008-08-25 20:33 <DIR> d-------- C:\Documents and Settings\kkooo\Application Data\Apple Computer
2008-08-25 20:32 . 2008-08-25 20:32 <DIR> d-------- C:\Documents and Settings\kkooo
2008-08-25 05:26 . 2008-08-25 05:26 <DIR> d-------- C:\Program Files\Bonjour
2008-08-25 05:21 . 2008-08-25 05:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-17 17:46 . 2008-08-26 01:15 250 --a------ C:\WINDOWS\gmer.ini
2008-07-15 13:42 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-14 22:38 . 2008-07-14 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-14 22:31 . 2008-07-14 22:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 21:07 . 2008-07-13 21:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-13 21:07 . 2008-07-13 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-13 17:47 . 2008-07-13 17:47 <DIR> d-------- C:\Program Files\Opera
2008-07-13 17:44 . 2008-07-13 17:44 262,144 --a------ C:\Documents and Settings\KEATON~3
2008-07-13 17:44 . 2008-07-13 17:44 262,144 --a------ C:\Documents and Settings\KEATON~1
2008-07-13 12:34 . 2008-07-13 12:34 262,144 --a------ C:\Documents and Settings\KEF90A~3.KEA
2008-07-13 12:34 . 2008-07-13 12:34 262,144 --a------ C:\Documents and Settings\keaton1
2008-07-13 10:35 . 2008-07-13 10:35 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-13 01:52 . 2008-07-13 01:52 <DIR> d-------- C:\Documents and Settings\Default User
2008-07-11 23:31 . 2008-07-11 23:31 262,144 --a------ C:\Documents and Settings\KEF90A~2.KEA
2008-07-11 23:30 . 2008-07-11 23:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-11 18:47 . 2008-07-15 17:30 4,298 ---hs---- C:\WINDOWS\system32\uvphrjcr.ini
2008-07-11 17:39 . 2008-07-11 17:39 262,144 --a------ C:\Documents and Settings\KEF90A~1.KEA
2008-07-11 17:39 . 2008-07-11 17:39 262,144 --a------ C:\Documents and Settings\AD59A3~1
2008-07-11 17:22 . 2008-07-11 17:34 262,144 --a------ C:\Documents and Settings\KEATON~4.KEA
2008-07-11 17:22 . 2008-07-11 17:34 262,144 --a------ C:\Documents and Settings\ADMINI~4
2008-07-11 17:04 . 2008-07-11 17:04 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-11 17:04 . 2008-07-11 17:04 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-11 17:04 . 2008-07-11 17:04 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-11 17:04 . 2008-07-11 17:04 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-11 16:56 . 2008-07-11 17:06 8,192 --a------ C:\Documents and Settings\KEATON~3.KEA
2008-07-11 16:56 . 2008-07-11 17:06 8,192 --a------ C:\Documents and Settings\ADMINI~3
2008-07-11 14:29 . 2008-07-11 14:29 262,144 --a------ C:\Documents and Settings\KEATON~2.KEA
2008-07-11 14:29 . 2008-07-11 14:29 262,144 --a------ C:\Documents and Settings\ADMINI~2
2008-07-11 11:44 . 2008-07-11 12:19 262,144 --a------ C:\Documents and Settings\ADMINI~1
2008-07-11 11:44 . 2008-07-11 17:06 8,192 --a------ C:\Documents and Settings\T_REX
2008-07-11 11:44 . 2008-07-11 17:06 8,192 --a------ C:\Documents and Settings\BLAHBLAH
2008-07-11 11:44 . 2008-07-11 17:06 8,192 --a------ C:\Documents and Settings\blah13
2008-07-11 11:43 . 2008-07-11 12:19 262,144 --a------ C:\Documents and Settings\KEATON~1.KEA
2008-07-11 11:43 . 2008-07-11 17:06 8,192 --a------ C:\Documents and Settings\KEATON20
2008-07-11 11:43 . 2008-07-11 17:06 8,192 --a------ C:\Documents and Settings\keaton
2008-07-11 11:43 . 2008-07-11 17:06 8,192 --a------ C:\Documents and Settings\every1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 18:09 2,036,227 ----a-w C:\Program Files\zia01476
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 16:24 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-06-06 16:24 307,200 ------w C:\WINDOWS\Setup1.exe
2008-05-15 19:58 403,794 ----a-w C:\WINDOWS\469.exe
2008-05-14 05:45 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-04-23 22:21 269,824 ----a-w C:\WINDOWS\inf\WG111v3\Vista64\wg111v3.sys
2007-04-23 22:11 224,896 ----a-w C:\WINDOWS\inf\WG111v3\wg111v3.sys
2006-12-15 19:30 98,304 ----a-w C:\WINDOWS\inf\WG111v3\UScanM.exe
2006-12-15 19:30 66,048 ----a-w C:\WINDOWS\inf\WG111v3\EAPPkt.sys
2006-12-15 19:30 315,392 ----a-w C:\WINDOWS\inf\WG111v3\InstallDriver.exe
2006-12-15 19:30 28,672 ----a-w C:\WINDOWS\inf\WG111v3\SetDrv.exe
2006-12-15 19:30 212,992 ----a-w C:\WINDOWS\inf\WG111v3\CopyWHQLDriver.exe
2006-12-15 19:30 20,480 ----a-w C:\WINDOWS\inf\WG111v3\RTWUPath.exe
2006-12-15 19:30 19,968 ----a-w C:\WINDOWS\inf\WG111v3\RTWREFU.EXE
2005-08-03 00:46 187,904 --sha-r C:\WINDOWS\U2FudGE\asappsrv.dll
2005-08-03 00:58 293,888 --sha-r C:\WINDOWS\U2FudGE\command.exe
2005-07-30 00:24 472 --sha-r C:\WINDOWS\U2FudGE\oZIRx3H.vbs
.

------- Sigcheck -------

2002-12-31 12:00 17408 41fbc74ad30ec94ccb5e381adff97801 C:\WINDOWS\system32\svchost.exe

2002-12-31 12:00 506368 57fe5ee5e09a64592c68aa4b0e006db9 C:\WINDOWS\system32\winlogon.exe

2007-06-12 23:23 1035776 3fbd51a7602a6b620be096b72e7a7a27 C:\WINDOWS\explorer.exe
2007-06-12 23:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\VCP_TEMP\explorer.exe
2007-06-12 23:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\VCP_SAVE\explorer.exe
2007-06-13 00:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-12 23:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2007-06-13 00:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
2002-12-31 12:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

2002-12-31 12:00 110592 207939da390a3cef38fdf89cf5f42277 C:\WINDOWS\system32\services.exe

2002-12-31 12:00 14848 d2d425dcd5a37199666e21b826f52fee C:\WINDOWS\system32\lsass.exe

2005-06-10 16:53 58880 d519475810eb24a5cbb31bcc45e19622 C:\WINDOWS\system32\spoolsv.exe
2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2002-12-31 13:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 08:59 124520]
"AIMWDInstallFilename"="C:\Program Files\AIM\AIMWDInstall.exe" [2004-01-12 09:29 102400]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
"msacm.fraunhoferacm"= l3codecp.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Spybot - Search & Destroy\\SDShred.exe"=
"C:\\Program Files\\NETGEAR\\WG111v3\\WG111v3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1214617059\\ee\\aolsoftware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Web Server

R2 avg8emc;AVG Free8 E-mail Scanner;C:\WINDOWS\system32\DRIVERS\avg8emc.syS []
R2 avg8wd;AVG Free8 WatchDog;C:\WINDOWS\system32\DRIVERS\avg8wd.syS []
R3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05]
R3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\DRIVERS\JL2005.syS []
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
R3 USRTI;U.S. Robotics Faxmodem Driver TI;C:\WINDOWS\system32\DRIVERS\USRTI.SYS [2004-12-24 11:16]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-07-11 17:04]
S2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-11 17:04]
S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 13:38]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2004-12-24 11:15]
S3 es1969;ESS 1969 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es1969.sys [2004-12-24 11:15]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2004-12-24 11:15]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys [2007-04-23 14:11]
S3 S3SAVAGE4M;S3SAVAGE4M;C:\WINDOWS\system32\DRIVERS\s3sav4m.sys [2004-12-24 11:16]

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{76FE34BE-BD5D-4A35-B131-1F588F2D65FE} - C:\WINDOWS\system32\rqRHaYst.dll
HKLM-Run-643d5b23 - C:\WINDOWS\system32\onkjkpqu.dll
HKLM-Run-lphcrpdj0er4j - C:\WINDOWS\system32\lphcrpdj0er4j.exe
HKLM-Run-{D5-5B-B8-8C-DW} - C:\windows\system32\dwwnw64r.exe
Notify-ddcDvvUL - ddcDvvUL.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\kkooo\Application Data\Mozilla\Firefox\Profiles\gzajy2e7.default\
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npqtplugin8.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npjava11.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npjava12.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npjava13.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npjava14.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npjava32.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npjpi160_03.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npoji610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 21:53:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\MSDTC.EXE
C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\SYSTEM32\MQSVC.EXE
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-29 21:57:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-30 05:57:02

Pre-Run: 5,701,074,944 bytes free
Post-Run: 5,743,083,520 bytes free

266 --- E O F --- 2008-06-27 21:26:32
 
hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:01, on 2008-08-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AIM\AIMWDInstall.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\Program Files\AIM\AIMWDInstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4311 bytes
 
Hi,

I really hate to have to say this but it does not look like we are making any progress.
Due to the nature of current infections ranging from bots, file patchers (yes, some of your system files appear to be patched), password stealers, name changers and a seemingly endless incoming source of malware, I truly think at this point in time it would be safest to back up the data you want to keep, format the machine & start out fresh.
At least this way you have a better chance of a clean install and knowing that the system will be safe to use.
We could go on for weeks and all the while your personal info is being plastered all over the "underground" for sale and we'll never know if we got it all removed.
I really think format is the only option at this point.

I can post some help links to safely do your re-install & some safety advice to help you stay clean if you like.

Regards,

Blender
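Blender's remark that some system files appear to be patched comes from the Sigcheck block in the ComboFix log posted above. The script below is an added example, not a tool from this thread or from ComboFix: it parses those Sigcheck lines (copied here as a constructed sample), treats the copy in C:\WINDOWS or C:\WINDOWS\system32 as the live one (an assumed default XP layout), and reports whether its MD5 and size match any hotfix or uninstall backup copy on disk. A copy that matches nothing on disk is a lead to compare against a vendor hash list, not proof of tampering, since GDR and QFE hotfix branches legitimately differ.

```python
import re
from collections import defaultdict

# Constructed sample: the Sigcheck block as it appears in the ComboFix log in this thread.
SIGCHECK_SAMPLE = r"""
2002-12-31 12:00 17408 41fbc74ad30ec94ccb5e381adff97801 C:\WINDOWS\system32\svchost.exe
2002-12-31 12:00 506368 57fe5ee5e09a64592c68aa4b0e006db9 C:\WINDOWS\system32\winlogon.exe
2007-06-12 23:23 1035776 3fbd51a7602a6b620be096b72e7a7a27 C:\WINDOWS\explorer.exe
2007-06-12 23:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\VCP_TEMP\explorer.exe
2007-06-12 23:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\VCP_SAVE\explorer.exe
2007-06-13 00:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-12 23:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2007-06-13 00:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
2002-12-31 12:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2002-12-31 12:00 110592 207939da390a3cef38fdf89cf5f42277 C:\WINDOWS\system32\services.exe
2002-12-31 12:00 14848 d2d425dcd5a37199666e21b826f52fee C:\WINDOWS\system32\lsass.exe
2005-06-10 16:53 58880 d519475810eb24a5cbb31bcc45e19622 C:\WINDOWS\system32\spoolsv.exe
2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2002-12-31 13:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
"""

# One Sigcheck line: "<date> <time> <size> <md5> <path>".
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9a-f]{32})\s+(.+)$")

# Directories whose copy Windows actually loads (assumption: default XP layout).
# Everything else ($hf_mig$, $NtUninstall..., SoftwareDistribution, VCP_*) is a reference copy.
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_sigcheck(text):
    """Return a list of (timestamp, size, md5, path) tuples, one per Sigcheck line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            rows.append((stamp, int(size), md5.lower(), path))
    return rows


def split_path(path):
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def analyze(rows):
    """Compare each live system file with the backup copies ComboFix listed next to it."""
    by_name = defaultdict(lambda: {"live": None, "refs": []})
    for _stamp, size, md5, path in rows:
        directory, name = split_path(path)
        if directory in LIVE_DIRS:
            by_name[name]["live"] = (size, md5, path)
        else:
            by_name[name]["refs"].append((size, md5, path))

    report = {}
    for name, entry in by_name.items():
        live, refs = entry["live"], entry["refs"]
        if live is None:
            report[name] = "NO_LIVE_COPY"
        elif not refs:
            # Only one copy on disk: nothing local to compare, check a vendor hash list instead.
            report[name] = "NO_REFERENCE"
        elif any(live[1] == ref[1] for ref in refs):
            report[name] = "MATCHES_REFERENCE"
        elif all(live[0] != ref[0] for ref in refs):
            # Neither hash nor size matches any backup copy: the strongest on-disk signal.
            report[name] = "NO_MATCH_SIZE_DIFFERS"
        else:
            report[name] = "NO_MATCH"
    return report


if __name__ == "__main__":
    for name, status in sorted(analyze(parse_sigcheck(SIGCHECK_SAMPLE)).items()):
        print(f"{name:14} {status}")
```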
 
When you format --- everything gets deleted.
Everything.
Good stuff, Windows, Viruses, all of it.

That is why I tell you to back up your important stuff before you do anything.
Burn it to CD or whatever but you will need to back it up someplace OTHER THAN the drive you have windows installed on.
And before you put your backups back on system or use them --- you will need to scan it with antivirus to make sure you didn't back up infections.

You will need your XP install CD, Your drivers CD, and your software CD that came with the computer.
If you installed other hardware after buying the PC then you will need the Driver/software CD for it too.

If no CDs... then you will need to use the recovery partition on your computer to restore it back to factory settings.
Usually F11 at bootup to access the recovery partition.
 
Please download this tool from Microsoft.
http://go.microsoft.com/fwlink/?linkid=52012

Double click on MGADiag.exe to run it.

Click Continue.

The program will run. It takes a while to finish the diagnosis, please be patient.

Once done, click on Copy.

Open Notepad and paste the contents in. Save this file and post it in your next reply, along with a new HijackThis log
 
That tool doesn't format the computer lol.
It is just to check the genuine status of it.

What do you mean you can't get online if you format?
Don't you have the driver for your wireless on a cd or something?
If you don't --- download the wireless driver/software & burn it to CD or something.
 