Bad Image problem!{Resolved}


  • This topic is locked
17 replies to this topic

#1 Cazoy

Cazoy

    Member

  • Members
  • 15 posts

Posted 18 January 2009 - 01:10 PM

Hey!
Some time ago I had problems with spyware, so I used many different anti-spyware and antivirus programs. Somehow I managed to get this under control, but now every time I start my computer or use SpyBot, I get these Bad Image errors.
Now I'll write exactly what they show me (it's a bunch of errors, in this exact order):
1.C:\WINDOWS\system32\950D1600.dll
2.C:\WINDOWS\system32\F8E07BB2.dll
3.C:\WINDOWS\system32\AD794E6B.dll
4.C:\WINDOWS\system32\A1A6BC2E.dll
5.C:\WINDOWS\system32\08223B03.dll
6.C:\WINDOWS\system32\BA7EDF54.dll
7.C:\WINDOWS\system32\B8E83D3C.dll

I'll post here what the HijackThis log showed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39:35, on 18.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Atheros WLAN Client\ACU.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros WLAN Client\ACU.exe -nogui
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: 01AFE3DC.dll,acaptuser32.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7933 bytes

I'm really thankful if somebody can make those annoying errors disappear.
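The log above contains the kind of entries a malware tech looks for first: an O20 AppInit_DLLs line naming a DLL with a random eight-hex-character name, an O23 service whose image sits under a Temp folder and is marked "(file missing)", and an O2 BHO with "(no file)". As an added example (not part of the thread, and not a tool the forum uses), the Python below runs a few such triage heuristics over HijackThis-style lines. The sample lines are constructed and modelled on entries quoted in this thread; the heuristics themselves are this editor's assumptions and only prioritise lines for a human to examine, they are not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample input, modelled on entries quoted in the HijackThis log
# above plus one of the "Bad Image" paths from the original post.
SAMPLE_LINES = [
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - AppInit_DLLs: 01AFE3DC.dll,acaptuser32.dll",
    r"O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe",
    r"O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)",
    r"C:\WINDOWS\system32\950D1600.dll",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# Heuristic (assumption): legitimate files are rarely named with exactly eight
# hex digits; the infection in this thread used that pattern for its .dll/.cfg pairs.
HEX_NAME = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f]{8}\.(?:dll|cfg|sys)\b")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def flag_line(line: str) -> List[str]:
    """Return the list of reasons a single log line deserves a closer look.

    An empty list means none of the heuristics fired.
    """
    reasons: List[str] = []
    stripped = line.strip()
    if not stripped:
        return reasons
    # AppInit_DLLs are loaded into every process that maps user32.dll; very few
    # legitimate products use this key, so every entry is worth verifying.
    if stripped.startswith("O20 - AppInit_DLLs:"):
        reasons.append("AppInit_DLLs entry: DLL injected into every user32-linked process")
    # Orphans: a registration whose target is gone, usually a remnant of a
    # removed component; harmless by itself but confirms something was there.
    for marker in ORPHAN_MARKERS:
        if marker in stripped:
            reasons.append(f"orphaned entry {marker}: registration outlived its file")
    # Services or autostarts running from a Temp directory are unusual for
    # installed software.
    if TEMP_DIR.search(stripped):
        reasons.append("autostart/service image under a Temp directory")
    for name in HEX_NAME.findall(stripped):
        reasons.append(f"random-looking hex file name {name}")
    return reasons


def triage(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Run flag_line over every line; return (line_no, line, reasons) for hits."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        reasons = flag_line(line)
        if reasons:
            findings.append((number, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for number, line, reasons in triage(SAMPLE_LOG):
        print(f"line {number}: {line}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the constructed sample the script flags four of the seven lines: the orphaned BHO, the AppInit_DLLs line (twice, once for the key and once for the hex-named DLL), the Temp-resident missing service, and the Bad Image path. The two ESET lines and ctfmon.exe pass untouched, which is the point: the heuristics are meant to shorten the list a human reads, not replace the read.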

#2 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,094 posts
  • Gender:Female


Posted 18 January 2009 - 01:51 PM

Hi and welcome


Download Combofix from any of the links below. Save it to your desktop

Link 1
Link 2
Link 3


--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

** Please Note:
At times ComboFix may appear to stall, please be patient.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#3 Cazoy

Cazoy

    Member

  • Members
  • 15 posts

Posted 18 January 2009 - 02:40 PM

ComboFix:

ComboFix 09-01-17.04 - User 2009-01-18 21:28:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.270 [GMT 2:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall *enabled*
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\AcSpecf.sdb
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\201476D0.cfg
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\34A25F04.cfg
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\56BC86C7.cfg
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\8566F82E.cfg
c:\windows\system32\950D1600.cfg
c:\windows\system32\950D1600.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\A55F538E.cfg
c:\windows\system32\advapi32new.dll
c:\windows\system32\apphelpnew.dll
c:\windows\system32\avrt.dll
c:\windows\system32\B3721C07.cfg
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\B8E83D3C.dll
c:\windows\system32\BA7EDF54.cfg
c:\windows\system32\BA7EDF54.dll
c:\windows\system32\crypt32new.dll
c:\windows\system32\d3d10core.dll
c:\windows\system32\D3DX10d_39.dll
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\DFEC5CB7.cfg
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\dwmapi.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\E0D39066.cfg
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\kernel32new.dll
c:\windows\system32\msvcrtnew.dll
c:\windows\system32\ntdsapinew.dll
c:\windows\system32\powrprofnew.dll
c:\windows\system32\secur32new.dll
c:\windows\system32\unxxx.bat
c:\windows\system32\user32new.dll
c:\windows\system32\winstanew.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B160485
-------\Legacy_D812A079
-------\Service_b160485
-------\Service_d812a079
-------\Service_f35ee9e
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-18 19:31 . 2009-01-18 19:31 <DIR> d-------- c:\program files\Trend Micro
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\Microsoft
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\User\Application Data\DAEMON Tools Pro
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-07 21:50 . 2009-01-07 21:50 <DIR> d-------- C:\ProgramData
2009-01-07 21:50 . 2009-01-07 21:50 <DIR> d-------- c:\program files\Electronic Arts
2009-01-07 21:49 . 2009-01-07 21:49 1,108 --a------ c:\windows\system32\ealregsnapshot1.reg
2009-01-07 21:36 . 2009-01-18 16:57 <DIR> d-------- c:\program files\EA Sports
2009-01-02 19:03 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\User\Tracing
2009-01-02 18:55 . 2009-01-02 18:55 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-01-02 18:50 . 2009-01-18 16:53 <DIR> d-------- c:\documents and settings\User\Application Data\vlc
2009-01-02 18:50 . 2009-01-02 18:51 <DIR> d-------- c:\documents and settings\User\Application Data\DAEMON Tools Lite
2008-12-28 23:03 . 2008-12-28 23:03 <DIR> d-------- c:\program files\Microsoft Games
2008-12-23 18:38 . 2009-01-18 16:54 <DIR> d-------- c:\program files\Guitar Pro 5
2008-12-18 14:53 . 2008-03-26 20:49 2,863,616 --a------ c:\windows\system32\drivers\ati2mtag.sys
2008-12-18 14:20 . 2008-12-18 14:20 <DIR> d-------- C:\AMD
2008-12-18 14:03 . 2008-04-22 22:20 1,584,149 --a------ c:\windows\system32\setupapinew.dll
2008-12-18 14:03 . 2006-11-02 12:47 1,162,656 --a------ c:\windows\system32\ntdllnew.dll
2008-12-18 14:03 . 2008-05-04 17:42 789,525 --a------ c:\windows\system32\rpcrt4new.dll
2008-12-18 14:03 . 2007-04-18 02:13 25,037 --a------ c:\windows\system32\Nucleus.dll
2008-12-18 14:03 . 2008-03-09 07:25 236 --ah----- c:\program files\Common Files\dx.reg
2008-12-18 12:55 . 2008-12-18 12:54 728,858 --a------ c:\program files\Common Files\unins000.exe
2008-12-18 12:55 . 2008-12-18 12:55 3,005 --a------ c:\program files\Common Files\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 14:57 --------- d-----w c:\documents and settings\User\Application Data\Microsoft Games
2009-01-18 14:57 --------- d-----w c:\documents and settings\User\Application Data\DAEMON Tools
2009-01-18 14:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-18 14:53 --------- d-----w c:\program files\CCleaner
2009-01-18 14:53 --------- d-----w c:\documents and settings\User\Application Data\vlc
2009-01-18 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 17:01 --------- d-----w c:\program files\Windows Live
2008-12-17 17:53 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-12-17 17:49 --------- d-----w c:\program files\ATI Technologies
2008-12-17 16:58 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-17 16:58 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-02 13:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-02 09:56 --------- d-----w c:\program files\ESET
2008-12-02 09:38 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-11-28 06:44 --------- d-----w c:\program files\AVG
2008-11-25 14:43 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-09-20 21:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"nodenable"="c:\program files\eset\nodenable.exe" [2008-09-22 326829]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-11-13 2105176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2006-03-28 634880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947]
"ACU"="c:\program files\Atheros WLAN Client\ACU.exe" [2006-02-06 307200]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R3 SSB2413;SSB2413 Wireless Network Adapter Service;c:\windows\system32\drivers\SSB2413.sys [2007-09-05 470112]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2006-03-29 27648]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
S4 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S4 SessionLauncher;SessionLauncher;c:\docume~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2009-01-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-448539723-1801674531-1003.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-17 16:39]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{AD794E6B-90B7-4F9D-8FD6-0C16E3298FF2} - AD794E6B.dll
ShellExecuteHooks-{B8E83D3C-9466-4091-9AD1-1F89418A6EB7} - B8E83D3C.dll
ShellExecuteHooks-{E1D19FCC-4777-4D71-B863-6A0A5B4E59BC} - E1D19FCC.dll
ShellExecuteHooks-{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96} - 4FBFD5A4.dll
ShellExecuteHooks-{93DEE065-EC9B-4505-ADD3-19880AD3C38F} - 93DEE065.dll
ShellExecuteHooks-{29EA67E0-9EE5-4D1A-A056-5B7BDAC4CF97} - 29EA67E0.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.neti.ee/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 21:33:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-448539723-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:1f,d7,98,61,6d,fd,af,81,00,3d,24,dd,ef,54,4c,ea,78,22,ea,6d,a8,
3d,b2,2c,73,5b,2e,6c,ae,c0,68,ea,44,9f,00,86,3e,96,dc,0d,40,34,3d,e0,ad,fb,\
"rkeysecu"=hex:37,ac,d3,fe,09,f0,13,51,16,f8,ab,b8,8f,c3,eb,57
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Sygate\SPF\Smc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-01-18 21:35:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 19:35:57

Pre-Run: 22 768 660 480 bytes free
Post-Run: 22,655,262,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

225 --- E O F --- 2009-01-17 17:32:10

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:47, on 18.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros WLAN Client\ACU.exe -nogui
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7530 bytes

#4 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,094 posts
  • Gender:Female


Posted 18 January 2009 - 04:15 PM

Welcome back


Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program
as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================



NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Using Internet Explorer, visit http://www.kaspersky...apter=161739400

Other available links
Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.

Animated tutorial
http://i275.photobuc...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozil...efox/addon/1419


In your next reply post:
Kaspersky log
New HJT log taken after the above scans have run


How's the computer now?
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#5 Cazoy

Cazoy

    Member

  • Members
  • 15 posts

Posted 19 January 2009 - 07:39 AM

Right now my computer seems to be working fine, no bad image errors after I installed ComboFix. Today I have plenty of free time to perform the actions you suggested.

#6 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,094 posts
  • Gender:Female


Posted 19 January 2009 - 08:54 AM

:tup:

#7 Cazoy

Cazoy

    Member

  • Members
  • 15 posts

Posted 19 January 2009 - 10:10 AM

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, January 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 19, 2009 11:28:44
Records in database: 1647067
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 74804
Threat name: 30
Infected objects: 43
Suspicious objects: 0
Duration of the scan: 01:42:56


File name / Threat name / Threats count
C:\DOCUME~1\User\LOCALS~1\Temp\wmsetup.dll/C:\DOCUME~1\User\LOCALS~1\Temp\wmsetup.dll Infected: Trojan-Downloader.Win32.Murlo.nn 2
C:\WINDOWS\linkinfo.dll/C:\WINDOWS\linkinfo.dll Infected: Trojan-Downloader.Win32.Agent.bsi 1
C:\Program Files\Messenger\msgmr.dll/C:\Program Files\Messenger\msgmr.dll Infected: Trojan-Downloader.Win32.Agent.yuv 2
C:\WINDOWS\Fonts\Framdee.ttf/C:\WINDOWS\Fonts\Framdee.ttf Infected: Trojan-Downloader.Win32.Small.yvn 2
C:\Documents and Settings\User\Local Settings\temp\eee.cab Infected: Trojan-Downloader.Win32.Small.aacq 1
C:\Documents and Settings\User\Local Settings\temp\wmsetup.dll Infected: Trojan-Downloader.Win32.Murlo.nn 1
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\a007[1].cab Infected: Trojan-Dropper.Win32.Small.axv 1
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\update[1].cab Infected: Trojan-Downloader.Win32.Small.aacq 1
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\BGG3E2T8\gbu[2].gif Infected: Trojan-Downloader.Win32.Murlo.nn 1
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\a006[1].cab Infected: Trojan-Downloader.Win32.Agent.wxq 1
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\eee[1].cab Infected: Trojan-Downloader.Win32.Small.aacq 1
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\FF933K62\update[1].gif Infected: Trojan-Downloader.Win32.Small.aacq 1
C:\WINDOWS\system32\92.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ultz 1
C:\WINDOWS\temp\NOD102.tmp Infected: Trojan-Downloader.Win32.Murlo.nn 1
C:\WINDOWS\temp\NOD105.tmp Infected: Trojan-Downloader.Win32.Agent.bsi 1
C:\WINDOWS\temp\NOD106.tmp Infected: Trojan-GameThief.Win32.WOW.ekr 1
C:\WINDOWS\temp\NOD107.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ulur 1
C:\WINDOWS\temp\NOD108.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uhce 1
C:\WINDOWS\temp\NOD109.tmp Infected: Trojan-Downloader.Win32.Small.yvn 1
C:\WINDOWS\temp\NOD10A.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ubsp 1
C:\WINDOWS\temp\NOD10C.tmp Infected: Trojan.Win32.SmallGame.cb 1
C:\WINDOWS\temp\NOD10E.tmp Infected: Trojan.Win32.SmallGame.bp 1
C:\WINDOWS\temp\NOD10F.tmp Infected: Trojan.Win32.SmallGame.bz 1
C:\WINDOWS\temp\NODC7.tmp Infected: Trojan.Win32.Qhost.kmd 1
C:\WINDOWS\temp\NODC9.tmp Infected: Trojan.Win32.Agent.amol 1
C:\WINDOWS\temp\NODCC.tmp Infected: Trojan-Downloader.Win32.Agent.yuv 1
C:\WINDOWS\temp\NODD1.tmp Infected: not-a-virus:AdWare.Win32.BHO.dai 1
C:\WINDOWS\temp\NODD3.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ukzl 1
C:\WINDOWS\temp\NODD4.tmp Infected: Trojan-GameThief.Win32.OnLineGames.bkpd 1
C:\WINDOWS\temp\NODD5.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uiwr 1
C:\WINDOWS\temp\NODD6.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uhbb 1
C:\WINDOWS\temp\NODDC.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ultz 1
C:\WINDOWS\temp\NODDF.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uiwo 1
C:\WINDOWS\temp\NODE0.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ujrl 1
C:\WINDOWS\temp\NODE3.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uhvp 1
C:\WINDOWS\temp\NODE7.tmp Infected: Trojan.Win32.Agent.bgnk 1
C:\WINDOWS\temp\NODEA.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ulfx 1
C:\WINDOWS\temp\NODF0.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ulja 1
C:\WINDOWS\temp\NODF7.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ujug 1
C:\WINDOWS\temp\NODF8.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ulvo 1

The selected area was scanned.


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:05:10, on 19.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Atheros WLAN Client\ACU.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: 127.1 localhost
O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn
O1 - Hosts: 127.1 61.134.37.12
O1 - Hosts: 127.1 ko.ssa387.cn
O1 - Hosts: 127.1 www.ndxrr.cn
O1 - Hosts: 127.1 12345.ssa387.cn
O1 - Hosts: 127.1 lihai88.com
O1 - Hosts: 127.1 wwwwhf.cn
O1 - Hosts: 127.1 a89369093.sq.u9idc.com
O1 - Hosts: 127.1 www.mmd178.cn
O1 - Hosts: 127.1 www.178mmd.cn
O1 - Hosts: 127.1 www.wenzhuoyyy.cn
O1 - Hosts: 127.1 tw.lovechina.tw.cn
O1 - Hosts: 127.1 222.189.238.151
O1 - Hosts: 127.1 222.179.185.78
O1 - Hosts: 127.1 www.wq9q.cn
O1 - Hosts: 127.1 593ffcey.cn
O1 - Hosts: 127.1 set.yay520.cn
O1 - Hosts: 127.1 tenmoc999.cn
O1 - Hosts: 127.1 lihai88.com
O1 - Hosts: 127.1 121.kcuf-01.com
O1 - Hosts: 127.1 www.ew1q.cn
O1 - Hosts: 127.1 www.b3sk.cn
O1 - Hosts: 127.1 up.bizmd.cn
O1 - Hosts: 127.1 www.ms2a.cn
O1 - Hosts: 127.1 www.wo9188.cn
O1 - Hosts: 127.1 www.fgetchr.cn
O1 - Hosts: 127.1 www.e6zx.cn
O1 - Hosts: 127.1 hai067.com
O1 - Hosts: 127.1 hai088.com
O1 - Hosts: 127.1 778899.jd8j.cn
O1 - Hosts: 127.1 sql.78-11.net
O1 - Hosts: 127.1 www.bbbirdy.com
O1 - Hosts: 127.1 www.s1na1.com.cn
O1 - Hosts: 127.1 www.dianyinjzd.cn
O1 - Hosts: 127.1 www.dj5201314dj.com
O1 - Hosts: 127.1 max-2.cn
O1 - Hosts: 127.1 a.asp-o.cn
O1 - Hosts: 127.1 b.asp-o.cn
O1 - Hosts: 127.1 c.asp-o.cn
O1 - Hosts: 127.1 x.kprobb.cn
O1 - Hosts: 127.1 js.php-k.cn
O1 - Hosts: 127.1 max-1.cn
O1 - Hosts: 127.1 max-3.cn
O1 - Hosts: 127.1 max-4.cn
O1 - Hosts: 127.1 max-5.cn
O1 - Hosts: 127.1 max-6.cn
O1 - Hosts: 127.1 max-7.cn
O1 - Hosts: 127.1 max-8.cn
O1 - Hosts: 127.1 max-9.cn
O1 - Hosts: 127.1 max-10.cn
O1 - Hosts: 127.1 max-11.cn
O1 - Hosts: 127.1 max-12.cn
O1 - Hosts: 127.1 twocannon250.com.cn
O1 - Hosts: 127.1 www.133mm.cn
O1 - Hosts: 127.1 www.51vmm.cn
O1 - Hosts: 127.1 www.7mmoo.cn
O1 - Hosts: 127.1 www.99mmm.org.cn
O1 - Hosts: 127.1 www.hdec.cn
O1 - Hosts: 127.1 www.picc18.com
O1 - Hosts: 127.1 www.kissdh.com
O1 - Hosts: 127.1 www.x7v.cn
O1 - Hosts: 127.1 biqulu.cn
O1 - Hosts: 127.1 2008.qq2006.com.cn
O1 - Hosts: 127.1 giaitrisex.com
O1 - Hosts: 127.1 www.giaitrisex.com
O1 - Hosts: 127.1 www.giaitrituoitre.net
O1 - Hosts: 127.1 mekiep.com
O1 - Hosts: 127.1 www.1sex1day.com
O1 - Hosts: 127.1 a.9ymm.com
O1 - Hosts: 127.1 bobo.7wyt.com
O1 - Hosts: 127.1 www.591caobi.cn
O1 - Hosts: 127.1 www.hrz008.cn
O1 - Hosts: 127.1 asp-15.cn
O1 - Hosts: 127.1 asp-12.cn
O1 - Hosts: 127.1 www.jb88.net
O1 - Hosts: 127.1 6.a88a.com
O1 - Hosts: 127.1 w.b2c3.cn
O1 - Hosts: 127.1 m.c5x8.com
O1 - Hosts: 127.1 www.518sfw.cn
O1 - Hosts: 127.1 www.jjyyzmj.cn
O1 - Hosts: 127.1 u.cnmrx.net
O1 - Hosts: 127.1 duowan.czm.cn
O1 - Hosts: 127.1 xccxcxcxcxcx.cn
O1 - Hosts: 127.1 google-yahoo.org.cn
O1 - Hosts: 127.1 tudou-net.org.cn
O1 - Hosts: 127.1 downloads.zango.com
O1 - Hosts: 127.1 ftp.surfnet.nl
O1 - Hosts: 127.1 bis.180solutions.com
O1 - Hosts: 127.1 installs.hotbar.com
O1 - Hosts: 127.1 www.hbdownloads.com
O1 - Hosts: 127.1 static.zangocash.com
O1 - Hosts: 127.1 www.qq-songli.cn
O1 - Hosts: 127.1 aa.9234.net
O1 - Hosts: 127.1 www.97love.info
O1 - Hosts: 127.1 97love.info
O1 - Hosts: 127.1 www.zyzhuiku.cn
O1 - Hosts: 127.1 zyzhuiku.cn
O1 - Hosts: 127.1 www.lang18.com
O1 - Hosts: 127.1 lang18.com
O1 - Hosts: 127.1 sao6666.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros WLAN Client\ACU.exe -nogui
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: HBmhly.dll,HBCHIBI.dll,eclnnhfj.dll,lclmfcod.dll,knnjobkh.dll,gedhmhga.dll,mkcamlbl.dll,bmhclfad.dll,bcjmfkjd.dll,blhekilo.dll,djbgbjmh.dll,HBSHQ.dll,ahejnckg.dll,fmhgfddc.dll,HBWULIN2.dll,deklpmmd.dll,iehpphgi.dll,jnlbcafg.dll,nljhfjop.dll,jkhaneli.dll,ikgkljlb.dll,cghoicnn.dll
O21 - SSODL: EC5771F3 - {EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - C:\WINDOWS\system32\eclnnhfj.dll (file missing)
O21 - SSODL: B51E4258 - {B51E4258-1E43-45A8-8D8F-9C7178BB3423} - C:\WINDOWS\system32\blhekilo.dll (file missing)
O21 - SSODL: BC36F43D - {BC36F43D-5985-4D88-966C-97507E1A5339} - C:\WINDOWS\system32\bcjmfkjd.dll (file missing)
O21 - SSODL: 0ED1610A - {0ED1610A-3050-4A92-A789-2BEE0A44CC4F} - C:\WINDOWS\system32\gedhmhga.dll (file missing)
O21 - SSODL: 47738B41 - {47738B41-069A-4FA7-AAF6-C16AC67952AF} - C:\WINDOWS\system32\knnjobkh.dll (file missing)
O21 - SSODL: 64CA65B5 - {64CA65B5-ECC0-4C66-BDFE-32B5C12E6CE9} - C:\WINDOWS\system32\mkcamlbl.dll (file missing)
O21 - SSODL: B61C5FAD - {B61C5FAD-ACEC-4592-8206-A9CECC9B6939} - C:\WINDOWS\system32\bmhclfad.dll (file missing)
O21 - SSODL: 5C56FC8D - {5C56FC8D-EEC4-4925-80C3-A42BAB7D91FA} - C:\WINDOWS\system32\lclmfcod.dll (file missing)
O21 - SSODL: D3B0B361 - {D3B0B361-D6C2-4635-8FDF-8AE0319F52FD} - C:\WINDOWS\system32\djbgbjmh.dll (file missing)
O21 - SSODL: A1E37C40 - {A1E37C40-9D14-4A84-AC05-9A7ADC4BEA87} - C:\WINDOWS\system32\ahejnckg.dll (file missing)
O21 - SSODL: F610FDDC - {F610FDDC-F91E-4702-B317-136D93D65E6C} - C:\WINDOWS\system32\fmhgfddc.dll (file missing)
O21 - SSODL: DE45966D - {DE45966D-246F-4BB2-B911-8BB2413ABBAD} - C:\WINDOWS\system32\deklpmmd.dll (file missing)
O21 - SSODL: 2E199102 - {2E199102-3461-4A5A-B40D-00F008C77A04} - C:\WINDOWS\system32\iehpphgi.dll (file missing)
O21 - SSODL: 375BCAF0 - {375BCAF0-82A2-4CF5-93E6-2A357B29F688} - C:\WINDOWS\system32\jnlbcafg.dll (file missing)
O21 - SSODL: 7531F389 - {7531F389-1A52-49A0-9F41-325528A4E1CF} - C:\WINDOWS\system32\nljhfjop.dll (file missing)
O21 - SSODL: 341A7E52 - {341A7E52-1C86-4465-8245-EB43932ACF07} - C:\WINDOWS\system32\jkhaneli.dll (file missing)
O21 - SSODL: 2404535B - {2404535B-9305-4837-AC63-AF8DE5A8D94B} - C:\WINDOWS\system32\ikgkljlb.dll (file missing)
O21 - SSODL: C0182C77 - {C0182C77-4467-413A-AD71-5782D8F491AC} - C:\WINDOWS\system32\cghoicnn.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 13919 bytes

#8 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,094 posts
  • Gender:Female


Posted 19 January 2009 - 12:29 PM

Welcome back

Download the HostsXpert 4.3 - Hosts File Manager.

http://www.funkytoad...=...=13&Itemid=

* Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
* Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
* Click "Make Hosts Writable?" in the upper corner (If available).

* Next Click Restore Microsoft's Hosts files and then click OK.
* Click the X to exit the program.
* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Tutorial, go here:
http://i28.photobuck...HostsXpert4.jpg





Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
(If Spybot should give you any problems just uninstall it for now)
# Open Spybot Search & Destroy.
# In the Mode menu click "Advanced mode" if not already selected.
# Choose "Yes" at the Warning prompt.
# Expand the "Tools" menu.
# Click "Resident".
# Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
# In the File menu click "Exit" to exit Spybot Search & Destroy.

* See this link for a tutorial http://russelltexas....re/teatimer.htm






Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O1 - Hosts: 127.1 localhost
O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn
O1 - Hosts: 127.1 61.134.37.12
O1 - Hosts: 127.1 ko.ssa387.cn
O1 - Hosts: 127.1 www.ndxrr.cn
O1 - Hosts: 127.1 12345.ssa387.cn
O1 - Hosts: 127.1 lihai88.com
O1 - Hosts: 127.1 wwwwhf.cn
O1 - Hosts: 127.1 a89369093.sq.u9idc.com
O1 - Hosts: 127.1 www.mmd178.cn
O1 - Hosts: 127.1 www.178mmd.cn
O1 - Hosts: 127.1 www.wenzhuoyyy.cn
O1 - Hosts: 127.1 tw.lovechina.tw.cn
O1 - Hosts: 127.1 222.189.238.151
O1 - Hosts: 127.1 222.179.185.78
O1 - Hosts: 127.1 www.wq9q.cn
O1 - Hosts: 127.1 593ffcey.cn
O1 - Hosts: 127.1 set.yay520.cn
O1 - Hosts: 127.1 tenmoc999.cn
O1 - Hosts: 127.1 lihai88.com
O1 - Hosts: 127.1 121.kcuf-01.com
O1 - Hosts: 127.1 www.ew1q.cn
O1 - Hosts: 127.1 www.b3sk.cn
O1 - Hosts: 127.1 up.bizmd.cn
O1 - Hosts: 127.1 www.ms2a.cn
O1 - Hosts: 127.1 www.wo9188.cn
O1 - Hosts: 127.1 www.fgetchr.cn
O1 - Hosts: 127.1 www.e6zx.cn
O1 - Hosts: 127.1 hai067.com
O1 - Hosts: 127.1 hai088.com
O1 - Hosts: 127.1 778899.jd8j.cn
O1 - Hosts: 127.1 sql.78-11.net
O1 - Hosts: 127.1 www.bbbirdy.com
O1 - Hosts: 127.1 www.s1na1.com.cn
O1 - Hosts: 127.1 www.dianyinjzd.cn
O1 - Hosts: 127.1 www.dj5201314dj.com
O1 - Hosts: 127.1 max-2.cn
O1 - Hosts: 127.1 a.asp-o.cn
O1 - Hosts: 127.1 b.asp-o.cn
O1 - Hosts: 127.1 c.asp-o.cn
O1 - Hosts: 127.1 x.kprobb.cn
O1 - Hosts: 127.1 js.php-k.cn
O1 - Hosts: 127.1 max-1.cn
O1 - Hosts: 127.1 max-3.cn
O1 - Hosts: 127.1 max-4.cn
O1 - Hosts: 127.1 max-5.cn
O1 - Hosts: 127.1 max-6.cn
O1 - Hosts: 127.1 max-7.cn
O1 - Hosts: 127.1 max-8.cn
O1 - Hosts: 127.1 max-9.cn
O1 - Hosts: 127.1 max-10.cn
O1 - Hosts: 127.1 max-11.cn
O1 - Hosts: 127.1 max-12.cn
O1 - Hosts: 127.1 twocannon250.com.cn
O1 - Hosts: 127.1 www.133mm.cn
O1 - Hosts: 127.1 www.51vmm.cn
O1 - Hosts: 127.1 www.7mmoo.cn
O1 - Hosts: 127.1 www.99mmm.org.cn
O1 - Hosts: 127.1 www.hdec.cn
O1 - Hosts: 127.1 www.picc18.com
O1 - Hosts: 127.1 www.kissdh.com
O1 - Hosts: 127.1 www.x7v.cn
O1 - Hosts: 127.1 biqulu.cn
O1 - Hosts: 127.1 2008.qq2006.com.cn
O1 - Hosts: 127.1 giaitrisex.com
O1 - Hosts: 127.1 www.giaitrisex.com
O1 - Hosts: 127.1 www.giaitrituoitre.net
O1 - Hosts: 127.1 mekiep.com
O1 - Hosts: 127.1 www.1sex1day.com
O1 - Hosts: 127.1 a.9ymm.com
O1 - Hosts: 127.1 bobo.7wyt.com
O1 - Hosts: 127.1 www.591caobi.cn
O1 - Hosts: 127.1 www.hrz008.cn
O1 - Hosts: 127.1 asp-15.cn
O1 - Hosts: 127.1 asp-12.cn
O1 - Hosts: 127.1 www.jb88.net
O1 - Hosts: 127.1 6.a88a.com
O1 - Hosts: 127.1 w.b2c3.cn
O1 - Hosts: 127.1 m.c5x8.com
O1 - Hosts: 127.1 www.518sfw.cn
O1 - Hosts: 127.1 www.jjyyzmj.cn
O1 - Hosts: 127.1 u.cnmrx.net
O1 - Hosts: 127.1 duowan.czm.cn
O1 - Hosts: 127.1 xccxcxcxcxcx.cn
O1 - Hosts: 127.1 google-yahoo.org.cn
O1 - Hosts: 127.1 tudou-net.org.cn
O1 - Hosts: 127.1 downloads.zango.com
O1 - Hosts: 127.1 ftp.surfnet.nl
O1 - Hosts: 127.1 bis.180solutions.com
O1 - Hosts: 127.1 installs.hotbar.com
O1 - Hosts: 127.1 www.hbdownloads.com
O1 - Hosts: 127.1 static.zangocash.com
O1 - Hosts: 127.1 www.qq-songli.cn
O1 - Hosts: 127.1 aa.9234.net
O1 - Hosts: 127.1 www.97love.info
O1 - Hosts: 127.1 97love.info
O1 - Hosts: 127.1 www.zyzhuiku.cn
O1 - Hosts: 127.1 zyzhuiku.cn
O1 - Hosts: 127.1 www.lang18.com
O1 - Hosts: 127.1 lang18.com
O1 - Hosts: 127.1 sao6666.com

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)

O20 - AppInit_DLLs: HBmhly.dll,HBCHIBI.dll,eclnnhfj.dll,lclmfcod.dll,knnjobkh.dll,gedhmhga.dll,mkcamlbl.dll,bmhclfad.dll,bcjmfkjd.dll,blhekilo.dll,djbgbjmh.dll,HBSHQ.dll,ahejnckg.dll,fmhgfddc.dll,HBWULIN2.dll,deklpmmd.dll,iehpphgi.dll,jnlbcafg.dll,nljhfjop.dll,jkhaneli.dll,ikgkljlb.dll,cghoicnn.dll

O21 - SSODL: EC5771F3 - {EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - C:\WINDOWS\system32\eclnnhfj.dll (file missing)
O21 - SSODL: B51E4258 - {B51E4258-1E43-45A8-8D8F-9C7178BB3423} - C:\WINDOWS\system32\blhekilo.dll (file missing)
O21 - SSODL: BC36F43D - {BC36F43D-5985-4D88-966C-97507E1A5339} - C:\WINDOWS\system32\bcjmfkjd.dll (file missing)
O21 - SSODL: 0ED1610A - {0ED1610A-3050-4A92-A789-2BEE0A44CC4F} - C:\WINDOWS\system32\gedhmhga.dll (file missing)
O21 - SSODL: 47738B41 - {47738B41-069A-4FA7-AAF6-C16AC67952AF} - C:\WINDOWS\system32\knnjobkh.dll (file missing)
O21 - SSODL: 64CA65B5 - {64CA65B5-ECC0-4C66-BDFE-32B5C12E6CE9} - C:\WINDOWS\system32\mkcamlbl.dll (file missing)
O21 - SSODL: B61C5FAD - {B61C5FAD-ACEC-4592-8206-A9CECC9B6939} - C:\WINDOWS\system32\bmhclfad.dll (file missing)
O21 - SSODL: 5C56FC8D - {5C56FC8D-EEC4-4925-80C3-A42BAB7D91FA} - C:\WINDOWS\system32\lclmfcod.dll (file missing)
O21 - SSODL: D3B0B361 - {D3B0B361-D6C2-4635-8FDF-8AE0319F52FD} - C:\WINDOWS\system32\djbgbjmh.dll (file missing)
O21 - SSODL: A1E37C40 - {A1E37C40-9D14-4A84-AC05-9A7ADC4BEA87} - C:\WINDOWS\system32\ahejnckg.dll (file missing)
O21 - SSODL: F610FDDC - {F610FDDC-F91E-4702-B317-136D93D65E6C} - C:\WINDOWS\system32\fmhgfddc.dll (file missing)
O21 - SSODL: DE45966D - {DE45966D-246F-4BB2-B911-8BB2413ABBAD} - C:\WINDOWS\system32\deklpmmd.dll (file missing)
O21 - SSODL: 2E199102 - {2E199102-3461-4A5A-B40D-00F008C77A04} - C:\WINDOWS\system32\iehpphgi.dll (file missing)
O21 - SSODL: 375BCAF0 - {375BCAF0-82A2-4CF5-93E6-2A357B29F688} - C:\WINDOWS\system32\jnlbcafg.dll (file missing)
O21 - SSODL: 7531F389 - {7531F389-1A52-49A0-9F41-325528A4E1CF} - C:\WINDOWS\system32\nljhfjop.dll (file missing)
O21 - SSODL: 341A7E52 - {341A7E52-1C86-4465-8245-EB43932ACF07} - C:\WINDOWS\system32\jkhaneli.dll (file missing)
O21 - SSODL: 2404535B - {2404535B-9305-4837-AC63-AF8DE5A8D94B} - C:\WINDOWS\system32\ikgkljlb.dll (file missing)
O21 - SSODL: C0182C77 - {C0182C77-4467-413A-AD71-5782D8F491AC} - C:\WINDOWS\system32\cghoicnn.dll (file missing)




Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* (do not use any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
File::
C:\DOCUME~1\User\LOCALS~1\Temp\wmsetup.dll
C:\WINDOWS\linkinfo.dll
C:\Program Files\Messenger\msgmr.dll
C:\WINDOWS\Fonts\Framdee.ttf
C:\Documents and Settings\User\Local Settings\temp\eee.cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\a007[1].cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\update[1].cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\BGG3E2T8\gbu[2].gif
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\a006[1].cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\eee[1].cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\FF933K62\update[1].gif
C:\WINDOWS\system32\92.tmp
C:\WINDOWS\temp\NOD102.tmp
C:\WINDOWS\temp\NOD105.tmp
C:\WINDOWS\temp\NOD106.tmp
C:\WINDOWS\temp\NOD107.tmp
C:\WINDOWS\temp\NOD108.tmp
C:\WINDOWS\temp\NOD109.tmp
C:\WINDOWS\temp\NOD10A.tmp
C:\WINDOWS\temp\NOD10C.tmp
C:\WINDOWS\temp\NOD10E.tmp
C:\WINDOWS\temp\NOD10F.tmp
C:\WINDOWS\temp\NODC7.tmp
C:\WINDOWS\temp\NODC9.tmp
C:\WINDOWS\temp\NODCC.tmp
C:\WINDOWS\temp\NODD1.tmp
C:\WINDOWS\temp\NODD3.tmp
C:\WINDOWS\temp\NODD4.tmp
C:\WINDOWS\temp\NODD5.tmp
C:\WINDOWS\temp\NODD6.tmp
C:\WINDOWS\temp\NODDC.tmp
C:\WINDOWS\temp\NODDF.tmp
C:\WINDOWS\temp\NODE0.tmp
C:\WINDOWS\temp\NODE3.tmp
C:\WINDOWS\temp\NODE7.tmp
C:\WINDOWS\temp\NODEA.tmp
C:\WINDOWS\temp\NODF0.tmp
C:\WINDOWS\temp\NODF7.tmp
C:\WINDOWS\temp\NODF8.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[Screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HJT log



How's the computer now?
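The way the helper reads that log (hosts-file entries, AppInit_DLLs, orphaned BHOs and SSODL components pointing at missing files) can be written down as a triage script. This is an added example, not code from the thread or from HijackThis; it runs over constructed sample lines modelled on the log above, and the regexes, the eight-letter DLL heuristic and the placeholder "ExampleShell" entry are this example's own assumptions.

```python
"""Triage a HijackThis 2.0 log for the entry types fixed in the thread above.

Added example, not part of the forum thread or of HijackThis itself. It reads
the log the way a helper does: any hosts entry other than the stock loopback
line, any AppInit_DLLs value at all, any BHO or SSODL whose file is missing,
and any SSODL DLL with a random-looking eight-letter name in system32.
"""
import re

# Constructed sample in HijackThis 2.0.2 format: entries modelled on the log
# quoted in the thread plus two benign ones (the Spybot BHO from the log and a
# made-up SSODL with a placeholder CLSID) so the filter has something to pass.
SAMPLE_LOG = """\
O1 - Hosts: 127.1 localhost
O1 - Hosts: 127.1 ko.ssa387.cn
O1 - Hosts: 127.1 61.134.37.12
O1 - Hosts: 127.1 downloads.zango.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O20 - AppInit_DLLs: HBmhly.dll,eclnnhfj.dll,lclmfcod.dll
O21 - SSODL: EC5771F3 - {EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - C:\\WINDOWS\\system32\\eclnnhfj.dll (file missing)
O21 - SSODL: ExampleShell - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\exampleshell.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (\S+) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# Eight lowercase letters plus .dll: the naming pattern of every SSODL DLL in
# the thread's log. A heuristic, not a rule; legitimate names can match too.
RANDOM_DLL_RE = re.compile(r"(?:^|\\)[a-z]{8}\.dll$")


def expand_inet_aton(addr):
    """Expand classic inet_aton shorthand: '127.1' is 127.0.0.1.

    With fewer than four parts the last number fills the remaining bits
    (a.b -> a is the first octet, b covers the low 24 bits). Anything that
    is not plain dotted decimal is returned unchanged.
    """
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return addr
    nums = [int(p) for p in parts]
    head, tail = nums[:-1], nums[-1]
    tail_bits = 8 * (4 - len(head))
    if any(n > 255 for n in head) or tail >= (1 << tail_bits):
        return addr
    value = tail
    for i, n in enumerate(head):
        value |= n << (32 - 8 * (i + 1))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def triage(log_text):
    """Return (section, reason, line) findings for the lines a helper would fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = expand_inet_aton(m.group(1)), m.group(2).lower()
            # The only hosts entry a stock Windows XP install carries.
            if not (ip == "127.0.0.1" and host == "localhost"):
                findings.append(("O1", "hosts entry pins %s to %s" % (host, ip), line))
            continue
        m = BHO_RE.match(line)
        if m and m.group(3) == "(no file)":
            findings.append(("O2", "BHO %s has no file (orphaned CLSID)" % m.group(1), line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32;
            # on a home machine a non-empty value is itself the finding.
            dlls = [d.strip() for d in m.group(1).split(",") if d.strip()]
            findings.append(("O20", "AppInit_DLLs loads %d DLL(s) into every process" % len(dlls), line))
            continue
        m = SSODL_RE.match(line)
        if m:
            path = m.group(3)
            if path.endswith("(file missing)"):
                findings.append(("O21", "SSODL %s points at a missing file" % m.group(1), line))
            elif RANDOM_DLL_RE.search(path.lower()):
                findings.append(("O21", "SSODL %s loads a random-looking DLL" % m.group(1), line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O1': 3, 'O20': 1}."""
    counts = {}
    for section, _, _ in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, reason, line in found:
        print("%-4s %s\n     %s" % (section, reason, line))
    print(summarize(found))
```

The benign lines (the loopback entry, the Spybot BHO, the placeholder SSODL with a normal file name, the ESET service) produce no finding, which is the check that keeps such a script from flagging an entire log.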

#9 Cazoy

Cazoy

    Member

  • Members
  • 15 posts

Posted 19 January 2009 - 01:40 PM

Before you wrote this, my antivirus made a scan and probably erased something: those O1 and O21 were already gone. And ESET Antivirus still finds trojans n' stuff.

ComboFix:

ComboFix 09-01-17.04 - User 2009-01-19 20:20:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.427 [GMT 2:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: Sygate Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\docume~1\User\LOCALS~1\Temp\wmsetup.dll
c:\documents and settings\User\Local Settings\temp\eee.cab
c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\a007[1].cab
c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\update[1].cab
c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\BGG3E2T8\gbu[2].gif
c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\a006[1].cab
c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\eee[1].cab
c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\FF933K62\update[1].gif
c:\program files\Messenger\msgmr.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\linkinfo.dll
c:\windows\system32\92.tmp
c:\windows\temp\NOD102.tmp
c:\windows\temp\NOD105.tmp
c:\windows\temp\NOD106.tmp
c:\windows\temp\NOD107.tmp
c:\windows\temp\NOD108.tmp
c:\windows\temp\NOD109.tmp
c:\windows\temp\NOD10A.tmp
c:\windows\temp\NOD10C.tmp
c:\windows\temp\NOD10E.tmp
c:\windows\temp\NOD10F.tmp
c:\windows\temp\NODC7.tmp
c:\windows\temp\NODC9.tmp
c:\windows\temp\NODCC.tmp
c:\windows\temp\NODD1.tmp
c:\windows\temp\NODD3.tmp
c:\windows\temp\NODD4.tmp
c:\windows\temp\NODD5.tmp
c:\windows\temp\NODD6.tmp
c:\windows\temp\NODDC.tmp
c:\windows\temp\NODDF.tmp
c:\windows\temp\NODE0.tmp
c:\windows\temp\NODE3.tmp
c:\windows\temp\NODE7.tmp
c:\windows\temp\NODEA.tmp
c:\windows\temp\NODF0.tmp
c:\windows\temp\NODF7.tmp
c:\windows\temp\NODF8.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\AcXtrnel.sdb

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NVMINI
-------\Service_nvmini


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-19 20:01 . 2009-01-19 20:01 <DIR> d-------- C:\HostsXpert
2009-01-19 15:31 . 2009-01-19 15:31 20,336 --ahs---- C:\asdfjlasdjf.dll
2009-01-19 14:46 . 2009-01-19 14:46 <DIR> d-------- c:\windows\Sun
2009-01-18 19:31 . 2009-01-18 19:31 <DIR> d-------- c:\program files\Trend Micro
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\Microsoft
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\User\Application Data\DAEMON Tools Pro
2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-07 21:50 . 2009-01-07 21:50 <DIR> d-------- C:\ProgramData
2009-01-07 21:50 . 2009-01-07 21:50 <DIR> d-------- c:\program files\Electronic Arts
2009-01-07 21:49 . 2009-01-07 21:49 1,108 --a------ c:\windows\system32\ealregsnapshot1.reg
2009-01-07 21:36 . 2009-01-18 16:57 <DIR> d-------- c:\program files\EA Sports
2009-01-02 19:03 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\User\Tracing
2009-01-02 18:55 . 2009-01-02 18:55 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-01-02 18:50 . 2009-01-18 16:53 <DIR> d-------- c:\documents and settings\User\Application Data\vlc
2009-01-02 18:50 . 2009-01-02 18:51 <DIR> d-------- c:\documents and settings\User\Application Data\DAEMON Tools Lite
2008-12-28 23:03 . 2008-12-28 23:03 <DIR> d-------- c:\program files\Microsoft Games
2008-12-23 18:38 . 2009-01-18 16:54 <DIR> d-------- c:\program files\Guitar Pro 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 14:57 --------- d-----w c:\documents and settings\User\Application Data\Microsoft Games
2009-01-18 14:57 --------- d-----w c:\documents and settings\User\Application Data\DAEMON Tools
2009-01-18 14:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-18 14:53 --------- d-----w c:\program files\CCleaner
2009-01-18 14:53 --------- d-----w c:\documents and settings\User\Application Data\vlc
2009-01-18 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 17:01 --------- d-----w c:\program files\Windows Live
2008-12-18 10:55 3,005 ----a-w c:\program files\Common Files\unins000.dat
2008-12-18 10:54 728,858 ----a-w c:\program files\Common Files\unins000.exe
2008-12-17 17:53 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-12-17 17:49 --------- d-----w c:\program files\ATI Technologies
2008-12-17 16:58 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-17 16:58 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-02 13:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-02 09:56 --------- d-----w c:\program files\ESET
2008-12-02 09:38 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-11-28 06:44 --------- d-----w c:\program files\AVG
2008-11-25 14:43 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-03-09 05:25 236 ---ha-w c:\program files\Common Files\dx.reg
2008-09-20 21:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"nodenable"="c:\program files\eset\nodenable.exe" [2008-09-22 326829]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2006-03-28 634880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947]
"ACU"="c:\program files\Atheros WLAN Client\ACU.exe" [2006-02-06 307200]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2006-03-29 27648]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
S3 SSB2413;SSB2413 Wireless Network Adapter Service;c:\windows\system32\drivers\SSB2413.sys [2007-09-05 470112]
S4 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S4 SessionLauncher;SessionLauncher;c:\docume~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2009-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-448539723-1801674531-1003.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-17 16:39]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{BC36F43D-5985-4D88-966C-97507E1A5339} - c:\windows\system32\bcjmfkjd.dll
ShellExecuteHooks-{EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - c:\windows\system32\eclnnhfj.dll
ShellExecuteHooks-{B51E4258-1E43-45A8-8D8F-9C7178BB3423} - c:\windows\system32\blhekilo.dll
ShellExecuteHooks-{0ED1610A-3050-4A92-A789-2BEE0A44CC4F} - c:\windows\system32\gedhmhga.dll
ShellExecuteHooks-{47738B41-069A-4FA7-AAF6-C16AC67952AF} - c:\windows\system32\knnjobkh.dll
ShellExecuteHooks-{64CA65B5-ECC0-4C66-BDFE-32B5C12E6CE9} - c:\windows\system32\mkcamlbl.dll
ShellExecuteHooks-{B61C5FAD-ACEC-4592-8206-A9CECC9B6939} - c:\windows\system32\bmhclfad.dll
ShellExecuteHooks-{5C56FC8D-EEC4-4925-80C3-A42BAB7D91FA} - c:\windows\system32\lclmfcod.dll
ShellExecuteHooks-{D3B0B361-D6C2-4635-8FDF-8AE0319F52FD} - c:\windows\system32\djbgbjmh.dll
ShellExecuteHooks-{A1E37C40-9D14-4A84-AC05-9A7ADC4BEA87} - c:\windows\system32\ahejnckg.dll
ShellExecuteHooks-{F610FDDC-F91E-4702-B317-136D93D65E6C} - c:\windows\system32\fmhgfddc.dll
ShellExecuteHooks-{DE45966D-246F-4BB2-B911-8BB2413ABBAD} - c:\windows\system32\deklpmmd.dll
ShellExecuteHooks-{2E199102-3461-4A5A-B40D-00F008C77A04} - c:\windows\system32\iehpphgi.dll
ShellExecuteHooks-{375BCAF0-82A2-4CF5-93E6-2A357B29F688} - c:\windows\system32\jnlbcafg.dll
ShellExecuteHooks-{7531F389-1A52-49A0-9F41-325528A4E1CF} - c:\windows\system32\nljhfjop.dll
ShellExecuteHooks-{341A7E52-1C86-4465-8245-EB43932ACF07} - c:\windows\system32\jkhaneli.dll
ShellExecuteHooks-{2404535B-9305-4837-AC63-AF8DE5A8D94B} - c:\windows\system32\ikgkljlb.dll
ShellExecuteHooks-{C0182C77-4467-413A-AD71-5782D8F491AC} - c:\windows\system32\cghoicnn.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.neti.ee/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 20:25:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-448539723-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:1f,d7,98,61,6d,fd,af,81,00,3d,24,dd,ef,54,4c,ea,78,22,ea,6d,a8,
3d,b2,2c,73,5b,2e,6c,ae,c0,68,ea,44,9f,00,86,3e,96,dc,0d,40,34,3d,e0,ad,fb,\
"rkeysecu"=hex:37,ac,d3,fe,09,f0,13,51,16,f8,ab,b8,8f,c3,eb,57
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Sygate\SPF\Smc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-19 20:28:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 18:28:01
ComboFix2.txt 2009-01-18 19:36:00

Pre-Run: 23 026 323 456 bytes free
Post-Run: 23,067,189,248 bytes free

219 --- E O F --- 2009-01-17 17:32:10

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33:26, on 19.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros WLAN Client\ACU.exe -nogui
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe /s
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7600 bytes

#10 Juliet (Advanced Member, Trusted Malware Techs, 22,094 posts)

Posted 19 January 2009 - 03:04 PM

Go to My Computer->Tools->Folder Options->View tab:
  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)


Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

C:\asdfjlasdjf.dll <--delete this file, then empty your recycle bin.

Quote (Cazoy): And ESET Antivirus still finds trojans and stuff.

Can you tell me where it says it finds infection: file path or folders?

Your logs are looking good; I'm not seeing anything now.

Edited by Juliet, 19 January 2009 - 03:08 PM.

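The two things Juliet picked out by eye in #9 and #10 can be written down as a check. What follows is an added Python example for this thread, not ComboFix's, HijackThis's or the forum's own code. It parses ComboFix-style log text for (a) ShellExecuteHooks entries under ORPHANS REMOVED whose DLL names look machine-generated (eight random lowercase letters, as in #9, or eight hex digits, as in the Bad Image pop-ups that opened the thread) and (b) "Files Created" entries with hidden+system attributes sitting at the drive root, which is how C:\asdfjlasdjf.dll stood out. The sample log lines are copied from #9 except for the third hook line, whose CLSID and vendor path are constructed so the filter has something to let through; the eight-hex-digit file name used in the usage is constructed as well. The name heuristic is for triage only: a few legitimate Windows DLLs also have eight-letter names, so a hit means "look closer", not "delete".

```python
"""Triage helper for ComboFix-style log text.

Added example for this thread, not ComboFix's, HijackThis's or the forum's
own code. It writes out two of the judgements made by eye above: orphaned
ShellExecuteHooks entries that point at machine-generated DLL names, and a
freshly created hidden+system file sitting at the drive root.
"""
from __future__ import annotations

import re

# Log lines copied from the ComboFix output in #9, plus one constructed entry
# (the third hook, with a made-up CLSID and vendor path) so the filters have
# something to let through. Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
2009-01-19 15:31 . 2009-01-19 15:31 20,336 --ahs---- C:\asdfjlasdjf.dll
2009-01-07 21:49 . 2009-01-07 21:49 1,108 --a------ c:\windows\system32\ealregsnapshot1.reg
2009-01-19 20:01 . 2009-01-19 20:01 <DIR> d-------- C:\HostsXpert
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{BC36F43D-5985-4D88-966C-97507E1A5339} - c:\windows\system32\bcjmfkjd.dll
ShellExecuteHooks-{EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - c:\windows\system32\eclnnhfj.dll
ShellExecuteHooks-{00000000-0000-0000-0000-000000000001} - c:\program files\Example Vendor\exhook.dll
"""

# "ShellExecuteHooks-{CLSID} - <dll path>" as printed under ORPHANS REMOVED.
HOOK_RE = re.compile(
    r"^ShellExecuteHooks-(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.+?)\s*$", re.MULTILINE)

# "Files Created" rows: "<created> . <modified> <size|<DIR>> <attrs> <path>".
# The attribute field is the 9-character flag string ComboFix prints; the
# positions used here are d (directory), a (archive), h (hidden), s (system),
# with '-' when a flag is unset.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?:<DIR>|[\d,]+)\s+([a-z-]{9})\s+(.+?)\s*$", re.MULTILINE)

# Two naming patterns seen in this thread: eight random lowercase letters
# (bcjmfkjd.dll) and eight hex digits (the Bad Image pop-ups). Heuristic
# only: legitimate DLLs such as setupapi.dll and browseui.dll also match.
GENERATED_STEM_RE = re.compile(r"^(?:[a-z]{8}|[0-9A-F]{8})$")


def basename(path: str) -> str:
    """Last path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_generated(path: str) -> bool:
    """True for a .dll whose file-name stem matches either generated pattern."""
    name = basename(path)
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return False
    return ext.lower() == "dll" and GENERATED_STEM_RE.match(stem) is not None


def parse_orphan_hooks(log: str) -> list[tuple[str, str]]:
    """(CLSID, DLL path) for every ShellExecuteHooks orphan line."""
    return HOOK_RE.findall(log)


def parse_created_files(log: str) -> list[tuple[str, str]]:
    """(attribute flags, path) for every 'Files Created' row."""
    return CREATED_RE.findall(log)


def is_drive_root_file(path: str) -> bool:
    """True for paths like C:\\name.ext with no directory component."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


def triage(log: str) -> list[str]:
    """One finding string per entry a human should look at more closely."""
    findings = []
    for clsid, path in parse_orphan_hooks(log):
        if looks_generated(path):
            findings.append(
                f"orphan ShellExecuteHook {clsid} -> {path}: generated-looking DLL name")
    for attrs, path in parse_created_files(log):
        hidden_system = "h" in attrs and "s" in attrs and "d" not in attrs
        if hidden_system and (is_drive_root_file(path) or looks_generated(path)):
            findings.append(f"new hidden+system file {path} ({attrs})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    # Constructed name in the style of the Bad Image pop-ups, to show the hex rule.
    print(looks_generated(r"C:\WINDOWS\system32\0A1B2C3D.dll"))
```

Run it against a saved C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents; on the log in #9 it reports the eighteen orphaned hooks and C:\asdfjlasdjf.dll, and nothing else in the "Files Created" section.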

#11 Cazoy (Member, 15 posts)

Posted 19 January 2009 - 04:02 PM

Where can I find this folder called Bold? I can't find it... :(
I did all that you told me but still can't find this folder. Right now the antivirus is normal, no errors.

Edited by Cazoy, 19 January 2009 - 04:34 PM.


#12 Juliet (Advanced Member, Trusted Malware Techs, 22,094 posts)

Posted 19 January 2009 - 04:42 PM

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders (that stands for file or folder) in bold

In your case it's just a file.

C:\asdfjlasdjf.dll <--delete this file, then empty your recycle bin.

#13 Cazoy (Member, 15 posts)

Posted 19 January 2009 - 04:55 PM

Sorry for my misunderstanding, but now it's done as you told me. What is the next step?

#14 Juliet (Advanced Member, Trusted Malware Techs, 22,094 posts)

Posted 19 January 2009 - 06:40 PM

Well, it looks good on my end, and you say the antivirus alerts have stopped.

Don't miss or skip this next step; it will remove malicious files from quarantine and set a clean restore point.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

I think you're good to go, good job!




Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


Firefox 2.0
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

How to prevent Malware: Created by Miekiemoes

Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


Read this article 'Safe Computing Practices'.
So how did I get infected in the first place.

Secure My Computer: A Layered Approach

Strong passwords: How to create and use them

Free Antivirus-AntiSpyware-Firewall Software
Slow Computer May Not Be Malware Related, Help! My computer is slow!
http://users.telenet...owcomputer.html


PC Safety and Security--What Do I Need?
http://www.techsuppo...-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

#15 Cazoy (Member, 15 posts)

Posted 20 January 2009 - 06:45 AM

Can't thank you enough! Good job to you too! But do I keep the following programs: ComboFix, HijackThis, HostsXpert? Or can I erase these programs? And once again, thank you for your help.

#16 Juliet (Advanced Member, Trusted Malware Techs, 22,094 posts)

Posted 20 January 2009 - 09:12 AM

If you followed the below, ComboFix will be removed and a clean restore point set.

Don't miss or skip this next step; it will remove malicious files from quarantine and set a clean restore point.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

You can delete HijackThis and HostsXpert, though neither one takes space or resources.

#17 Cazoy (Member, 15 posts)

Posted 20 January 2009 - 09:50 AM

Okay, I really appreciate what you have done, and once again, thanks.

#18 Juliet (Advanced Member, Trusted Malware Techs, 22,094 posts)

Posted 20 January 2009 - 09:52 AM

Glad we could help.