Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

#1
Vundo and IRCBOT -- Appreciate any help.
Well, I've gone through and scanned my computer with about 3 different virus scanners that cannot remove these. I tried VundoFix and rebooted and still, my Spybot keeps popping up saying something's trying to make browser changes etc. I can't seem to find anything for the IRCBOT though. I downloaded HijackThis and DSS, but every time I run DSS it comes up with an error and cannot complete the scan. The Backdoor.IRCBOT.APG I guess is the MSN virus >.< The other, possibly let in from that? No idea where I got it. But it's bogging my computer down (not terribly just yet). And when I play World of Warcraft, usually just in raids, my mouse and keyboard will stop working; it'll bring up my chat log as if I were trying to type something in raid, Ctrl+V to turn HP bars on, then window me out. Veeeeery annoying. I'd like to try and fix this because currently my Windows disks are a couple of states away :/ Thank you in advance for any help! Oh, and by the way, the programs I have run would be Spybot S&D, VundoFix, ClamWin, Trend Micro (online scan).

#2
OK, well, I just ran ComboFix, and this is the log it left...
ComboFix 08-04-04.1 - Steph 2008-04-06 15:01:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.578 [GMT -5:00]
Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM83c69c14.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXQgGwX.dll
C:\WINDOWS\system32\dNXHOXyb.ini2
C:\WINDOWS\system32\hfgyqmgj.dll
C:\WINDOWS\system32\jgmqygfh.ini
C:\WINDOWS\system32\kmUwwyay.ini
C:\WINDOWS\system32\kmUwwyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opbtjhej.dll
C:\WINDOWS\system32\pijdanqh.dll
C:\WINDOWS\system32\rqRjHBrQ.dll
C:\WINDOWS\system32\sisjmcbe.dll
C:\WINDOWS\system32\yaywwUmk.dll
.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.
2008-04-06 14:59 . 2008-04-06 14:59 <DIR> dr-h----- C:\Documents and Settings\Steph\Application Data\yahoo!
2008-04-06 13:51 . 2008-04-06 13:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 13:02 . 2008-04-06 13:29 <DIR> d-------- C:\VundoFix Backups
2008-04-06 03:01 . 2008-04-06 14:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-06 02:58 . 2008-04-06 14:51 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\HouseCall 6.6
2008-04-06 02:56 . 2008-04-06 02:56 <DIR> d-------- C:\Program Files\Java
2008-04-06 02:55 . 2008-04-06 02:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 02:16 . 2008-04-06 13:30 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\ClamWin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-01 20:42 . 2008-04-01 20:42 268,288 --a------ C:\WINDOWS\system32\yaywwUmk.dll_old
2008-04-01 20:34 . 2008-04-01 20:34 38,912 -r-hs---- C:\WINDOWS\msn.com
2008-03-27 20:18 . 2008-04-06 14:58 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 20:18 . 2008-04-06 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-25 10:26 . 2008-03-25 10:26 <DIR> d-------- C:\Logs
2008-03-19 00:16 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-07 20:24 . 1998-02-13 15:30 143,872 --a------ C:\WINDOWS\system32\iacenc.dll
2008-03-07 20:24 . 1997-06-13 09:56 56,832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-03-07 20:24 . 1997-11-06 13:53 27,648 --a------ C:\WINDOWS\system32\ir50_lcs.dll
2008-03-07 20:24 . 2008-03-07 20:24 5,952 --a------ C:\WINDOWS\system32\CDUninst.isu
2008-03-07 20:23 . 2008-03-07 20:23 <DIR> d-------- C:\Program Files\Common Files\Intel Shared
2008-03-07 20:22 . 2008-03-07 20:24 <DIR> d-------- C:\Galleries
2008-03-07 20:21 . 2008-03-07 20:21 <DIR> d-------- C:\Program Files\Web Publish
2008-03-07 20:21 . 2008-03-07 20:21 <DIR> d-------- C:\Program Files\Intel
2008-03-07 20:21 . 1998-09-02 03:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-03-07 20:21 . 1998-08-26 23:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2008-03-07 20:21 . 1998-08-20 06:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-03-07 20:21 . 1998-09-02 03:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-03-07 20:21 . 1998-09-02 03:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-03-07 20:21 . 1998-08-17 04:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-03-07 20:21 . 1998-08-17 04:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-03-07 20:21 . 1998-08-17 04:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-03-07 20:21 . 2008-03-07 20:21 3,216 --a------ C:\WINDOWS\SMUninst.ins
2008-03-07 20:20 . 2008-03-07 20:20 <DIR> d-------- C:\Documents and Settings\Steph\WINDOWS
2008-03-07 20:20 . 1998-07-30 13:51 305,152 --a------ C:\WINDOWS\IsUninst.exe
2008-03-07 15:35 . 2008-03-07 15:35 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-07 10:26 . 2008-03-07 10:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-06 20:04 . 2008-03-06 20:04 <DIR> d-------- C:\temp\cs430_XP
2008-03-06 20:04 . 2008-03-06 20:04 <DIR> d-------- C:\temp
2008-03-06 19:53 . 2008-03-28 18:08 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\Corel
2008-03-06 19:53 . 2008-03-06 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-03-06 19:53 . 2008-03-28 18:08 1,682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-06 19:52 . 2008-03-06 19:53 <DIR> d-------- C:\Program Files\Corel
2008-03-06 19:52 . 2008-03-06 19:52 <DIR> d-------- C:\Program Files\Common Files\Corel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 18:30 --------- d-----w C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-06 07:55 --------- d-----w C:\Program Files\Windows Live
2008-04-01 17:32 --------- d-----w C:\Program Files\World of Warcraft
2008-03-05 19:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-05 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 04:34 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-02 04:34 --------- d-----w C:\Documents and Settings\Steph\Application Data\teamspeak2
2008-02-29 19:59 --------- d-----w C:\Documents and Settings\Steph\Application Data\Creative
2008-02-29 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 07:08 --------- d-----w C:\Program Files\Creative
2008-02-25 07:07 --------- d-----w C:\Program Files\Audible
2008-02-25 07:05 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-25 07:04 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-25 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-02-24 00:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-16 00:42 --------- d-----w C:\Program Files\Starcraft
2008-02-16 00:23 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-02-14 07:22 --------- d-----w C:\Documents and Settings\Steph\Application Data\Ventrilo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 11:06 700416]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-08-04 12:00 462336]
"Windows live Messenger"="msn.com" [2008-04-01 20:34 38912 C:\WINDOWS\msn.com]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQgGwX]
byXQgGwX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll
"msacm.lhacm"= lhacm.acm
"vidc.I263"= I263_32.drv
"MSACM.G723"= g723.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 1980-04-06 15:04:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-06 15:06:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-06 20:06:42
Pre-Run: 118,186,205,184 bytes free
Post-Run: 118,278,225,920 bytes free
.
2008-03-11 21:09:33 --- E O F ---
#3
And here's a HijackThis log also (after running ComboFix). The msn.com thing is still there >.<
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:14 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\msn.com
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 3351 bytes
#4
Hi Kainiaa. Close Internet Explorer and any open windows and run HijackThis again. Check the entries below and click on Fix Checked.

O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)

Open Notepad and copy and paste the text in the codebox below into it:
Code:
File::
C:\WINDOWS\msn.com
C:\WINDOWS\system32\yaywwUmk.dll_old

DirLook::
C:\Documents and Settings\Steph\WINDOWS

ComboFix will run again. When the fix completes it will create a C:\ComboFix.txt log. Please post that log in your next reply. Also post a new HijackThis log.
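The two entries the helper picked out above are the ones a reviewer flags by eye: a Run-key value whose label says "Windows live Messenger" but whose target is a bare `msn.com` (a .com executable sitting in C:\WINDOWS, listed earlier by ComboFix with read-only/hidden/system attributes, found by PATH search at logon), and a Winlogon Notify subkey with a generated-looking name whose DLL ComboFix already deleted. The script below is an added example, not part of this thread and not code from HijackThis or ComboFix: it parses HijackThis v2 O4, O20 and O23 lines and applies those checks. The sample lines, the `Finding` severities, the 8-letter mixed-case name heuristic and the list of stock XP SP2 Winlogon Notify entries are all assumptions of the example.

```python
"""Triage autostart entries from a HijackThis v2 log.

Added example for this thread: it applies, in code, the checks the helper made
by eye on the O4 Run-key, O20 Winlogon Notify and O23 service lines.  The
sample log, the stock-entry list and the scoring rules are assumptions of
this example, not output of HijackThis or ComboFix.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 line format.  It mirrors a few of the
# entries posted above but is not a copy of any full log from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)
O20 - Winlogon Notify: ScCertProp - wlnotify.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

# Startup programs are almost always .exe.  These extensions are executable
# too and are found by PATH search, which is how a bare "msn.com" in the Run
# key ends up launching C:\WINDOWS\msn.com at logon.
NON_EXE_EXECUTABLE = {".com", ".scr", ".pif", ".bat", ".cmd"}

# Winlogon Notify subkeys found on a stock XP SP2 install.  Assumption of this
# example (compiled from memory of default installs, not from the thread).
STOCK_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Finding:
    severity: str  # "high": remove/quarantine; "verify": confirm the file on disk first
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def looks_random(name: str) -> bool:
    """Heuristic for Vundo-style names: exactly 8 letters with mixed case (byXQgGwX, rqRjHBrQ)."""
    if len(name) != 8 or not name.isalpha() or name in (name.lower(), name.upper()):
        return False
    case_changes = sum(1 for a, b in zip(name, name[1:]) if a.islower() != b.islower())
    return case_changes >= 3


def triage(log_text: str) -> list:
    """Return Findings for the O4/O20/O23 lines that need attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            ext = ntpath.splitext(exe)[1].lower()
            if ext in NON_EXE_EXECUTABLE:
                findings.append(Finding("high", line,
                                        f"startup target '{exe}' is a {ext} file, not an .exe; "
                                        f"do not trust the entry label '{m['label']}'"))
            elif ntpath.dirname(exe) == "":
                findings.append(Finding("verify", line,
                                        f"bare name '{exe}' is resolved via PATH at logon; "
                                        "confirm which file actually loads"))
        elif m := O20_RE.match(line):
            name, dll = m["name"], m["dll"]
            if "(file missing)" in dll:
                findings.append(Finding("high", line,
                                        f"Winlogon Notify '{name}' points at a DLL that no longer "
                                        "exists; the orphaned key should still be removed"))
            elif looks_random(name):
                findings.append(Finding("high", line, f"Winlogon Notify '{name}' has a generated-looking name"))
            elif name.lower() not in STOCK_WINLOGON_NOTIFY:
                findings.append(Finding("verify", line, f"Winlogon Notify '{name}' is not a stock XP entry"))
        elif m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("verify", line,
                                        f"service '{m['name']}' ({m['path']}) has no vendor info; check its publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against a saved HijackThis log by passing the file contents to `triage()`. On the sample it returns four findings: the `msn.com` Run entry and the orphaned `byXQgGwX` Notify key as "high", and the bare `SOUNDMAN.EXE` target and the "Unknown owner" ATI Smart service as "verify". The "verify" items are exactly the kind of thing the helper's `DirLook::` and `File::` directives exist for: a PATH-resolved name or an unsigned service binary is not evidence of infection on its own, but it has to be confirmed on disk before the log can be called clean.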
#5
Here's before I did the HijackThis "Fix checked":
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:55 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 4056 bytes
#6
And here's after... although I tried doing the ComboFix thing... it brought up the loading bar, loaded, a blue window blinked on screen, but it left no .txt.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:30 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 3944 bytes
#7
I also ran Kaspersky Online scan and... not too happy with what it found >.< But here's the log for that...
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 08, 2008 3:20:19 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/04/2008
Kaspersky Anti-Virus database records: 689148
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 54519
Number of viruses found: 12
Number of infected objects: 76
Number of suspicious objects: 0
Duration of the scan process: 03:36:50

Infected Object Name / Virus Name / Last Action
C:\ddc78b431874b1366d7e349a663a\$shtdwn$.req Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steph\Application Data\HouseCall 6.6\Backup\yaywwUmk.dll_old.bac_a07784 Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\Documents and Settings\Steph\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\cert8.db Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\history.dat Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\key3.db Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\parent.lock Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Steph\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temp\hsperfdata_Steph\3692 Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temp\TMP000000014CF7C38B962B5F08 Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temp\~DF8D92.tmp Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steph\ntuser.dat Object is locked skipped
C:\Documents and Settings\Steph\NTUSER.DAT.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hfgyqmgj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opbtjhej.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pijdanqh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRjHBrQ.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sisjmcbe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\QooBox\Quarantine\catchme2008-04-06_150447.34.zip/Documents and Settings/Steph/Desktop/catchme.zip/byXQgGwX.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\QooBox\Quarantine\catchme2008-04-06_150447.34.zip/Documents and Settings/Steph/Desktop/catchme.zip/yaywwUmk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\QooBox\Quarantine\catchme2008-04-06_150447.34.zip/Documents and Settings/Steph/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\QooBox\Quarantine\catchme2008-04-06_150447.34.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP162\A0011214.com Infected: Backdoor.Win32.IRCBot.cgj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP163\A0011226.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011363.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011365.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011366.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011367.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011370.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011373.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011374.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011375.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011376.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011497.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011498.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011501.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011502.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxi skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011745.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011746.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011754.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011755.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011756.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011757.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011758.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011759.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011760.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011761.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011767.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011768.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011770.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011771.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011772.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011773.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011774.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011776.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011777.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011778.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011779.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011780.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011853.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011908.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011909.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011910.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\System Volume
Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011911.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011912.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP176\change.log Object is locked skipped C:\VundoFix Backups\cbXPiHwX.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped C:\VundoFix Backups\ddcYPGya.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped C:\VundoFix Backups\efcAQJCv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\efcYsTLF.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\hgGyabXP.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\iiffDWMG.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\khfCtuVp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\nnnmkJde.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\nnnoOiIy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\opnkkiGy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped C:\VundoFix Backups\pmnnmlKe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\rqRLdAqO.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\rqRLeDus.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped C:\VundoFix Backups\rqRLfgee.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped C:\VundoFix Backups\ssqRhefC.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped C:\WINDOWS\Debug\mrt.log Object is locked skipped C:\WINDOWS\Debug\mrteng.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped 
C:\WINDOWS\msn.com Infected: Backdoor.Win32.IRCBot.cgj skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\system32\yaywwUmk.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. |
#8
There is a bug in the version of ComboFix that you are using, Kainiaa. Please uninstall it. To do this, go to Start > Run and type:
ComboFix /u
and click OK. Now download a fresh copy from the link I posted and run it as per my earlier instructions and post the log.
#9
The ComboFix log needs to be split up into 2 posts (sorry).
#10
#11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31, on 2008-04-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 3928 bytes
#12
Did you create a script and run it? The files that I identified are still present and there is no indication that a script has run. See below:
Quote:
#13
Ok, I did do the script the first time, but I did it again so here's the 2nd attempt...
ComboFix 08-04-08.5 - Steph 2008-04-08 23:09:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.751 [GMT -5:00]
Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steph\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.
2008-04-07 23:32 . 2008-04-07 23:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-07 23:32 . 2008-04-07 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-07 23:31 . 2008-04-07 23:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-07 23:22 . 2008-04-07 23:22 <DIR> d-------- C:\WINDOWS\Sun
2008-04-07 23:22 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 23:21 . 2008-04-07 23:22 <DIR> d-------- C:\Program Files\Java
2008-04-07 13:18 . 2008-04-07 13:18 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-07 13:18 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-07 13:18 . 2008-04-07 13:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-07 13:17 . 2008-04-07 13:18 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-07 13:17 . 2008-04-07 13:17 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-07 13:15 . 2008-04-07 13:15 <DIR> dr-h----- C:\MSOCache
2008-04-06 14:59 . 2008-04-06 14:59 <DIR> dr-h----- C:\Documents and Settings\Steph\Application Data\yahoo!
2008-04-06 13:51 . 2008-04-06 13:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 13:02 . 2008-04-06 13:29 <DIR> d-------- C:\VundoFix Backups
2008-04-06 03:01 . 2008-04-06 14:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-06 02:58 . 2008-04-06 14:51 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\HouseCall 6.6
2008-04-06 02:55 . 2008-04-06 02:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 02:16 . 2008-04-06 13:30 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\ClamWin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-01 20:42 . 2008-04-01 20:42 268,288 --a------ C:\WINDOWS\system32\yaywwUmk.dll_old
2008-04-01 20:34 . 2008-04-01 20:34 38,912 -r-hs---- C:\WINDOWS\msn.com
2008-03-27 20:18 . 2008-04-06 14:58 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 20:18 . 2008-04-06 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-25 10:26 . 2008-03-25 10:26 <DIR> d-------- C:\Logs
2008-03-19 00:16 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 18:30 --------- d-----w C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-06 07:55 --------- d-----w C:\Program Files\Windows Live
2008-04-01 17:32 --------- d-----w C:\Program Files\World of Warcraft
2008-03-28 23:08 --------- d-----w C:\Documents and Settings\Steph\Application Data\Corel
2008-03-08 01:23 --------- d-----w C:\Program Files\Common Files\Intel Shared
2008-03-08 01:21 --------- d-----w C:\Program Files\Web Publish
2008-03-08 01:21 --------- d-----w C:\Program Files\Intel
2008-03-07 15:26 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-07 00:53 --------- d-----w C:\Program Files\Corel
2008-03-07 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-03-07 00:52 --------- d-----w C:\Program Files\Common Files\Corel
2008-03-05 19:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-05 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 04:34 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-02 04:34 --------- d-----w C:\Documents and Settings\Steph\Application Data\teamspeak2
2008-02-29 19:59 --------- d-----w C:\Documents and Settings\Steph\Application Data\Creative
2008-02-29 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 07:08 --------- d-----w C:\Program Files\Creative
2008-02-25 07:07 --------- d-----w C:\Program Files\Audible
2008-02-25 07:05 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-25 07:04 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-25 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-02-24 00:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-16 00:42 --------- d-----w C:\Program Files\Starcraft
2008-02-16 00:23 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-02-14 07:22 --------- d-----w C:\Documents and Settings\Steph\Application Data\Ventrilo
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Documents and Settings\Steph\WINDOWS ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 11:06 700416]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-08-04 12:00 462336]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"MSACM.G723"= g723.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

*Newly Created Service* - OSE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 23:10:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-08 23:11:24
ComboFix-quarantined-files.txt 2008-04-09 04:11:10

Pre-Run: 116,958,945,280 bytes free
Post-Run: 116,948,271,104 bytes free
.
2008-04-08 19:48:08 --- E O F ---
#14
And here's HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:41 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 3899 bytes
#15
The scripts don't appear to be running. We have had nothing but problems with this utility so we will try another.
Download The Avenger from here to your Desktop and unzip it. Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy".

Code:
Files to delete:
C:\WINDOWS\msn.com
C:\WINDOWS\system32\yaywwUmk.dll_old

Folders to delete:
C:\Documents and Settings\Steph\WINDOWS

Next, put a checkmark next to "Scan for Rootkits" but make sure that "Automatically Disable Any Rootkit Found" is unchecked for now. We may use this option later on if a malicious file is found.

Click on the Execute button and click Yes when you are asked if you are sure you want to execute this script. Click Yes when you are asked if you want to reboot now. The Avenger will restart your computer (on some occasions, The Avenger may restart your computer twice).

When you have rebooted, a logfile will open that has recorded all the actions that The Avenger performed (this log file is saved to C:\avenger.txt). The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt and a new HijackThis log.
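The two files the helper targets above stand out in the ComboFix "Files Created" listing because of their attributes and location. As an added illustration (not part of this thread, and not ComboFix's own tooling), the following Python triage script parses entries in the line format seen in post #13 (that format, the attribute-letter meanings and the heuristics are assumptions on my part) and flags the same patterns: a hidden+system plain file, a .com executable dropped directly under C:\WINDOWS, and a renamed DLL left in system32.

```python
"""Triage ComboFix "Files Created" entries (added example, not from the thread).

Assumed line format, read off the log in post #13: creation time, " . ",
modification time, "<DIR>" or a byte count, a 9-character attribute string
(d=directory, r=read-only, a=archive, h=hidden, s=system, c=compressed), path.
"""
import re
from collections import namedtuple

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)

# Constructed sample: five entries copied from the ComboFix log in post #13.
SAMPLE_LOG = r"""
2008-04-07 23:22 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 13:15 . 2008-04-07 13:15 <DIR> dr-h----- C:\MSOCache
2008-04-01 20:42 . 2008-04-01 20:42 268,288 --a------ C:\WINDOWS\system32\yaywwUmk.dll_old
2008-04-01 20:34 . 2008-04-01 20:34 38,912 -r-hs---- C:\WINDOWS\msn.com
2008-03-19 00:16 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
"""

Entry = namedtuple("Entry", "created modified is_dir size attrs path")


def parse_entry(line):
    """Parse one listing line; return None for headers, blanks and noise."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    size = m.group("size")
    return Entry(m.group("created"), m.group("modified"), size == "<DIR>",
                 0 if size == "<DIR>" else int(size.replace(",", "")),
                 m.group("attrs"), m.group("path"))


def suspicious_reasons(entry):
    """Heuristics modelled on what the helper singled out in this thread."""
    reasons = []
    low = entry.path.lower()
    if not entry.is_dir and "h" in entry.attrs and "s" in entry.attrs:
        reasons.append("plain file marked hidden+system")
    # .exe is deliberately not included: legitimate uninstallers also sit
    # directly under C:\WINDOWS (C:\WINDOWS\ScUnin.exe in the Find3M report).
    in_windows_root = low.startswith("c:\\windows\\") and low.count("\\") == 2
    if in_windows_root and low.endswith((".com", ".pif", ".scr")):
        reasons.append("executable dropped directly under C:\\WINDOWS")
    # A DLL renamed to .dll_<something> in system32 is a leftover, not a library.
    if "\\system32\\" in low and re.search(r"\.dll_\w+$", low):
        reasons.append("renamed DLL left behind in system32")
    return reasons


def triage(log_text):
    """Map each flagged path to the list of reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            reasons = suspicious_reasons(entry)
            if reasons:
                findings[entry.path] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```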