Welcome to MalwareRemoval.com,

My HiJackThis Logfile

Post by ryans » October 7th, 2007, 6:48 pm

Looks like the images did not appear; copy and paste the URLs that appear at the bottom into your browser.
ryans
Active Member
 
Posts: 14
Joined: September 12th, 2007, 10:45 pm

Post by Kairis » October 8th, 2007, 11:55 am

== Update Java ==
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6u3.
  • Scroll down (it's the fourth one down on the page) to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

== Run HJT Scan ==

¤¤ Start HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
¤¤ Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {8e6cd0fa-ee9e-41b6-9ee0-06c055ceaeb7} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A58ECE8A-274B-4B81-9526-4878D500A590} - (no file)
O2 - BHO: (no name) - {B71991AA-F780-417E-48AE-195ED756E9E7} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {BE0BB3BE-F8BD-448C-869E-DC0700974789} - (no file)
O2 - BHO: (no name) - {C21E2F7A-32FD-4AA7-B9C8-20C476673BEA} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {E24B5D3F-0150-4823-8EAB-43BC40E94C80} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FC7D26E7-6697-4CBE-8B77-61AE360AC04B} - (no file)
O20 - Winlogon Notify: efcyxyw - efcyxyw.dll (file missing)
O20 - Winlogon Notify: mljhi - C:\WINDOWS\

¤¤ Close all open windows and browsers/email, etc...
¤¤ Click on the "Fix Checked" button
¤¤ When completed, close the application.

== Check on status ==
After you have completed the above, please provide:

* new HijackThis log
* description of any problems you are having with your PC
Kairis
Regular Member
 
Posts: 524
Joined: September 15th, 2006, 1:45 pm
Location: Southern Finland
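An added example, not code from the thread or from HijackThis: a small Python parser for HijackThis v2 log lines that flags the kinds of entries Kairis asked to have fixed above (BHOs and URLSearchHooks whose target shows "(no file)", unnamed BHOs, a Winlogon Notify DLL that is "(file missing)") and reports the registry key each one lives under, so the entry can be confirmed outside the tool. The sample lines are constructed from entries in this thread; the assumption that a path never contains " - " is noted in the code.

```python
"""Flag orphaned HijackThis entries of the kind fixed in this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HijackThis v2 lines modelled on the entries in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll (file missing)
O20 - Winlogon Notify: efcyxyw - efcyxyw.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
"""

# Markers HijackThis appends when the registered file is not present on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Registry locations behind each section, so a finding can be verified by hand.
REGISTRY_ROOTS = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    "R3": r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks",
    "O20": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
}

LINE_RE = re.compile(
    r"^(?P<section>O2|R3|O20) - (?:BHO|URLSearchHook|Winlogon Notify): (?P<rest>.*)$"
)


@dataclass
class Entry:
    section: str
    name: str
    ident: str  # CLSID for O2/R3, the Notify subkey name for O20
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def registry_key(self) -> str:
        return REGISTRY_ROOTS[self.section] + "\\" + self.ident


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2, R3 or O20 line; any other section returns None.

    Fields are split from the right on ' - ', which assumes the file path
    itself never contains that separator (true for the logs in this thread).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    if section == "O20":  # "name - path"
        parts = rest.rsplit(" - ", 1)
        if len(parts) != 2:
            return None
        return Entry(section, parts[0], parts[0], parts[1])
    parts = rest.rsplit(" - ", 2)  # "name - {CLSID} - path"
    if len(parts) != 3:
        return None
    return Entry(section, parts[0], parts[1], parts[2])


def flag(entry: Entry) -> Entry:
    """Attach the reasons an entry deserves attention; no reasons means it looks fine."""
    if entry.path.endswith(MISSING_MARKERS):
        entry.reasons.append("registered file is absent from disk")
    if entry.name == "(no name)":
        entry.reasons.append("entry registered without a name")
    if entry.section != "O20" and not entry.ident.startswith("{"):
        entry.reasons.append("identifier is not a CLSID")
    return entry


def audit(log_text: str) -> List[Entry]:
    """Return only the entries that picked up at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and flag(entry).reasons:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.section} {f.name} -> {f.registry_key}: {'; '.join(f.reasons)}")
```

The oembios32 BHO is the one whose key ComboFix still reports later in the thread, which is why the follow-up CFScript removes it by CLSID.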

Post by ryans » October 8th, 2007, 3:33 pm

The computer is still very slow. When booting, as windows loads the desktop begins to display with the normal background but no icons on the desktop. After three or four minutes (during this time nothing will load or run) this image appears as the desktop background followed shortly by the desktop icons:
[img]http://farm1.static.flickr.com/236/1517007875_42b41ddc96.jpg[/img] (http://www.flickr.com/photos/fryry/1517007875/)
Here is the HJ log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:28 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 4984 bytes
ryans
Active Member
 
Posts: 14
Joined: September 12th, 2007, 10:45 pm

Post by ryans » October 9th, 2007, 2:11 am

Something else I just noticed:
The desktop isn't showing the contents of the "C:\Documents and Settings\Ginger\Desktop" directory. Instead it shows "C:\Documents and Settings\TEMP\Desktop". I'm logging in as my regular account, which is also admin so the Ginger directory should be the one windows accesses.

Still no network connectivity either.
ryans
Active Member
 
Posts: 14
Joined: September 12th, 2007, 10:45 pm

Post by ryans » October 9th, 2007, 12:23 pm

I ran ComboFix. This resulted in a slight increase in the startup speed when Windows loads and the odd desktop background mentioned before. The desktop is still being redirected to the TEMP directory though, and no network connectivity. Here is the ComboFix log and a new HJT log:

ComboFix 07-10-09.2 - Ginger 2007-10-08 23:40:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.117 [GMT -4:00]
Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
C:\Documents and Settings\Ginger\Application Data\CURITY~1
C:\Documents and Settings\Ginger\Application Data\install.dat
C:\Documents and Settings\Ginger\Application Data\install.dat
C:\Documents and Settings\Ginger\Application Data\microsoft\internet explorer\Desktop.htt
C:\Documents and Settings\Ginger\Application Data\WinAntiSpyware 2007 Free
C:\Documents and Settings\Ginger\Application Data\WinAntiSpyware 2007 Free\description.txt
C:\Documents and Settings\Ginger\Application Data\WinAntiSpyware 2007 Free\description.txt
C:\Documents and Settings\Ginger\Application Data\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\Documents and Settings\Ginger\Application Data\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\Documents and Settings\Ginger\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Ginger\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\Ginger\Application Data\WinAntiVirus Pro 2007\avtasks.dat
C:\Documents and Settings\Ginger\Application Data\WinAntiVirus Pro 2007\CookieList.dat
C:\Documents and Settings\Ginger\Application Data\WinAntiVirus Pro 2007\history.db
C:\Documents and Settings\Ginger\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\Documents and Settings\Ginger\Application Data\WinAntiVirus Pro 2007\Logs\winav.log
C:\Documents and Settings\Ginger\Application Data\WinAntiVirus Pro 2007\PGE.dat
C:\Documents and Settings\Ginger\Desktop\bravesentry.lnk
C:\Documents and Settings\Ginger\err.log
C:\Documents and Settings\Ginger\Start Menu\Programs\Brave-Sentry
C:\Documents and Settings\Ginger\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
C:\Documents and Settings\Ginger\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\appatc~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantivirus pro 2007
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\UWA7P
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\bndownyv.dll
C:\WINDOWS\system32\cqjbddij.dll
C:\WINDOWS\system32\D2
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\dxdbvdud.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\X1
C:\WINDOWS\system32\X11
C:\WINDOWS\system32\X3
C:\WINDOWS\system32\X7
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wbun.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\ystem~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN


((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 23:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 19:57 <DIR> d-------- C:\update
2007-10-08 19:28 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-08 19:28 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-08 19:26 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-10-08 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-08 19:26 921,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-08 19:26 10,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-08 19:25 <DIR> d-------- C:\KAV
2007-09-15 23:18 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-14 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-13 21:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 03:52 2,036 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-09 03:52 13,388 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-09 03:34 --------- d-----w C:\Documents and Settings\TEMP\Application Data\U3
2007-10-09 03:34 --------- d-----w C:\Documents and Settings\TEMP\Application Data\U3
2007-10-09 03:34 --------- d-----w C:\Documents and Settings\TEMP\Application Data\U3
2007-10-09 02:48 --------- d-----w C:\Program Files\Rabio
2007-09-13 01:42 --------- d-----w C:\Program Files\Yahoo!
2007-09-08 01:50 17,408 ----a-w C:\psapi.dll
2007-09-08 01:04 --------- d-----w C:\Program Files\Azureus
2007-09-07 23:39 --------- d-----w C:\Program Files\a-squared Free
2007-09-07 22:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\NetMon
2007-09-07 08:34 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-09-06 18:53 --------- d-----w C:\Program Files\LimeWire
2007-09-06 18:53 --------- d-----w C:\Program Files\Incomplete
2007-08-31 21:27 21,419 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-08-31 21:26 --------- d-----w C:\Program Files\TRENDnet
2007-08-30 01:09 --------- d-----w C:\Documents and Settings\Ginger\Application Data\Tenebril
2007-08-30 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tenebril
2007-08-27 03:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-27 00:14 --------- d-----w C:\Documents and Settings\Ginger\Application Data\Lycos
2007-08-26 23:12 --------- d-----w C:\Program Files\Enigma Software Group
2007-08-25 19:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-25 19:20 --------- d-----w C:\Program Files\ATI Technologies
2007-08-25 19:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-25 17:20 --------- d-----w C:\Documents and Settings\Ginger\Application Data\U3
2007-08-17 07:01 --------- d-----w C:\Program Files\MSXML 4.0
2007-08-13 17:12 --------- d-----w C:\Program Files\CCleaner
2007-08-13 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google
2007-08-13 16:00 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-13 16:00 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-13 15:57 --------- d-----w C:\Program Files\Lavasoft
2007-08-13 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-13 15:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-08-10 06:54 --------- d-----w C:\Documents and Settings\Ginger\Application Data\acccore
2007-08-10 06:53 --------- d-----w C:\Program Files\AIM6
2007-08-10 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-08-10 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-10 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-08-10 06:51 --------- d-----w C:\Program Files\Viewpoint
2007-08-10 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-08-10 06:50 --------- d-----w C:\Program Files\Common Files\AOL
2007-08-10 06:36 --------- d-----w C:\Documents and Settings\Ginger\Application Data\Lavasoft
2004-07-19 19:11 67 -c--a-w C:\Documents and Settings\Ginger\x.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236}]
C:\WINDOWS\system32\oembios32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-28 14:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 21:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.15.lnk - C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-01-30 14:57:42]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 23:54:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-08 23:57:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 23:56
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:38 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 5031 bytes
ryans
Active Member
 
Posts: 14
Joined: September 12th, 2007, 10:45 pm

Post by Kairis » October 9th, 2007, 1:19 pm

Hi. As I wrote Mon 17 Sep, 2007 9:04 am:
Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted.

That much malware can do permanent damage that we cannot undo.
System files have likely been affected, and we may not be able to fix them.

But if you like, we can still try:

Check that combofix.exe is on your Desktop
Then open Notepad: press Start->Run, type notepad and click OK
Copy/paste the contents of the below code box into Notepad:


Code:
File:: 

C:\Documents and Settings\Ginger\x.bat 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236}] 

Folder:: 

C:\Program Files\Rabio


Save this to your Desktop as CFScript.txt
[image: screenshot]
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Note: Do not click ComboFix's window while it's running - it may cause it to stall!
Once complete, please post the new ComboFix report and a new HijackThis log.
Kairis
Regular Member
 
Posts: 524
Joined: September 15th, 2006, 1:45 pm
Location: Southern Finland

Unread postby ryans » October 9th, 2007, 3:28 pm

ComboFix 07-10-09.2 - Ginger 2007-10-09 15:09:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.77 [GMT -4:00]
Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\TEMP\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\Ginger\x.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Rabio
C:\Program Files\Rabio\Rabio.dll.intermediate.manifest
C:\Program Files\Rabio\resellerid.txt
C:\Program Files\Rabio\se.info
C:\Program Files\Rabio\se.original
C:\Program Files\Rabio\Setup.log
C:\Program Files\Rabio\X_se.log

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 23:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 19:57 <DIR> d-------- C:\update
2007-10-08 19:28 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-08 19:28 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-08 19:26 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-10-08 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-08 19:26 1,069,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-08 19:26 16,416 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-08 19:25 <DIR> d-------- C:\KAV
2007-09-15 23:18 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-14 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-13 21:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 19:17 2,588 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-09 19:17 15,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-09 03:34 --------- d-----w C:\Documents and Settings\TEMP\Application Data\U3
2007-09-13 01:42 --------- d-----w C:\Program Files\Yahoo!
2007-09-08 01:50 17,408 ----a-w C:\psapi.dll
2007-09-08 01:04 --------- d-----w C:\Program Files\Azureus
2007-09-07 23:39 --------- d-----w C:\Program Files\a-squared Free
2007-09-07 22:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\NetMon
2007-09-07 22:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\NetMon
2007-09-07 22:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\NetMon
2007-09-07 08:34 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-09-06 18:53 --------- d-----w C:\Program Files\LimeWire
2007-09-06 18:53 --------- d-----w C:\Program Files\Incomplete
2007-08-31 21:27 21,419 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-08-31 21:26 --------- d-----w C:\Program Files\TRENDnet
2007-08-30 01:09 --------- d-----w C:\Documents and Settings\Ginger\Application Data\Tenebril
2007-08-30 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tenebril
2007-08-27 03:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-27 00:14 --------- d-----w C:\Documents and Settings\Ginger\Application Data\Lycos
2007-08-26 23:12 --------- d-----w C:\Program Files\Enigma Software Group
2007-08-25 19:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-25 19:20 --------- d-----w C:\Program Files\ATI Technologies
2007-08-25 19:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-25 17:20 --------- d-----w C:\Documents and Settings\Ginger\Application Data\U3
2007-08-17 07:01 --------- d-----w C:\Program Files\MSXML 4.0
2007-08-13 17:12 --------- d-----w C:\Program Files\CCleaner
2007-08-13 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google
2007-08-13 16:00 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-13 16:00 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-13 15:57 --------- d-----w C:\Program Files\Lavasoft
2007-08-13 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-13 15:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-08-10 06:54 --------- d-----w C:\Documents and Settings\Ginger\Application Data\acccore
2007-08-10 06:53 --------- d-----w C:\Program Files\AIM6
2007-08-10 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-08-10 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-10 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-08-10 06:51 --------- d-----w C:\Program Files\Viewpoint
2007-08-10 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-08-10 06:50 --------- d-----w C:\Program Files\Common Files\AOL
2007-08-10 06:36 --------- d-----w C:\Documents and Settings\Ginger\Application Data\Lavasoft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-28 14:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 21:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.15.lnk - C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-01-30 14:57:42]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8518cf50-3803-11dc-870d-0000c5b5e3b0}]
AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 15:19:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-09 15:22:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 15:21
C:\ComboFix2.txt ... 2007-10-08 23:57
.
--- E O F ---
ryans
Active Member
 
Posts: 14
Joined: September 12th, 2007, 10:45 pm
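The "Reg Loading Points" block in the ComboFix report above is the part a helper reads most closely: it lists every autostart ComboFix found, including the per-drive AutoRun\command values recorded under mountpoints2 (here D:\setup.exe and the U3 launcher on E:), which is how an autorun.inf on a removable or optical drive gets a foothold. The script below is an added example for this thread, not ComboFix code and not the helper's procedure. It parses that block into structured entries and flags the drive-autorun ones. Assumptions: the sample text is copied from the report above (minus the GUID-keyed mountpoints2 entry), and reading an empty trailing "[]" as "the value did not resolve to a file as written" is my interpretation of the format, which ComboFix does not document on this page.

```python
"""Parse the "Reg Loading Points" section of a ComboFix log into autostarts.

Added example for this thread; not ComboFix code and not the helper's own
procedure. SAMPLE_LOG is copied from the ComboFix report in the thread
(without the GUID-keyed mountpoints2 entry). Treating an empty trailing
"[]" as "value did not resolve to a file as written" is an assumption.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-28 14:10]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.15.lnk - C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-01-30 14:57:42]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************
"""

# Line shapes as they appear in the report above.
KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")          # [HKEY_...\Run]
FOLDER = re.compile(r"^[A-Za-z]:\\.*\\$")                 # startup folder header
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<ts>[^\]]*)\]$')
LNK = re.compile(r"^(?P<name>.+?\.lnk) - (?P<cmd>.+?) \[(?P<ts>[^\]]*)\]$")
AUTORUN = re.compile(r"^AutoRun\\command - (?P<cmd>.+)$")  # mountpoints2 value


@dataclass
class Autostart:
    source: str       # registry key or startup folder the entry was read from
    name: str
    command: str
    timestamp: str    # ComboFix's "[YYYY-MM-DD HH:MM]" for the target, "" if none
    flags: list = field(default_factory=list)


def parse_loading_points(text):
    """Return the autostart entries listed between the section header and the
    row of asterisks that closes it in this report format."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if "Reg Loading Points" in l)
    except StopIteration:
        return []
    entries, source = [], None
    for line in lines[start + 1:]:
        if line.startswith("****"):
            break
        if KEY.match(line) or FOLDER.match(line):
            source = line.strip("[]")
            continue
        if source is None:
            continue
        m = RUN_VALUE.match(line) or LNK.match(line)
        if m:
            entries.append(Autostart(source, m.group("name"), m.group("cmd"), m.group("ts")))
            continue
        m = AUTORUN.match(line)
        if m:
            entries.append(Autostart(source, "AutoRun\\command", m.group("cmd"), ""))
    return entries


def triage(entries):
    """Attach review flags. 'drive-autorun' marks an autorun.inf command cached
    for a drive letter; 'no-file-timestamp' is the assumption noted above."""
    for e in entries:
        if "mountpoints2" in e.source.lower():
            e.flags.append("drive-autorun")
        elif e.timestamp == "":
            e.flags.append("no-file-timestamp")
    return entries


if __name__ == "__main__":
    for e in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{e.source}\n    {e.name} -> {e.command} {e.flags}")
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents; the two mountpoints2 entries come out flagged, and the dumprep value comes out flagged only because its trailing bracket is empty, which is worth a look but not by itself a sign of infection.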

Unread postby Kairis » October 10th, 2007, 12:21 am

Hi, thanks for the log.
Please send:
* new HijackThis log
* description of any problems you are having with your PC
Kairis
Regular Member
 
Posts: 524
Joined: September 15th, 2006, 1:45 pm
Location: Southern Finland

Unread postby ryans » October 13th, 2007, 7:01 pm

The only problem left is that windows won't form a wireless connection.

Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:49 AM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 4679 bytes
ryans
Active Member
 
Posts: 14
Joined: September 12th, 2007, 10:45 pm
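Both HijackThis logs in this thread are read the same way by the helper: each O-line is one registration point, and the "Running processes" list at the top says what was actually executing at scan time. The script below is an added example, not HijackThis code and not the helper's procedure. It parses the O2/O3/O9/R3, O4 and O23 lines from the log above and applies three mechanical checks: "(no file)" registrations (orphans, safe to clean), O23 services with no recorded publisher ("Unknown owner", to be verified by hand), and O4/O23 targets that do not appear in the process list (informational; a one-shot Run item or a demand-start service will trip it too, so it is a prompt to look, not a verdict). Assumptions: the sample lines are copied from the log above, and expanding "%systemroot%" to C:\WINDOWS for the comparison is mine.

```python
"""Triage a HijackThis 2.0.2 log: parse entry lines and cross-check them
against the "Running processes" list.

Added example for this thread; not HijackThis code and not the helper's
procedure. SAMPLE_HJT is copied from the log posted in the thread. Expanding
%systemroot% to C:\WINDOWS for the process-list comparison is an assumption.
"""
import re
from dataclasses import dataclass, field

SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:49 AM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

ENTRY = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
O4_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_SVC = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
EXT_PATH = re.compile(r"^(.*?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    code: str
    name: str
    path: str
    vendor: str = ""
    flags: list = field(default_factory=list)


def command_path(cmd):
    """Best-effort executable path out of an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = EXT_PATH.match(cmd)
        path = m.group(1) if m else cmd.split(" ")[0]
    if path.lower().startswith("%systemroot%"):   # assumption: XP default
        path = "C:\\WINDOWS" + path[len("%systemroot%"):]
    return path


def parse_hjt(text):
    """Return (lower-cased running-process paths, list of Entry)."""
    processes, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False
            else:
                processes.add(line.lower())
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            r = O4_RUN.match(body)
            if r:
                entries.append(Entry(code, r.group("name"), command_path(r.group("cmd"))))
        elif code == "O23":
            s = O23_SVC.match(body)
            if s:
                entries.append(Entry(code, s.group("name"), s.group("path"), s.group("vendor")))
        else:
            # R3/O2/O3/O9: "<kind>: <name> - {CLSID} - <path or (no file)>"
            parts = body.split(" - ")
            entries.append(Entry(code, parts[0].split(": ", 1)[-1], parts[-1]))
    return processes, entries


def triage(processes, entries):
    for e in entries:
        if e.path == "(no file)":
            e.flags.append("orphan")            # registration points at nothing
        if e.code == "O23" and e.vendor == "Unknown owner":
            e.flags.append("unknown-owner")     # no publisher recorded; verify by hand
        if e.code in ("O4", "O23") and e.path != "(no file)" and e.path.lower() not in processes:
            e.flags.append("not-in-process-list")
    return entries


def flagged(text):
    """Map entry name -> flags for every entry that earned at least one."""
    processes, entries = parse_hjt(text)
    return {e.name: e.flags for e in triage(processes, entries) if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(SAMPLE_HJT).items():
        print(f"{name}: {', '.join(flags)}")
```

On the log above this reports the Yahoo! Toolbar hook and the CD67F990 button as orphans, the two ATI services as unknown-owner, and NeroCheck.exe, dumprep and ati2sgag.exe as not present in the process list; everything Kaspersky, QuickTime and ctfmon comes out clean, which matches what the helper concluded.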

Unread postby Kairis » October 15th, 2007, 12:29 am

Hi. You have a wireless connection problem. It's a hardware problem.
Sorry, I can't help with that issue. (I only fix malware problems ;) )

But you can post about that problem in this forum.
Kairis
Regular Member
 
Posts: 524
Joined: September 15th, 2006, 1:45 pm
Location: Southern Finland

Unread postby askey127 » November 8th, 2007, 3:43 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
If you are the topic starter, you will need a valid, working link to the closed topic, along with the user name used.
The user name must match the one in the linked thread to avoid having the email deleted.

You can help support this site from this link :
Donations For Malware Removal
askey127
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA