Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Pls help me !! Thx...

Post by SnoopDogg » November 14th, 2007, 5:56 am

Logfile of HijackThis v1.99.1
Scan saved at 5:56:04 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svshost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\sdir\relpk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{651A2B26-D441-4A38-A828-9BD6AC475FA1}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{651A2B26-D441-4A38-A828-9BD6AC475FA1}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: gzg8wud2rcccs - Unknown owner - C:\WINDOWS\system32\systs.exe (file missing)
O23 - Service: m7h2 - Unknown owner - C:\WINDOWS\system32\svshost.exe
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<
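The log above is what a helper reads by eye; the tell-tale entries are the O23 services with "Unknown owner", a binary marked "(file missing)", a service name that reads like a random string, and a Run entry whose target lives in an odd directory under the Windows root. The following script is an added example (not HijackThis code and not something from this thread) that applies those same triage heuristics to O4 and O23 lines automatically. The sample lines are constructed to mirror the shape of the posted log, the heuristics (vowel ratio for random names, one-edit look-alikes of core binaries, expected Windows directories) are assumptions chosen for illustration, and a hit is a prompt for a human to look closer, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows binaries whose names malware commonly imitates with one-letter variants.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}

# Directories under the Windows root where an autostart target is unremarkable (assumption).
EXPECTED_WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)

# Constructed sample in HijackThis O4/O23 line format (mirrors the posted log's shape).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\sdir\relpk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: gzg8wud2rcccs - Unknown owner - C:\WINDOWS\system32\systs.exe (file missing)
O23 - Service: m7h2 - Unknown owner - C:\WINDOWS\system32\svshost.exe
""".strip()


@dataclass
class Finding:
    line_no: int
    entry: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one-character look-alikes of core binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str) -> Optional[str]:
    """Return the core binary this file name is exactly one edit away from, else None."""
    name = filename.lower()
    if name in CORE_BINARIES:
        return None
    for core in sorted(CORE_BINARIES):
        if levenshtein(name, core) == 1:
            return core
    return None


def looks_random(name: str) -> bool:
    """Heuristic (assumption): alphanumeric names that mix digits and letters and have
    few vowels, such as gzg8wud2rcccs, are unlike vendor-chosen service names."""
    if not name.isalnum() or not any(c.isdigit() for c in name):
        return False
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def check_path(path: str, entry: str, line_no: int, findings: List[Finding]) -> None:
    """Path checks shared by Run entries and services."""
    path = path.strip()
    if path.lower().endswith("(file missing)"):
        path = path[: -len("(file missing)")].strip()
        findings.append(Finding(line_no, entry, f"binary not present on disk: {path}"))
    directory, filename = ntpath.split(path)  # ntpath handles backslashes on any host
    core = lookalike(filename)
    if core:
        findings.append(Finding(line_no, entry, f"{filename} is a look-alike of {core}"))
    lower_dir = directory.lower()
    if lower_dir.startswith(r"c:\windows") and lower_dir not in EXPECTED_WINDOWS_DIRS:
        findings.append(Finding(line_no, entry, f"unexpected directory under the Windows root: {directory}"))


def triage(log_text: str) -> List[Finding]:
    """One Finding per heuristic hit across O4 (autostart) and O23 (service) lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            if exe:
                check_path(exe["path"], line, line_no, findings)
            continue
        m = O23_RE.match(line)
        if m:
            if m["owner"] == "Unknown owner":
                findings.append(Finding(line_no, line, "service has no registered owner"))
            if looks_random(m["name"]):
                findings.append(Finding(line_no, line, f"random-looking service name: {m['name']}"))
            check_path(m["path"], line, line_no, findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

On the constructed sample the Java updater and ctfmon lines produce nothing, the relpk.exe entry is flagged for its directory, and each of the two services collects three hits. The look-alike check is the one worth keeping in mind when reading such logs by hand: svshost.exe differs from svchost.exe by a single letter.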

Re: Pls help me !! Thx...

Post by random/random » November 14th, 2007, 5:42 pm

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Pls help me !! Thx...

Post by SnoopDogg » November 15th, 2007, 1:48 am

I would be glad if you help me to try to clean it.
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<

Re: Pls help me !! Thx...

Post by random/random » November 15th, 2007, 12:47 pm

You've been helped here twice before. What happened to your antivirus? What happened to your firewall? It's a waste of time for us to help you if you won't attempt to keep your PC secure afterwards.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum

You are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

You may delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Pls help me !! Thx...

Post by SnoopDogg » November 16th, 2007, 3:18 am

SDFix: Version 1.114

Run by StreetBaller89 on 11/16/2007 Fri at 02:59 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\STREET~1\Desktop\MALWAR~1\SDFix

Safe Mode:
Checking Services:

Name:
Distributed Allocated Memory Unit
gzg8wud2rcccs

Path:
"C:\windows\system32\dllcache\mravsc32.exe"
"C:\WINDOWS\system32\systs.exe"

Distributed Allocated Memory Unit - Deleted
gzg8wud2rcccs - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\windows\system32\eraseme_05166.exe - Deleted
C:\windows\system32\eraseme_37374.exe - Deleted
C:\windows\system32\eraseme_76855.exe - Deleted
C:\windows\system32\dllcache\mravsc32.exe - Deleted
C:\windows\system32\i - Deleted
C:\windows\Temp\removalfile.bat - Deleted



Removing Temp Files...

ADS Check:

C:\windows
No streams found.

C:\windows\system32
No streams found.

C:\windows\system32\svchost.exe
No streams found.

C:\windows\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 15:03:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\kpqinojq.exe"="C:\\WINDOWS\\System32\\kpq"
"C:\\windows\\System32\\yrtbpujp.exe"="C:\\windows\\System32\\yrt"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\STREET~1\Desktop\MALWAR~1\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 20 Oct 2007 194 ..SH. --- "C:\BOOT.BAK"
Fri 19 Oct 2007 13,872 A.SH. --- "C:\Program Files\NetMeeting\avpms.exe"
Thu 29 Aug 2002 480,256 ..SHR --- "C:\WINDOWS\system32\cfj.exe"
Fri 16 Nov 2007 20,810 ..SH. --- "C:\WINDOWS\system32\etjbolkj.dllbox"
Wed 14 Nov 2007 812 ..SH. --- "C:\WINDOWS\system32\vyadd.tmp"
Sun 12 Nov 2000 6,470 ..SH. --- "C:\WINDOWS\system32\vyadd.bak1"
Wed 14 Nov 2007 128,731 ..SH. --- "C:\WINDOWS\system32\vyadd.bak2"
Fri 9 Nov 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 24 Sep 2007 609,280 ...H. --- "C:\Documents and Settings\sally\My Documents\~WRL0002.tmp"
Thu 25 Oct 2007 608,256 ...H. --- "C:\Documents and Settings\sally\My Documents\~WRL0003.tmp"
Sat 11 Nov 2000 48,251 A.SH. --- "C:\Program Files\Internet Explorer\PLUGINS\WinSys8x.Sys"
Sat 11 Nov 2000 48,252 A.SH. --- "C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\ico6.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\ico7.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\ico8.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\ico9.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\icoA.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico54.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico55.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico56.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico57.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico58.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico59.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico5A.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico5B.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico5C.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico5D.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico5E.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico5F.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico60.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico61.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico62.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico63.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico64.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico65.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico66.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico67.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico68.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico69.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico6A.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico6B.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico6C.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico6D.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico6E.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico6F.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico70.tmp"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico71.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico10.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico11.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico12.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico13.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico14.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico15.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico16.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico17.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico18.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico19.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico1A.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico1B.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico1C.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico1D.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico1E.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico1F.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico2.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico20.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico21.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico22.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico23.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico24.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico25.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico26.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico27.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico28.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico29.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico2A.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico2B.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico2C.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico2D.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico2E.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico2F.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico3.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico30.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico31.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico32.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico33.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico34.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico35.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico36.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico37.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico38.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico3A.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico3B.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico3C.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico3D.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico3E.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico4.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico40.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico41.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico42.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico43.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico44.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico5.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico6.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico66.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico67.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico68.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico69.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico6A.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico7.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico8.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\ico9.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\icoA.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\icoB.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\icoC.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\icoD.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\icoE.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Thomas.AMD\Local Settings\Temp\icoF.tmp"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:42 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\System32\svchost.exe
C:\windows\System32\conime.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{651A2B26-D441-4A38-A828-9BD6AC475FA1}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{651A2B26-D441-4A38-A828-9BD6AC475FA1}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: cd3h2q0m1h2 - Unknown owner - C:\windows\system32\svshost.exe (file missing)

--
End of file - 3543 bytes

I'm so sorry for the trouble... I bought this new HDD recently and I installed antivirus (AVG), but I don't know why or how the viruses keep coming in.
And thanks for helping.. :-p
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<
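Two parts of the SDFix report above carry most of the signal: the "Files with Hidden Attributes" list (well over a hundred lines, almost all harmless ico*.tmp files) and the "Authorized Application Key Export", which lists the programs the Windows XP firewall will let through. The script below is an added example, not part of SDFix or of this thread, that reads a report in that format and reduces it to the lines a helper would want to see. It assumes two heuristics: an executable carrying both the System and Hidden attributes is unusual outside the boot files, and an XP SP2 firewall exception normally has the value form `path:scope:Enabled|Disabled:display name`, so an entry without that layout was not written by the firewall UI. The sample report is constructed, using a few lines shaped like the posted ones plus one well-formed firewall entry (the msnmsgr.exe line, invented here) for contrast.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# File extensions treated as executable content (assumption for this example).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr", ".bat", ".cmd", ".pif"}
# Where a .sys driver file normally lives on a 32-bit XP install.
DRIVER_DIRS = {r"c:\windows\system32\drivers", r"c:\windows\system32"}

SECTION_HEADERS = {"Files with Hidden Attributes:": "hidden",
                   "Authorized Application Key Export:": "firewall"}

# e.g.  Fri 19 Oct 2007 13,872 A.SH. --- "C:\Program Files\NetMeeting\avpms.exe"
HIDDEN_RE = re.compile(r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) '
                       r'(?P<attrs>[A-Z.]{5}) --- "(?P<path>[^"]+)"$')
# .reg-style export line: "key"="value" with doubled backslashes
FW_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
# XP SP2 stores each firewall exception as  path:scope:Enabled|Disabled:display name
FW_VALUE_RE = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.+)$')

# Constructed sample report in SDFix layout (the msnmsgr.exe firewall entry is invented).
SAMPLE_REPORT = r"""
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\kpqinojq.exe"="C:\\WINDOWS\\System32\\kpq"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files:
---------------

Files with Hidden Attributes:

Sat 20 Oct 2007 194 ..SH. --- "C:\BOOT.BAK"
Fri 19 Oct 2007 13,872 A.SH. --- "C:\Program Files\NetMeeting\avpms.exe"
Thu 29 Aug 2002 480,256 ..SHR --- "C:\WINDOWS\system32\cfj.exe"
Wed 14 Nov 2007 812 ..SH. --- "C:\WINDOWS\system32\vyadd.tmp"
Sat 11 Nov 2000 48,251 A.SH. --- "C:\Program Files\Internet Explorer\PLUGINS\WinSys8x.Sys"
Wed 14 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\test\Local Settings\Temp\ico54.tmp"

Finished!
""".strip()


@dataclass
class Finding:
    line_no: int
    path: str
    reason: str


def check_hidden(m: "re.Match", line_no: int, findings: List[Finding]) -> None:
    """Flag executables that are System+Hidden, and driver files outside the driver directories."""
    attrs, path = m["attrs"], m["path"]
    directory, filename = ntpath.split(path)
    ext = ntpath.splitext(filename)[1].lower()
    if ext not in EXECUTABLE_EXTS:
        return  # .tmp, .bak and similar are skipped; that is what removes the noise
    if "S" in attrs and "H" in attrs:
        findings.append(Finding(line_no, path, f"executable with System+Hidden attributes ({attrs})"))
    if ext == ".sys" and directory.lower() not in DRIVER_DIRS:
        findings.append(Finding(line_no, path, "driver-extension file outside the drivers directory"))


def check_firewall(m: "re.Match", line_no: int, findings: List[Finding]) -> None:
    """Flag exception entries that do not follow the firewall's own value layout."""
    key = m["key"].replace("\\\\", "\\")
    value = m["value"].replace("\\\\", "\\")
    v = FW_VALUE_RE.match(value)
    if not v:
        findings.append(Finding(line_no, key, "firewall exception lacks the path:scope:state:name form"))
    elif v["path"].lower() != key.lower():
        findings.append(Finding(line_no, key, "firewall exception path does not match its key"))


def triage(report: str) -> List[Finding]:
    """Walk the report, tracking which section each line belongs to."""
    findings: List[Finding] = []
    section = None
    for line_no, raw in enumerate(report.splitlines(), 1):
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if line.endswith(":"):  # any other header ends the current section
            section = None
            continue
        if section == "hidden":
            m = HIDDEN_RE.match(line)
            if m:
                check_hidden(m, line_no, findings)
        elif section == "firewall":
            m = FW_RE.match(line)
            if m:
                check_firewall(m, line_no, findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"line {f.line_no}: {f.reason}: {f.path}")
```

Run against the sample, the hidden-file list shrinks to avpms.exe, cfj.exe and WinSys8x.Sys (the last one twice, once for its attributes and once for being a .sys file under an Internet Explorer plugin folder), and the firewall export yields a single hit for the entry without the expected layout; BOOT.BAK, the .tmp files and the well-formed messenger entry are left alone.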

Re: Pls help me !! Thx...

Post by random/random » November 16th, 2007, 1:20 pm

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Pls help me !! Thx...

Post by SnoopDogg » November 17th, 2007, 3:06 am

ComboFix 07-11-08.1 - StreetBaller89 2007-11-17 14:53:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.262 [GMT 8:00]
Running from: C:\Documents and Settings\StreetBaller89\Desktop\Malware Removal\ComboFix\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\jkkjh.dll
C:\windows\system32\vsoallwt.dllbox
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\nancy\Desktop\internet.lnk
C:\Documents and Settings\StreetBaller89\Desktop\Live Safety Center.lnk
C:\Documents and Settings\StreetBaller89\Desktop\Online Security Guide.lnk
C:\Documents and Settings\StreetBaller89\Favorites\Online Security Guide.lnk
C:\Documents and Settings\test\Desktop\Live Safety Center.lnk
C:\Documents and Settings\test\Desktop\Online Security Guide.lnk
C:\Documents and Settings\test\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Thomas.AMD\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Thomas.AMD\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Thomas.AMD\Favorites\Online Security Guide.lnk
C:\Program Files\Internet Explorer\PLUGINS\SysWin6k.Jmp
C:\Program Files\NetMeeting\avpms.exe
C:\windows\cookies.ini
C:\windows\system32\etjbolkj.dllbox
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\windows\system32\vsoallwt.dllbox
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE




((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 14:52 36,352 --a------ C:\WINDOWS\system32\awtturp.dll
2007-11-17 14:52 35,840 --a------ C:\WINDOWS\system32\urqqool.dll
2007-11-17 14:51 36,352 --a------ C:\WINDOWS\system32\ssqrqqq.dll
2007-11-17 14:51 35,840 --a------ C:\WINDOWS\system32\qomlklk.dll
2007-11-17 14:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 13:10 82,496 --a------ C:\WINDOWS\system32\odoutckg.dll
2007-11-17 13:07 85,056 --a------ C:\WINDOWS\system32\ccktpuda.dll
2007-11-17 13:04 145,984 --a------ C:\WINDOWS\system32\vsoallwt.dll
2007-11-17 13:04 145,984 --a------ C:\WINDOWS\system32\mjkjuotv.dll
2007-11-17 13:02 231,321 --a------ C:\msu32.exe
2007-11-17 01:53 85,056 --a------ C:\WINDOWS\system32\bvbtjdmc.dll
2007-11-16 16:05 36,352 --a------ C:\WINDOWS\system32\ljjjkki.dll
2007-11-16 16:05 35,840 --a------ C:\WINDOWS\system32\cbxwttq.dll
2007-11-16 16:04 36,352 --a------ C:\WINDOWS\system32\ljjghih.dll
2007-11-16 16:04 35,840 --a------ C:\WINDOWS\system32\vtussqn.dll
2007-11-16 16:03 36,352 --a------ C:\WINDOWS\system32\tuvtspn.dll
2007-11-16 16:03 36,352 --a------ C:\WINDOWS\system32\nnnmlmk.dll
2007-11-16 16:03 35,840 --a------ C:\WINDOWS\system32\tuvvwvt.dll
2007-11-16 16:03 35,840 --a------ C:\WINDOWS\system32\tuvvsrr.dll
2007-11-16 16:02 36,352 --a------ C:\WINDOWS\system32\vturqol.dll
2007-11-16 16:02 36,352 --a------ C:\WINDOWS\system32\qomllji.dll
2007-11-16 16:02 35,840 --a------ C:\WINDOWS\system32\fccbbyy.dll
2007-11-16 16:02 35,840 --a------ C:\WINDOWS\system32\byxvstr.dll
2007-11-16 16:01 36,352 --a------ C:\WINDOWS\system32\xxyxxut.dll
2007-11-16 16:01 35,840 --a------ C:\WINDOWS\system32\urqrrqn.dll
2007-11-16 15:49 36,352 --a------ C:\WINDOWS\system32\ssqopmn.dll
2007-11-16 15:49 35,840 --a------ C:\WINDOWS\system32\jkkljkl.dll
2007-11-16 15:33 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\DivX
2007-11-16 14:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-16 14:51 <DIR> d-------- C:\HijackThis
2007-11-16 14:49 36,352 --a------ C:\WINDOWS\system32\cbxwvww.dll
2007-11-16 14:49 35,840 --a------ C:\WINDOWS\system32\pmnolml.dll
2007-11-16 14:43 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\Yahoo!
2007-11-16 03:09 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-11-16 03:07 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-16 03:07 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Yahoo!
2007-11-16 03:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2007-11-16 03:07 <DIR> dr-h----- C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2007-11-15 22:20 85,056 --a------ C:\WINDOWS\system32\tjoehyus.dll
2007-11-15 22:20 79,936 --a------ C:\WINDOWS\system32\btpflqcx.dll
2007-11-15 15:59 378,880 --a------ C:\WINDOWS\system32\m2n1.exe
2007-11-15 13:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
2007-11-15 12:46 30,592 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2007-11-15 12:46 12,800 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2007-11-15 12:43 30,592 --a--c--- C:\WINDOWS\system32\dllcache\rndismp.sys
2007-11-15 12:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-15 12:43 12,800 --a--c--- C:\WINDOWS\system32\dllcache\usb8023.sys
2007-11-15 12:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-11-14 21:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe Systems
2007-11-14 20:48 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-14 20:48 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-14 20:48 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-14 20:48 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-14 20:48 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-14 20:48 14,208 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-14 20:47 <DIR> d--h----- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ
2007-11-14 20:47 161,792 --a------ C:\WINDOWS\system32\CNMLM83.DLL
2007-11-14 20:00 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Uniblue
2007-11-14 15:45 <DIR> d-------- C:\Documents and Settings\test\Contacts
2007-11-14 12:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-14 12:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 12:45 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\SUPERAntiSpyware.com
2007-11-14 12:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2007-11-14 11:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-14 10:54 672 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-14 10:53 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-14 10:53 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-14 10:53 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-14 10:53 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-14 10:53 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-14 10:44 648,592 --a------ C:\PPlayer.dll
2007-11-14 10:36 356,352 --a------ C:\XPlayer.dll
2007-11-14 00:26 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-14 00:20 <DIR> d-------- C:\Documents and Settings\test\Application Data\DivX
2007-11-14 00:14 <DIR> d-------- C:\Documents and Settings\test\.housecall6.6
2007-11-14 00:00 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\.housecall6.6
2007-11-13 23:53 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Media Player Classic
2007-11-13 22:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-13 22:32 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-13 21:49 144,480 --a------ C:\WINDOWS\system32\sdkqfbht.dll
2007-11-13 21:43 88,128 --a------ C:\WINDOWS\system32\sfeishyt.dll
2007-11-13 00:17 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\PPLive
2007-11-12 22:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-12 19:24 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Ahead
2007-11-12 18:35 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\LimeWire
2007-11-12 16:50 <DIR> d---s---- C:\Documents and Settings\StreetBaller89\UserData
2007-11-12 16:19 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\CheckPoint
2007-11-12 16:14 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Incomplete
2007-11-12 16:14 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\LimeWire
2007-11-11 01:26 <DIR> \\.\nul
2007-11-10 13:43 <DIR> d-------- C:\Program Files\ChristmasRush
2007-11-09 18:56 <DIR> d-------- C:\WINDOWS\Sun
2007-11-09 10:50 <DIR> d-------- C:\Program Files\Kazaa
2007-11-08 10:32 <DIR> d-------- C:\Program Files\PHM
2007-11-08 03:57 <DIR> d-------- C:\WINDOWS\system32\RMBin
2007-11-08 03:57 <DIR> d-------- C:\Program Files\Aplus Video Convertor
2007-11-08 03:21 <DIR> d-------- C:\Program Files\pqDVD
2007-11-08 02:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-03 03:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-03 03:00 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 05:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-15 02:01 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-28 10:07 3,596,288 ----a-w C:\windows\system32\qt-dx331.dll
2007-09-28 10:05 81,920 ----a-w C:\windows\system32\dpl100.dll
2007-09-28 10:05 739,840 ----a-w C:\windows\system32\divx.dll
2007-09-24 08:22 295,161 ----a-w C:\PlayerHelper.dll
2007-09-04 10:56 164,352 ----a-w C:\windows\system32\unrar.dll
2002-08-28 19:41:24 480,256 --sh--r C:\windows\system32\cfj.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
2007-11-16 14:49 36352 --a------ C:\windows\System32\cbxwvww.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{142D1058-7794-456A-8CD8-634F24724015}]
C:\WINDOWS\System32\jkkjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65b2a361-15bd-4b5f-af07-9210775715d8}]
2007-11-17 13:10 82496 --a------ C:\windows\System32\odoutckg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-17 13:04 145984 --a------ C:\windows\system32\vsoallwt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\windows\system32\vsoallwt.dll [2007-11-17 13:04 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Thunder"="C:\Program Files\Thunder Network\Thunder\Thunder.exe" [2007-07-30 19:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]
"Advanced DHTML Enable"="C:\windows\sdir\relpk.exe" [2007-11-11 22:09]
"e40ae455"="C:\windows\System32\ccktpuda.dll" [2007-11-17 13:07]
"combofix"="C:\windows\system32\cmd.exe" [2001-08-23 20:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\System32\ctfmon.exe" [2002-08-29 03:41]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ISW"="C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"= C:\windows\System32\cbxwvww.dll [2007-11-16 14:49 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmnjwcx]
atmnjwcx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwvww]
cbxwvww.dll 2007-11-16 14:49 36352 C:\WINDOWS\system32\cbxwvww.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgeec]
mljgeec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vsoallwt]
vsoallwt.dll 2007-11-17 13:04 145984 C:\WINDOWS\system32\vsoallwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Thomas.AMD^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Thomas.AMD\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced DHTML Enable]
C:\WINDOWS\sdir\relpk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e40ae455]
rundll32.exe "C:\windows\System32\tjoehyus.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
C:\Program Files\SpyNoMore\SNM.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsSystam]
cfj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"m7h2"=2 (0x2)
"gzg8wud2rcccs"=2 (0x2)
"Distributed Allocated Memory Unit"=2 (0x2)
"Adobe LM Service"=3 (0x3)

S2 cd3h2q0m1h2;cd3h2q0m1h2;"C:\windows\system32\svshost.exe"

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 15:00:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 15:00:37 - machine was rebooted
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:06 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\System32\conime.exe
C:\windows\System32\svchost.exe
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\windows\sdir\relpk.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - C:\windows\System32\cbxwvww.dll
O2 - BHO: ThunderBHO - {02478D37-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {8d517577-0129-70fa-f5b4-db51163a2b56} - {65b2a361-15bd-4b5f-af07-9210775715d8} - C:\windows\System32\odoutckg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\windows\system32\vsoallwt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\windows\system32\vsoallwt.dll
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\windows\sdir\relpk.exe
O4 - HKLM\..\Run: [e40ae455] rundll32.exe "C:\windows\System32\ccktpuda.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: atmnjwcx - atmnjwcx.dll (file missing)
O20 - Winlogon Notify: cbxwvww - C:\windows\SYSTEM32\cbxwvww.dll
O20 - Winlogon Notify: mljgeec - mljgeec.dll (file missing)
O20 - Winlogon Notify: vsoallwt - C:\windows\SYSTEM32\vsoallwt.dll
O23 - Service: cd3h2q0m1h2 - Unknown owner - C:\windows\system32\svshost.exe (file missing)

--
End of file - 4958 bytes
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<

Re: Pls help me !! Thx...

Post by random/random » November 17th, 2007, 8:17 am

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    File::
    C:\WINDOWS\system32\awtturp.dll
    C:\WINDOWS\system32\urqqool.dll
    C:\WINDOWS\system32\ssqrqqq.dll
    C:\WINDOWS\system32\qomlklk.dll
    C:\WINDOWS\system32\odoutckg.dll
    C:\WINDOWS\system32\ccktpuda.dll
    C:\WINDOWS\system32\vsoallwt.dll
    C:\WINDOWS\system32\mjkjuotv.dll
    C:\msu32.exe
    C:\WINDOWS\system32\bvbtjdmc.dll
    C:\WINDOWS\system32\ljjjkki.dll
    C:\WINDOWS\system32\cbxwttq.dll
    C:\WINDOWS\system32\ljjghih.dll
    C:\WINDOWS\system32\vtussqn.dll
    C:\WINDOWS\system32\tuvtspn.dll
    C:\WINDOWS\system32\nnnmlmk.dll
    C:\WINDOWS\system32\tuvvwvt.dll
    C:\WINDOWS\system32\tuvvsrr.dll
    C:\WINDOWS\system32\vturqol.dll
    C:\WINDOWS\system32\qomllji.dll
    C:\WINDOWS\system32\fccbbyy.dll
    C:\WINDOWS\system32\byxvstr.dll
    C:\WINDOWS\system32\xxyxxut.dll
    C:\WINDOWS\system32\urqrrqn.dll
    C:\WINDOWS\system32\ssqopmn.dll
    C:\WINDOWS\system32\jkkljkl.dll
    C:\WINDOWS\system32\cbxwvww.dll
    C:\WINDOWS\system32\pmnolml.dll
    C:\WINDOWS\system32\tjoehyus.dll
    C:\WINDOWS\system32\btpflqcx.dll
    C:\WINDOWS\system32\m2n1.exe
    C:\WINDOWS\system32\sdkqfbht.dll
    C:\WINDOWS\system32\sfeishyt.dll
    C:\WINDOWS\system32\cfj.exe
    C:\windows\system32\svshost.exe
    Folder::
    C:\WINDOWS\sdir
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{142D1058-7794-456A-8CD8-634F24724015}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65b2a361-15bd-4b5f-af07-9210775715d8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Advanced DHTML Enable"=-
    "e40ae455"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmnjwcx]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwvww]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgeec]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vsoallwt]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced DHTML Enable]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e40ae455]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsSystam]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "m7h2"=-
    "gzg8wud2rcccs"=-
    "Distributed Allocated Memory Unit"=-
    Driver::
    cd3h2q0m1h2
    Distributed Allocated Memory Unit
    gzg8wud2rcccs
    m7h2
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    (image not included in this copy: CFscript.txt being dragged onto combofix.exe)
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm
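The CFscript above uses four directive sections (File::, Folder::, Registry:: and Driver::, with [-KEY] deleting a registry key and "name"=- deleting a value) and was written by reading the ComboFix log. As an added example, not part of this thread or of ComboFix, the following Python parses a script in that format and cross-checks it against the "Files Created" lines of a ComboFix log, listing recently created system32 files with random-looking names that the script does not yet cover; the function names, the name heuristic and the sample log and script are constructed for illustration.

```python
"""Parse a ComboFix CFscript (format used in the post above) and cross-check it
against 'Files Created' lines from a ComboFix log. Added example, not part of this
thread or of ComboFix; names, the heuristic and the samples are constructed."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(File|Folder|Registry|Driver)::\s*$")
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")        # [KEY] or [-KEY]
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')    # "name"=data; data "-" deletes

def parse_cfscript(text):
    """Return {section: entries}. Registry entries become tuples:
    ('delete_key', key), ('delete_value', key, name) or ('set_value', key, name, data)."""
    sections, current, reg_key = defaultdict(list), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current, reg_key = m.group(1), None
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        if current != "Registry":
            sections[current].append(line)
            continue
        m = REG_KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:                        # [-KEY] deletes the whole key
                sections["Registry"].append(("delete_key", key))
                reg_key = None
            else:                            # [KEY] scopes the value lines below it
                reg_key = key
            continue
        m = REG_VALUE_RE.match(line)
        if m and reg_key:
            name, data = m.groups()
            sections["Registry"].append(("delete_value", reg_key, name) if data == "-"
                                        else ("set_value", reg_key, name, data))
            continue
        raise ValueError(f"unparsed Registry line: {line!r}")
    return dict(sections)

# A 'Files Created' line: timestamp, size or <DIR>, optional 9-character
# attribute string (absent for the \\.\nul entry), path.
LOG_LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+(?:([-a-z]{9})\s+)?(.+?)$")
SYSTEM32 = "c:\\windows\\system32\\"
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}\.(?:dll|exe)$")   # 7-8 lowercase letters

def parse_files_created(log_text):
    """(timestamp, size_or_dir, attrs, path) for every log line that parses."""
    matches = (LOG_LINE_RE.match(l.strip()) for l in log_text.splitlines())
    return [m.groups() for m in matches if m]

def suspicious_system32_files(entries):
    """Triage heuristic: files directly in system32 with a random-looking name.
    It catches this page's tjoehyus.dll-style names but also flags legitimate
    ones (spupdsvc.exe) and misses short ones (m2n1.exe): a list to review,
    never to delete blindly."""
    hits = []
    for _ts, size, _attrs, path in entries:
        low = path.lower()
        if (size != "<DIR>" and low.startswith(SYSTEM32)
                and RANDOM_NAME_RE.match(low[len(SYSTEM32):])):
            hits.append(path)
    return hits

def not_covered_by_script(log_text, script_text):
    """Flagged log paths that the CFscript's File:: section does not list."""
    listed = {p.lower() for p in parse_cfscript(script_text).get("File", [])}
    return [p for p in suspicious_system32_files(parse_files_created(log_text))
            if p.lower() not in listed]

# Constructed samples in the formats seen on this page; the last log line is a
# file that appeared only after the first script had run.
SAMPLE_LOG = r"""
2007-11-15 22:20 85,056 --a------ C:\WINDOWS\system32\tjoehyus.dll
2007-11-15 15:59 378,880 --a------ C:\WINDOWS\system32\m2n1.exe
2007-11-15 12:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-15 12:43 12,800 --a--c--- C:\WINDOWS\system32\dllcache\usb8023.sys
2007-11-14 20:47 161,792 --a------ C:\WINDOWS\system32\CNMLM83.DLL
2007-11-11 01:26 <DIR> \\.\nul
2007-11-18 03:08 85,056 --a------ C:\WINDOWS\system32\fqsrcsni.dll
"""
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\tjoehyus.dll
C:\WINDOWS\system32\m2n1.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced DHTML Enable"=-
"e40ae455"=-
Driver::
cd3h2q0m1h2
"""
```

Running `not_covered_by_script(SAMPLE_LOG, SAMPLE_SCRIPT)` returns spupdsvc.exe (a false positive an analyst would dismiss) and fqsrcsni.dll (the new file the follow-up script had to add), which is exactly the review step the helper performs between logs.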

Re: Pls help me !! Thx...

Post by SnoopDogg » November 18th, 2007, 1:28 am

ComboFix 07-11-08.1 - StreetBaller89 2004-11-18 13:22:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.202 [GMT 8:00]
Running from: C:\Documents and Settings\StreetBaller89\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\StreetBaller89\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\msu32.exe
C:\WINDOWS\system32\awtturp.dll
C:\WINDOWS\system32\btpflqcx.dll
C:\WINDOWS\system32\bvbtjdmc.dll
C:\WINDOWS\system32\byxvstr.dll
C:\WINDOWS\system32\cbxwttq.dll
C:\WINDOWS\system32\cbxwvww.dll
C:\WINDOWS\system32\ccktpuda.dll
C:\WINDOWS\system32\cfj.exe
C:\WINDOWS\system32\fccbbyy.dll
C:\WINDOWS\system32\jkkljkl.dll
C:\WINDOWS\system32\ljjghih.dll
C:\WINDOWS\system32\ljjjkki.dll
C:\WINDOWS\system32\m2n1.exe
C:\WINDOWS\system32\mjkjuotv.dll
C:\WINDOWS\system32\nnnmlmk.dll
C:\WINDOWS\system32\odoutckg.dll
C:\WINDOWS\system32\pmnolml.dll
C:\WINDOWS\system32\qomlklk.dll
C:\WINDOWS\system32\qomllji.dll
C:\WINDOWS\system32\sdkqfbht.dll
C:\WINDOWS\system32\sfeishyt.dll
C:\WINDOWS\system32\ssqopmn.dll
C:\WINDOWS\system32\ssqrqqq.dll
C:\windows\system32\svshost.exe
C:\WINDOWS\system32\tjoehyus.dll
C:\WINDOWS\system32\tuvtspn.dll
C:\WINDOWS\system32\tuvvsrr.dll
C:\WINDOWS\system32\tuvvwvt.dll
C:\WINDOWS\system32\urqqool.dll
C:\WINDOWS\system32\urqrrqn.dll
C:\WINDOWS\system32\vsoallwt.dll
C:\WINDOWS\system32\vturqol.dll
C:\WINDOWS\system32\vtussqn.dll
C:\WINDOWS\system32\xxyxxut.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\sally.AMD\Desktop\internet.lnk
C:\Documents and Settings\StreetBaller89\Desktop\Live Safety Center.lnk
C:\Documents and Settings\StreetBaller89\Desktop\Online Security Guide.lnk
C:\Documents and Settings\StreetBaller89\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Thomas.AMD\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Thomas.AMD\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Thomas.AMD\Favorites\Online Security Guide.lnk
C:\windows\cookies.ini
C:\WINDOWS\sdir
C:\WINDOWS\sdir\helper.exe
C:\WINDOWS\sdir\lc.exe
C:\WINDOWS\sdir\relpk.exe
C:\WINDOWS\sdir\startup.bat
C:\WINDOWS\sdir\zm.exe
C:\WINDOWS\system32\awtturp.dll
C:\WINDOWS\system32\btpflqcx.dll
C:\WINDOWS\system32\bvbtjdmc.dll
C:\WINDOWS\system32\byxvstr.dll
C:\WINDOWS\system32\cbxwttq.dll
C:\WINDOWS\system32\cbxwvww.dll
C:\WINDOWS\system32\cfj.exe
C:\WINDOWS\system32\fccbbyy.dll
C:\WINDOWS\system32\jjjlm.bak1
C:\WINDOWS\system32\jjjlm.bak2
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jkkljkl.dll
C:\WINDOWS\system32\ljjghih.dll
C:\WINDOWS\system32\ljjjkki.dll
C:\WINDOWS\system32\m2n1.exe
C:\WINDOWS\system32\mjkjuotv.dll
C:\windows\system32\mljjj.dll
C:\WINDOWS\system32\nnnmlmk.dll
C:\WINDOWS\system32\odoutckg.dll
C:\WINDOWS\system32\pmnolml.dll
C:\WINDOWS\system32\qomlklk.dll
C:\WINDOWS\system32\qomllji.dll
C:\WINDOWS\system32\sdkqfbht.dll
C:\WINDOWS\system32\sfeishyt.dll
C:\WINDOWS\system32\ssqopmn.dll
C:\WINDOWS\system32\ssqrqqq.dll
C:\WINDOWS\system32\tjoehyus.dll
C:\WINDOWS\system32\tuvtspn.dll
C:\WINDOWS\system32\tuvvsrr.dll
C:\WINDOWS\system32\tuvvwvt.dll
C:\WINDOWS\system32\urqqool.dll
C:\WINDOWS\system32\urqrrqn.dll
C:\WINDOWS\system32\vsoallwt.dll
C:\windows\system32\vsoallwt.dllbox
C:\WINDOWS\system32\vturqol.dll
C:\WINDOWS\system32\vtussqn.dll
C:\WINDOWS\system32\xxyxxut.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CD3H2Q0M1H2
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_M7H2
-------\cd3h2q0m1h2
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-18 03:08 85,056 --a------ C:\WINDOWS\system32\fqsrcsni.dll
2007-11-18 03:07 82,496 --a------ C:\WINDOWS\system32\mcppawlt.dll
2007-11-18 03:07 71,232 --a------ C:\WINDOWS\system32\njvbsdou.exe
2007-11-17 18:13 <DIR> d-------- C:\Documents and Settings\sally.AMD\Application Data\Yahoo!
2007-11-17 18:08 <DIR> d-------- C:\Documents and Settings\sally.AMD\Contacts
2007-11-17 16:59 0 --a------ C:\WINDOWS\system32\wmsoft10654.exe
2007-11-17 16:50 30,720 --a------ C:\WINDOWS\system32\setup_42440.exe
2007-11-17 16:44 30,720 --a------ C:\WINDOWS\system32\eraseme_56560.exe
2007-11-17 15:11 <DIR> d-------- C:\Program Files\ArtMoney
2007-11-17 14:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 15:33 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\DivX
2007-11-16 14:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-16 14:51 <DIR> d-------- C:\HijackThis
2007-11-16 14:43 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\Yahoo!
2007-11-16 03:09 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-11-16 03:07 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-16 03:07 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Yahoo!
2007-11-16 03:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2007-11-16 03:07 <DIR> dr-h----- C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2007-11-15 13:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
2007-11-15 12:46 30,592 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2007-11-15 12:46 12,800 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2007-11-15 12:43 30,592 --a--c--- C:\WINDOWS\system32\dllcache\rndismp.sys
2007-11-15 12:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-15 12:43 12,800 --a--c--- C:\WINDOWS\system32\dllcache\usb8023.sys
2007-11-15 12:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-11-14 21:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe Systems
2007-11-14 20:48 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-14 20:48 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-14 20:48 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-14 20:48 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-14 20:48 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-14 20:48 14,208 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-14 20:47 <DIR> d--h----- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ
2007-11-14 20:47 161,792 --a------ C:\WINDOWS\system32\CNMLM83.DLL
2007-11-14 20:00 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Uniblue
2007-11-14 15:45 <DIR> d-------- C:\Documents and Settings\test\Contacts
2007-11-14 12:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-14 12:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 12:45 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\SUPERAntiSpyware.com
2007-11-14 12:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2007-11-14 11:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-14 10:54 672 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-14 10:53 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-14 10:53 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-14 10:53 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-14 10:53 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-14 10:53 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-14 10:44 648,592 --a------ C:\PPlayer.dll
2007-11-14 10:36 356,352 --a------ C:\XPlayer.dll
2007-11-14 00:26 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-14 00:20 <DIR> d-------- C:\Documents and Settings\test\Application Data\DivX
2007-11-14 00:14 <DIR> d-------- C:\Documents and Settings\test\.housecall6.6
2007-11-14 00:00 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\.housecall6.6
2007-11-13 23:53 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Media Player Classic
2007-11-13 22:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-13 22:32 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-13 00:17 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\PPLive
2007-11-12 22:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-12 19:24 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Ahead
2007-11-12 18:35 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\LimeWire
2007-11-12 16:50 <DIR> d---s---- C:\Documents and Settings\StreetBaller89\UserData
2007-11-12 16:19 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\CheckPoint
2007-11-12 16:14 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Incomplete
2007-11-12 16:14 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\LimeWire
2007-11-11 01:26 <DIR> \\.\nul
2007-11-10 13:43 <DIR> d-------- C:\Program Files\ChristmasRush
2007-11-09 18:56 <DIR> d-------- C:\WINDOWS\Sun
2007-11-09 10:50 <DIR> d-------- C:\Program Files\Kazaa
2007-11-08 10:32 <DIR> d-------- C:\Program Files\PHM
2007-11-08 03:57 <DIR> d-------- C:\WINDOWS\system32\RMBin
2007-11-08 03:57 <DIR> d-------- C:\Program Files\Aplus Video Convertor
2007-11-08 03:21 <DIR> d-------- C:\Program Files\pqDVD
2007-11-08 02:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-03 03:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-03 03:00 <DIR> d-------- C:\Program Files\Common Files\Real
2007-11-03 02:59 <DIR> d-------- C:\Program Files\Real
2007-11-01 10:40 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\AdobeUM
2007-11-01 09:12 <DIR> d-------- C:\Documents and Settings\sally\Application Data\Ahead
2007-10-31 12:47 <DIR> d-------- C:\Documents and Settings\nancy\Application Data\Skype
2007-10-31 11:16 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-31 10:24 <DIR> d-------- C:\Documents and Settings\nancy\Application Data\MSN6
2007-10-30 15:25 <DIR> d---s---- C:\Documents and Settings\nancy\UserData
2007-10-29 23:09 <DIR> d-------- C:\Documents and Settings\nancy\Contacts
2007-10-29 14:21 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Canon
2007-10-29 10:46 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Ahead
2007-10-28 11:06 <DIR> d-------- C:\Program Files\Nero
2007-10-28 11:06 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-10-26 21:22 <DIR> d-------- C:\Program Files\MyCNX
2007-10-26 20:12 <DIR> d-------- C:\Program Files\Skype
2007-10-26 20:12 <DIR> d-------- C:\Program Files\Google
2007-10-26 20:12 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-10-26 20:12 <DIR> d-------- C:\Documents and Settings\sally\Application Data\Skype
2007-10-25 10:11 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Media Player Classic
2007-10-24 21:39 <DIR> d-------- C:\Documents and Settings\sally\Application Data\Media Player Classic
2007-10-24 21:39 <DIR> d-------- C:\Documents and Settings\sally\Application Data\DivX
2007-10-24 12:09 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-10-24 12:04 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\DivX
2007-10-24 12:02 <DIR> d-------- C:\Program Files\DivX
2007-10-22 20:15 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 10:07 3,596,288 ----a-w C:\windows\system32\qt-dx331.dll
2007-09-28 10:05 81,920 ----a-w C:\windows\system32\dpl100.dll
2007-09-28 10:05 739,840 ----a-w C:\windows\system32\divx.dll
2007-09-24 08:22 295,161 ----a-w C:\PlayerHelper.dll
2007-09-04 10:56 164,352 ----a-w C:\windows\system32\unrar.dll
2007-08-15 04:24 90,112 ----a-w C:\XmvSource.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
C:\windows\system32\cbxwvww.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18E371F2-C2C1-4A0C-A55C-65CE5B7C9320}]
C:\windows\System32\mljjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b07029b-5c3b-4c7c-ae70-303e9e000599}]
2007-11-18 03:07 82496 --a------ C:\windows\System32\mcppawlt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Thunder"="C:\Program Files\Thunder Network\Thunder\Thunder.exe" [2007-07-30 19:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]
"combofix"="C:\windows\system32\cmd.exe" [2001-08-23 20:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\System32\ctfmon.exe" [2002-08-29 03:41]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ISW"="C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"= C:\windows\system32\cbxwvww.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwvww]
cbxwvww.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vsoallwt]
vsoallwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Thomas.AMD^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Thomas.AMD\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
C:\Program Files\SpyNoMore\SNM.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)


.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 13:27:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 13:27:32 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 15:00
.
--- E O F ---
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<

Re: Pls help me !! Thx...

Unread postby random/random » November 18th, 2007, 9:21 am

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\WINDOWS\\System32\\kpqinojq.exe"=-
    "C:\\windows\\System32\\yrtbpujp.exe"=-
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18E371F2-C2C1-4A0C-A55C-65CE5B7C9320}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b07029b-5c3b-4c7c-ae70-303e9e000599}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwvww]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vsoallwt]
    File::
    C:\WINDOWS\System32\kpqinojq.exe
    C:\windows\System32\yrtbpujp.exe
    C:\WINDOWS\system32\fqsrcsni.dll
    C:\WINDOWS\system32\mcppawlt.dll
    C:\WINDOWS\system32\njvbsdou.exe
    C:\windows\System32\mcppawlt.dll
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm
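As an added example (not ComboFix's own code and not part of the helper's post), a small parser that turns a CFScript like the one above into an explicit list of the registry keys, registry values and files it would delete, so the script can be reviewed before it is dropped onto ComboFix. Only the Registry:: and File:: directives used in this thread are modelled, and the embedded sample script is a constructed subset of the one posted.

```python
"""Parse a ComboFix CFScript into an action plan a reviewer can read.

Added example, not ComboFix's own code. Models the two directives used in
this thread: `Registry::` (reg-file syntax, where `[-Key]` deletes a key and
`"name"=-` deletes a value) and `File::` (one path per line to delete).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries the helper posted.
SAMPLE_CFSCRIPT = r"""
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\kpqinojq.exe"=-
"C:\\windows\\System32\\yrtbpujp.exe"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b07029b-5c3b-4c7c-ae70-303e9e000599}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwvww]
File::
C:\WINDOWS\System32\kpqinojq.exe
C:\WINDOWS\system32\mcppawlt.dll
C:\windows\System32\mcppawlt.dll
"""


@dataclass
class Plan:
    delete_keys: list = field(default_factory=list)    # whole keys removed
    delete_values: list = field(default_factory=list)  # (key, value name) pairs
    delete_files: list = field(default_factory=list)   # file paths removed
    warnings: list = field(default_factory=list)       # anything worth a second look


# [Key] opens a key; [-Key] deletes it. ComboFix uses "~" as a path shorthand.
KEY_RE = re.compile(r"^\[(-?)(HK[A-Z_]+\\.*)\]$")
# "name"=- deletes the named value; the name uses .reg backslash escaping.
DEL_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=-$')


def unescape_reg_string(s):
    """Undo .reg-file escaping: \\\\ -> \\ and \\" -> \"."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_cfscript(text):
    plan = Plan()
    section = None      # current directive: "Registry" or "File"
    current_key = None  # key that following "name"=- lines apply to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2], None
            if section not in ("Registry", "File"):
                plan.warnings.append(f"line {lineno}: unsupported directive {line}")
            continue
        if section == "Registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:
                    plan.delete_keys.append(key)
                    current_key = None  # a deleted key takes no value lines
                else:
                    current_key = key
                continue
            m = DEL_VALUE_RE.match(line)
            if m and current_key:
                plan.delete_values.append((current_key, unescape_reg_string(m.group(1))))
                continue
            plan.warnings.append(f"line {lineno}: unrecognised registry line {line!r}")
        elif section == "File":
            plan.delete_files.append(line)
        else:
            plan.warnings.append(f"line {lineno}: text before any directive {line!r}")
    # Windows paths are case-insensitive, so System32 and system32 name the same file.
    seen = set()
    for path in plan.delete_files:
        if path.lower() in seen:
            plan.warnings.append(f"duplicate file entry (case-insensitive): {path}")
        seen.add(path.lower())
    return plan
```

Running `parse_cfscript(SAMPLE_CFSCRIPT)` lists two deleted firewall-exception values, two deleted keys and three files, and flags that mcppawlt.dll is listed twice under different casing.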

Re: Pls help me !! Thx...

Unread postby SnoopDogg » November 19th, 2007, 12:09 am

ComboFix 07-11-08.1 - StreetBaller89 2007-11-09 12:02:25.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.215 [GMT 8:00]
Running from: C:\Documents and Settings\StreetBaller89\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\StreetBaller89\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\fqsrcsni.dll
C:\WINDOWS\System32\kpqinojq.exe
C:\WINDOWS\system32\mcppawlt.dll
C:\windows\System32\mcppawlt.dll
C:\WINDOWS\system32\njvbsdou.exe
C:\windows\System32\yrtbpujp.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\windows\cookies.ini
C:\WINDOWS\system32\fqsrcsni.dll
C:\WINDOWS\system32\mcppawlt.dll
C:\WINDOWS\system32\njvbsdou.exe
C:\windows\system32\ssttu.dll
C:\WINDOWS\system32\uttss.bak1
C:\WINDOWS\system32\uttss.bak2
C:\WINDOWS\system32\uttss.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-17 18:13 <DIR> d-------- C:\Documents and Settings\sally.AMD\Application Data\Yahoo!
2007-11-17 18:08 <DIR> d-------- C:\Documents and Settings\sally.AMD\Contacts
2007-11-17 16:59 0 --a------ C:\WINDOWS\system32\wmsoft10654.exe
2007-11-17 16:50 30,720 --a------ C:\WINDOWS\system32\setup_42440.exe
2007-11-17 16:44 30,720 --a------ C:\WINDOWS\system32\eraseme_56560.exe
2007-11-17 15:11 <DIR> d-------- C:\Program Files\ArtMoney
2007-11-17 14:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 15:33 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\DivX
2007-11-16 14:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-16 14:51 <DIR> d-------- C:\HijackThis
2007-11-16 14:43 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\Yahoo!
2007-11-16 03:09 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-11-16 03:07 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-16 03:07 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Yahoo!
2007-11-16 03:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2007-11-16 03:07 <DIR> dr-h----- C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2007-11-15 13:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
2007-11-15 12:46 30,592 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2007-11-15 12:46 12,800 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2007-11-15 12:43 30,592 --a--c--- C:\WINDOWS\system32\dllcache\rndismp.sys
2007-11-15 12:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-15 12:43 12,800 --a--c--- C:\WINDOWS\system32\dllcache\usb8023.sys
2007-11-15 12:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-11-14 21:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe Systems
2007-11-14 20:48 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-14 20:48 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-14 20:48 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-14 20:48 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-14 20:48 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-14 20:48 14,208 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-14 20:47 <DIR> d--h----- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ
2007-11-14 20:47 161,792 --a------ C:\WINDOWS\system32\CNMLM83.DLL
2007-11-14 20:00 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Uniblue
2007-11-14 15:45 <DIR> d-------- C:\Documents and Settings\test\Contacts
2007-11-14 12:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-14 12:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 12:45 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\SUPERAntiSpyware.com
2007-11-14 12:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2007-11-14 11:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-14 10:54 672 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-14 10:53 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-14 10:53 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-14 10:53 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-14 10:53 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-14 10:53 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-14 10:44 648,592 --a------ C:\PPlayer.dll
2007-11-14 10:36 356,352 --a------ C:\XPlayer.dll
2007-11-14 00:26 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-14 00:20 <DIR> d-------- C:\Documents and Settings\test\Application Data\DivX
2007-11-14 00:14 <DIR> d-------- C:\Documents and Settings\test\.housecall6.6
2007-11-14 00:00 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\.housecall6.6
2007-11-13 23:53 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Media Player Classic
2007-11-13 22:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-13 22:32 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-13 00:17 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\PPLive
2007-11-12 22:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-12 19:24 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\Ahead
2007-11-12 18:35 <DIR> d-------- C:\Documents and Settings\Thomas.AMD\Application Data\LimeWire
2007-11-12 16:50 <DIR> d---s---- C:\Documents and Settings\StreetBaller89\UserData
2007-11-12 16:19 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\CheckPoint
2007-11-12 16:14 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Incomplete
2007-11-12 16:14 <DIR> d-------- C:\Documents and Settings\StreetBaller89\Application Data\LimeWire
2007-11-11 01:26 <DIR> \\.\nul
2007-11-10 13:43 <DIR> d-------- C:\Program Files\ChristmasRush
2007-11-09 18:56 <DIR> d-------- C:\WINDOWS\Sun
2007-11-09 10:50 <DIR> d-------- C:\Program Files\Kazaa
2007-11-09 02:05 85,056 --a------ C:\WINDOWS\system32\pyrednnf.dll
2007-11-09 02:03 79,424 --a------ C:\WINDOWS\system32\dundpjel.dll
2007-11-09 02:02 71,232 --a------ C:\WINDOWS\system32\looqqriy.exe
2007-11-09 01:31 213,504 -r-hs---- C:\WINDOWS\trkwksvc.exe
2007-11-08 20:03 36,352 --a------ C:\WINDOWS\system32\tuvwvvw.dll
2007-11-08 20:03 36,352 --a------ C:\WINDOWS\system32\ddcyaay.dll
2007-11-08 20:03 35,840 --a------ C:\WINDOWS\system32\pmnolki.dll
2007-11-08 20:03 35,840 --a------ C:\WINDOWS\system32\hgggdcy.dll
2007-11-08 20:02 36,352 --a------ C:\WINDOWS\system32\qomjhef.dll
2007-11-08 20:02 36,352 --a------ C:\WINDOWS\system32\fccdbyv.dll
2007-11-08 20:02 35,840 --a------ C:\WINDOWS\system32\opnmjhh.dll
2007-11-08 20:02 35,840 --a------ C:\WINDOWS\system32\ljjjife.dll
2007-11-08 20:01 36,352 --a------ C:\WINDOWS\system32\iifedde.dll
2007-11-08 20:01 36,352 --a------ C:\WINDOWS\system32\awtrrsq.dll
2007-11-08 20:01 35,840 --a------ C:\WINDOWS\system32\rqrqrqr.dll
2007-11-08 20:01 35,840 --a------ C:\WINDOWS\system32\hggeddb.dll
2007-11-08 13:54 <DIR> d-------- C:\WINDOWS\sdir
2007-11-08 13:54 36,352 --a------ C:\WINDOWS\system32\nnnkjif.dll
2007-11-08 13:54 35,840 --a------ C:\WINDOWS\system32\nnnolig.dll
2007-11-08 10:32 <DIR> d-------- C:\Program Files\PHM
2007-11-08 03:57 <DIR> d-------- C:\WINDOWS\system32\RMBin
2007-11-08 03:57 <DIR> d-------- C:\Program Files\Aplus Video Convertor
2007-11-08 03:21 <DIR> d-------- C:\Program Files\pqDVD
2007-11-08 02:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-03 03:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-03 03:00 <DIR> d-------- C:\Program Files\Common Files\Real
2007-11-03 02:59 <DIR> d-------- C:\Program Files\Real
2007-11-01 10:40 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\AdobeUM
2007-11-01 09:12 <DIR> d-------- C:\Documents and Settings\sally\Application Data\Ahead
2007-10-31 12:47 <DIR> d-------- C:\Documents and Settings\nancy\Application Data\Skype
2007-10-31 11:16 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-31 10:24 <DIR> d-------- C:\Documents and Settings\nancy\Application Data\MSN6
2007-10-30 15:25 <DIR> d---s---- C:\Documents and Settings\nancy\UserData
2007-10-29 23:09 <DIR> d-------- C:\Documents and Settings\nancy\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 04:03 6,473 --sha-w C:\windows\system32\uttss.bak1
2007-09-28 10:07 3,596,288 ----a-w C:\windows\system32\qt-dx331.dll
2007-09-28 10:05 81,920 ----a-w C:\windows\system32\dpl100.dll
2007-09-28 10:05 739,840 ----a-w C:\windows\system32\divx.dll
2007-09-24 08:22 295,161 ----a-w C:\PlayerHelper.dll
2007-09-04 10:56 164,352 ----a-w C:\windows\system32\unrar.dll
2007-08-15 04:24 90,112 ----a-w C:\XmvSource.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-08_13.27.12.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-11 14:03:26 53,797 ----a-w C:\windows\sdir\helper.exe
+ 2007-11-09 10:07:36 59,392 ----a-w C:\windows\sdir\lc.exe
+ 2007-11-11 14:09:48 58,368 ------w C:\windows\sdir\relpk.exe
+ 2007-11-12 16:10:58 59,392 ----a-w C:\windows\sdir\zm.exe
- 2007-11-17 23:46:36 16,384 ----a-w C:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-08 18:01:59 16,384 ----a-w C:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-11-17 23:46:36 32,768 ----a-w C:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-08 18:01:59 32,768 ----a-w C:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-17 23:46:36 32,768 ----a-w C:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-08 18:01:59 32,768 ----a-w C:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E794189-7575-4306-8F49-CCDD291A59CD}]
2007-11-08 13:54 35840 --a------ C:\windows\system32\nnnolig.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38261512-E22E-4C78-BAD6-4D730ADF1D2E}]
C:\windows\System32\ssttu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73659a65-36dd-4e59-8a0a-ec13acb15252}]
2007-11-09 02:03 79424 --a------ C:\windows\System32\dundpjel.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Thunder"="C:\Program Files\Thunder Network\Thunder\Thunder.exe" [2007-07-30 19:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]
"Advanced DHTML Enable"="C:\windows\sdir\relpk.exe" [2007-11-11 22:09]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2000-11-12 00:52]
"e40ae455"="C:\windows\System32\pyrednnf.dll" [2007-11-09 02:06]
"combofix"="C:\windows\system32\cmd.exe" [2001-08-23 20:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\System32\ctfmon.exe" [2002-08-29 03:41]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ISW"="C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{1E794189-7575-4306-8F49-CCDD291A59CD}"= C:\windows\system32\nnnolig.dll [2007-11-08 13:54 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnolig]
nnnolig.dll 2007-11-08 13:54 35840 C:\WINDOWS\system32\nnnolig.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\windows\\System32\\ssttu

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Thomas.AMD^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Thomas.AMD\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
C:\Program Files\SpyNoMore\SNM.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R2 NET Service;NET Service;"C:\windows\trkwksvc.exe"
S2 cd3h2q0m1h2;cd3h2q0m1h2;"C:\windows\system32\svshost.exe"

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 12:07:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\trkwksvc.exe [640] 0x848E71B8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 12:07:26 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 13:27
C:\ComboFix3.txt ... 2007-11-17 15:00
.
--- E O F ---
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<

Re: Pls help me !! Thx...

Unread postby random/random » November 19th, 2007, 2:49 pm

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Pls help me !! Thx...

Unread postby SnoopDogg » November 24th, 2007, 2:58 am

First of all, very sorry for the late reply... I was busy... Vundo scanned nothing... btw it was my bro who reinstalled Windows before I scanned

VundoFix V6.6.2

Checking Java version...

Scan started at 12:57:20 PM 11/24/2007

Listing files found while scanning....

No infected files were found.
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<

Re: Pls help me !! Thx...

Unread postby random/random » November 24th, 2007, 7:49 am

Please post a new HijackThis log
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Pls help me !! Thx...

Unread postby SnoopDogg » November 25th, 2007, 4:20 am

Sorry...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:11 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwa ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2BAEB34-DFDD-4BF9-8F2E-ADC85CF466BF}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

--
End of file - 4790 bytes
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<