Cazoy

Bad Image problem!{Resolved}


Cazoy   

Hey!

Some time ago I had problems with spyware, so I used many different anti-spyware and antivirus programs. And somehow I managed to control this, but now every time I start my computer or use SpyBot, I get these Bad Image errors.

Now I'll write exactly what they show me (it's a bunch of errors, in this exact order):

1.C:\WINDOWS\system32\950D1600.dll

2.C:\WINDOWS\system32\F8E07BB2.dll

3.C:\WINDOWS\system32\AD794E6B.dll

4.C:\WINDOWS\system32\A1A6BC2E.dll

5.C:\WINDOWS\system32\08223B03.dll

6.C:\WINDOWS\system32\BA7EDF54.dll

7.C:\WINDOWS\system32\B8E83D3C.dll

 

I'll post here what the HijackThis log showed:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:39:35, on 18.01.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Atheros WLAN Client\ACU.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros WLAN Client\ACU.exe -nogui

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe /s

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: 01AFE3DC.dll,acaptuser32.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe

O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

 

--

End of file - 7933 bytes

 

I'm really thankful if somebody can make those annoying errors disappear.

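The error list and the HijackThis log above show the pattern a responder looks for: DLLs named with eight hex digits sitting in system32, one of them injected into every process through the O20 AppInit_DLLs entry, plus orphaned registrations that point at files which no longer exist. As an added example (not part of this thread, and not a HijackThis or ComboFix feature), here is a small Python triage script that reads HijackThis-style lines and flags those indicators. The sample lines are copied from the log posted in this thread; the rule set and the severity labels are this example's own choices, not any tool's standard.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis feature).

Flags the indicators visible in this thread's logs:
  * DLLs whose file name is exactly eight hex digits (950D1600.dll, 01AFE3DC.dll, ...),
    the naming seen in the "Bad Image" errors and in the AppInit_DLLs entry;
  * every DLL listed under O20 AppInit_DLLs, because each one is loaded into every
    process that maps user32.dll (the hex-named one is rated high, others "review");
  * entries whose target is "(no file)" / "(file missing)": orphaned registrations;
  * services or autoruns whose executable lives under a Temp directory.
"""
import re

# Eight hex digits followed by .dll, as a whole file name.
HEX_DLL = re.compile(r"\b[0-9A-Fa-f]{8}\.dll\b")
# HijackThis line prefix: section code, " - ", body.
SECTION = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
# Executable path inside a per-user Temp directory (8.3 or long form).
TEMP_PATH = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O20 - AppInit_DLLs: 01AFE3DC.dll,acaptuser32.dll
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_line(line):
    """Return (section, body) for an 'Oxx - body' line, or None for any other text."""
    m = SECTION.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def hex_named_dlls(text):
    """Eight-hex-digit DLL names found in text, deduplicated (case-insensitive), in order."""
    found = []
    for name in HEX_DLL.findall(text):
        if name.upper() not in (f.upper() for f in found):
            found.append(name)
    return found


def triage(log_text):
    """Return (severity, reason, line) findings for a log, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # headers, process lists and blank lines carry no entry
        section, body = parsed
        line = raw.strip()
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every AppInit DLL deserves review; a hex-named one matches the infection pattern.
            dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
            for d in dlls:
                sev = "high" if HEX_DLL.fullmatch(d) else "medium"
                findings.append((sev, f"AppInit_DLLs loads {d}", line))
            continue
        names = hex_named_dlls(body)
        if names:
            findings.append(("high", "hex-named DLL " + ", ".join(names), line))
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("low", "orphaned entry, target missing", line))
        if TEMP_PATH.search(body):
            findings.append(("medium", "executable under a Temp directory", line))
    # sort() is stable, so entries keep their log order within each severity.
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against a full HijackThis log the script prints the O20 entry for 01AFE3DC.dll first, the SessionLauncher service (running from Temp, file missing) and the orphaned WormRadar BHO below it, and stays silent on the ESET and Spybot lines; it is a reading aid for the log, not a cleaner, and does not touch the system.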
Juliet   

Hi and welcome

 

 

Download Combofix from any of the links below. Save it to your desktop.

 

Link 1

Link 2

Link 3

 

 

--------------------------------------------------------------------

 

Double click on Combo-Fix.exe & follow the prompts.

 

** Please Note:

At times ComboFix may appear to stall, please be patient.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Cazoy   

ComboFix:

 

ComboFix 09-01-17.04 - User 2009-01-18 21:28:01.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.270 [GMT 2:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

FW: Sygate Personal Firewall *enabled*

* Created a new restore point

* Resident AV is active

 

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\AppPatch\AcSpecf.sdb

c:\windows\system32\08223B03.cfg

c:\windows\system32\08223B03.dll

c:\windows\system32\122B901E.cfg

c:\windows\system32\201476D0.cfg

c:\windows\system32\2EF0D734.cfg

c:\windows\system32\34A25F04.cfg

c:\windows\system32\4D023DE9.cfg

c:\windows\system32\56BC86C7.cfg

c:\windows\system32\5934EA2B.cfg

c:\windows\system32\66AFCB56.cfg

c:\windows\system32\8566F82E.cfg

c:\windows\system32\950D1600.cfg

c:\windows\system32\950D1600.dll

c:\windows\system32\9CA963CA.cfg

c:\windows\system32\A1A6BC2E.cfg

c:\windows\system32\A1A6BC2E.dll

c:\windows\system32\A55F538E.cfg

c:\windows\system32\advapi32new.dll

c:\windows\system32\apphelpnew.dll

c:\windows\system32\avrt.dll

c:\windows\system32\B3721C07.cfg

c:\windows\system32\B8E83D3C.cfg

c:\windows\system32\B8E83D3C.dll

c:\windows\system32\BA7EDF54.cfg

c:\windows\system32\BA7EDF54.dll

c:\windows\system32\crypt32new.dll

c:\windows\system32\d3d10core.dll

c:\windows\system32\D3DX10d_39.dll

c:\windows\system32\DA63E650.cfg

c:\windows\system32\DFB3DAC5.cfg

c:\windows\system32\DFEC5CB7.cfg

c:\windows\system32\drivers\HBKernel32.sys

c:\windows\system32\dwmapi.dll

c:\windows\system32\dxgi.dll

c:\windows\system32\E0D39066.cfg

c:\windows\system32\E1D19FCC.cfg

c:\windows\system32\F8E07BB2.cfg

c:\windows\system32\kernel32new.dll

c:\windows\system32\msvcrtnew.dll

c:\windows\system32\ntdsapinew.dll

c:\windows\system32\powrprofnew.dll

c:\windows\system32\secur32new.dll

c:\windows\system32\unxxx.bat

c:\windows\system32\user32new.dll

c:\windows\system32\winstanew.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_B160485

-------\Legacy_D812A079

-------\Service_b160485

-------\Service_d812a079

-------\Service_f35ee9e

-------\Service_HBKernel32

 

 

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))

.

 

2009-01-18 19:31 . 2009-01-18 19:31 <DIR> d-------- c:\program files\Trend Micro

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\Windows Live SkyDrive

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\Microsoft

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\DAEMON Tools Lite

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\User\Application Data\DAEMON Tools Pro

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-01-07 21:50 . 2009-01-07 21:50 <DIR> d-------- C:\ProgramData

2009-01-07 21:50 . 2009-01-07 21:50 <DIR> d-------- c:\program files\Electronic Arts

2009-01-07 21:49 . 2009-01-07 21:49 1,108 --a------ c:\windows\system32\ealregsnapshot1.reg

2009-01-07 21:36 . 2009-01-18 16:57 <DIR> d-------- c:\program files\EA Sports

2009-01-02 19:03 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\User\Tracing

2009-01-02 18:55 . 2009-01-02 18:55 <DIR> d-------- c:\program files\Common Files\Windows Live

2009-01-02 18:50 . 2009-01-18 16:53 <DIR> d-------- c:\documents and settings\User\Application Data\vlc

2009-01-02 18:50 . 2009-01-02 18:51 <DIR> d-------- c:\documents and settings\User\Application Data\DAEMON Tools Lite

2008-12-28 23:03 . 2008-12-28 23:03 <DIR> d-------- c:\program files\Microsoft Games

2008-12-23 18:38 . 2009-01-18 16:54 <DIR> d-------- c:\program files\Guitar Pro 5

2008-12-18 14:53 . 2008-03-26 20:49 2,863,616 --a------ c:\windows\system32\drivers\ati2mtag.sys

2008-12-18 14:20 . 2008-12-18 14:20 <DIR> d-------- C:\AMD

2008-12-18 14:03 . 2008-04-22 22:20 1,584,149 --a------ c:\windows\system32\setupapinew.dll

2008-12-18 14:03 . 2006-11-02 12:47 1,162,656 --a------ c:\windows\system32\ntdllnew.dll

2008-12-18 14:03 . 2008-05-04 17:42 789,525 --a------ c:\windows\system32\rpcrt4new.dll

2008-12-18 14:03 . 2007-04-18 02:13 25,037 --a------ c:\windows\system32\Nucleus.dll

2008-12-18 14:03 . 2008-03-09 07:25 236 --ah----- c:\program files\Common Files\dx.reg

2008-12-18 12:55 . 2008-12-18 12:54 728,858 --a------ c:\program files\Common Files\unins000.exe

2008-12-18 12:55 . 2008-12-18 12:55 3,005 --a------ c:\program files\Common Files\unins000.dat

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-18 14:57 --------- d-----w c:\documents and settings\User\Application Data\Microsoft Games

2009-01-18 14:57 --------- d-----w c:\documents and settings\User\Application Data\DAEMON Tools

2009-01-18 14:56 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-18 14:53 --------- d-----w c:\program files\CCleaner

2009-01-18 14:53 --------- d-----w c:\documents and settings\User\Application Data\vlc

2009-01-18 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-02 17:01 --------- d-----w c:\program files\Windows Live

2008-12-17 17:53 --------- d-----w c:\documents and settings\All Users\Application Data\ATI

2008-12-17 17:49 --------- d-----w c:\program files\ATI Technologies

2008-12-17 16:58 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-12-17 16:58 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-02 13:01 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-02 09:56 --------- d-----w c:\program files\ESET

2008-12-02 09:38 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8

2008-11-28 06:44 --------- d-----w c:\program files\AVG

2008-11-25 14:43 --------- d-----w c:\documents and settings\All Users\Application Data\ESET

2008-09-20 21:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"nodenable"="c:\program files\eset\nodenable.exe" [2008-09-22 326829]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-11-13 2105176]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2006-03-28 634880]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947]

"ACU"="c:\program files\Atheros WLAN Client\ACU.exe" [2006-02-06 307200]

"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]

R3 SSB2413;SSB2413 Wireless Network Adapter Service;c:\windows\system32\drivers\SSB2413.sys [2007-09-05 470112]

R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]

R4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]

S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2006-03-29 27648]

S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]

S4 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]

S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]

S4 SessionLauncher;SessionLauncher;c:\docume~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe []

 

2009-01-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-448539723-1801674531-1003.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-17 16:39]

.

- - - - ORPHANS REMOVED - - - -

 

ShellExecuteHooks-{AD794E6B-90B7-4F9D-8FD6-0C16E3298FF2} - AD794E6B.dll

ShellExecuteHooks-{B8E83D3C-9466-4091-9AD1-1F89418A6EB7} - B8E83D3C.dll

ShellExecuteHooks-{E1D19FCC-4777-4D71-B863-6A0A5B4E59BC} - E1D19FCC.dll

ShellExecuteHooks-{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96} - 4FBFD5A4.dll

ShellExecuteHooks-{93DEE065-EC9B-4505-ADD3-19880AD3C38F} - 93DEE065.dll

ShellExecuteHooks-{29EA67E0-9EE5-4D1A-A056-5B7BDAC4CF97} - 29EA67E0.dll

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.neti.ee/

uInternet Connection Wizard,ShellNext = iexplore

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-18 21:33:00

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1547161642-448539723-1801674531-1003\Software\SecuROM\License information*]

"datasecu"=hex:1f,d7,98,61,6d,fd,af,81,00,3d,24,dd,ef,54,4c,ea,78,22,ea,6d,a8,

3d,b2,2c,73,5b,2e,6c,ae,c0,68,ea,44,9f,00,86,3e,96,dc,0d,40,34,3d,e0,ad,fb,\

"rkeysecu"=hex:37,ac,d3,fe,09,f0,13,51,16,f8,ab,b8,8f,c3,eb,57

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(640)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Sygate\SPF\Smc.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\acs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2009-01-18 21:35:59 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-18 19:35:57

 

Pre-Run: 22 768 660 480 bytes free

Post-Run: 22,655,262,720 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

225 --- E O F --- 2009-01-17 17:32:10

 

HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:39:47, on 18.01.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros WLAN Client\ACU.exe -nogui

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe /s

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe

O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

 

--

End of file - 7530 bytes

Juliet   

Welcome back

 

 

Please download ATF Cleaner by Atribune from here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

========================

 

 

 

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, please be patient.

 

*Note

It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

 

Other available links

Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition

    files.

  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)

    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.

    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

  • Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:

Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note.. for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

 

 

In your next reply post:

Kaspersky log

New HJT log taken after the above scans have run

 

 

How's the computer now?

Cazoy   

Right now my computer seems to be working fine, no bad image errors after I installed ComboFix. Today I have plenty of free time to perform the actions you suggested.

Cazoy   

Kaspersky:

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Monday, January 19, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Monday, January 19, 2009 11:28:44

Records in database: 1647067

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

 

Scan statistics:

Files scanned: 74804

Threat name: 30

Infected objects: 43

Suspicious objects: 0

Duration of the scan: 01:42:56

 

 

File name / Threat name / Threats count

C:\DOCUME~1\User\LOCALS~1\Temp\wmsetup.dll/C:\DOCUME~1\User\LOCALS~1\Temp\wmsetup.dll Infected: Trojan-Downloader.Win32.Murlo.nn 2

C:\WINDOWS\linkinfo.dll/C:\WINDOWS\linkinfo.dll Infected: Trojan-Downloader.Win32.Agent.bsi 1

C:\Program Files\Messenger\msgmr.dll/C:\Program Files\Messenger\msgmr.dll Infected: Trojan-Downloader.Win32.Agent.yuv 2

C:\WINDOWS\Fonts\Framdee.ttf/C:\WINDOWS\Fonts\Framdee.ttf Infected: Trojan-Downloader.Win32.Small.yvn 2

C:\Documents and Settings\User\Local Settings\temp\eee.cab Infected: Trojan-Downloader.Win32.Small.aacq 1

C:\Documents and Settings\User\Local Settings\temp\wmsetup.dll Infected: Trojan-Downloader.Win32.Murlo.nn 1

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\a007[1].cab Infected: Trojan-Dropper.Win32.Small.axv 1

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\update[1].cab Infected: Trojan-Downloader.Win32.Small.aacq 1

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\BGG3E2T8\gbu[2].gif Infected: Trojan-Downloader.Win32.Murlo.nn 1

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\a006[1].cab Infected: Trojan-Downloader.Win32.Agent.wxq 1

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\eee[1].cab Infected: Trojan-Downloader.Win32.Small.aacq 1

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\FF933K62\update[1].gif Infected: Trojan-Downloader.Win32.Small.aacq 1

C:\WINDOWS\system32\92.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ultz 1

C:\WINDOWS\temp\NOD102.tmp Infected: Trojan-Downloader.Win32.Murlo.nn 1

C:\WINDOWS\temp\NOD105.tmp Infected: Trojan-Downloader.Win32.Agent.bsi 1

C:\WINDOWS\temp\NOD106.tmp Infected: Trojan-GameThief.Win32.WOW.ekr 1

C:\WINDOWS\temp\NOD107.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ulur 1

C:\WINDOWS\temp\NOD108.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uhce 1

C:\WINDOWS\temp\NOD109.tmp Infected: Trojan-Downloader.Win32.Small.yvn 1

C:\WINDOWS\temp\NOD10A.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ubsp 1

C:\WINDOWS\temp\NOD10C.tmp Infected: Trojan.Win32.SmallGame.cb 1

C:\WINDOWS\temp\NOD10E.tmp Infected: Trojan.Win32.SmallGame.bp 1

C:\WINDOWS\temp\NOD10F.tmp Infected: Trojan.Win32.SmallGame.bz 1

C:\WINDOWS\temp\NODC7.tmp Infected: Trojan.Win32.Qhost.kmd 1

C:\WINDOWS\temp\NODC9.tmp Infected: Trojan.Win32.Agent.amol 1

C:\WINDOWS\temp\NODCC.tmp Infected: Trojan-Downloader.Win32.Agent.yuv 1

C:\WINDOWS\temp\NODD1.tmp Infected: not-a-virus:AdWare.Win32.BHO.dai 1

C:\WINDOWS\temp\NODD3.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ukzl 1

C:\WINDOWS\temp\NODD4.tmp Infected: Trojan-GameThief.Win32.OnLineGames.bkpd 1

C:\WINDOWS\temp\NODD5.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uiwr 1

C:\WINDOWS\temp\NODD6.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uhbb 1

C:\WINDOWS\temp\NODDC.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ultz 1

C:\WINDOWS\temp\NODDF.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uiwo 1

C:\WINDOWS\temp\NODE0.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ujrl 1

C:\WINDOWS\temp\NODE3.tmp Infected: Trojan-GameThief.Win32.OnLineGames.uhvp 1

C:\WINDOWS\temp\NODE7.tmp Infected: Trojan.Win32.Agent.bgnk 1

C:\WINDOWS\temp\NODEA.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ulfx 1

C:\WINDOWS\temp\NODF0.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ulja 1

C:\WINDOWS\temp\NODF7.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ujug 1

C:\WINDOWS\temp\NODF8.tmp Infected: Trojan-GameThief.Win32.OnLineGames.ulvo 1

 

The selected area was scanned.

 

 

HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:05:10, on 19.01.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Atheros WLAN Client\ACU.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\cmd.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn

O1 - Hosts: 127.1 61.134.37.12

O1 - Hosts: 127.1 ko.ssa387.cn

O1 - Hosts: 127.1 www.ndxrr.cn

O1 - Hosts: 127.1 12345.ssa387.cn

O1 - Hosts: 127.1 lihai88.com

O1 - Hosts: 127.1 wwwwhf.cn

O1 - Hosts: 127.1 a89369093.sq.u9idc.com

O1 - Hosts: 127.1 www.mmd178.cn

O1 - Hosts: 127.1 www.178mmd.cn

O1 - Hosts: 127.1 www.wenzhuoyyy.cn

O1 - Hosts: 127.1 tw.lovechina.tw.cn

O1 - Hosts: 127.1 222.189.238.151

O1 - Hosts: 127.1 222.179.185.78

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 593ffcey.cn

O1 - Hosts: 127.1 set.yay520.cn

O1 - Hosts: 127.1 tenmoc999.cn

O1 - Hosts: 127.1 lihai88.com

O1 - Hosts: 127.1 121.kcuf-01.com

O1 - Hosts: 127.1 www.ew1q.cn

O1 - Hosts: 127.1 www.b3sk.cn

O1 - Hosts: 127.1 up.bizmd.cn

O1 - Hosts: 127.1 www.ms2a.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 www.fgetchr.cn

O1 - Hosts: 127.1 www.e6zx.cn

O1 - Hosts: 127.1 hai067.com

O1 - Hosts: 127.1 hai088.com

O1 - Hosts: 127.1 778899.jd8j.cn

O1 - Hosts: 127.1 sql.78-11.net

O1 - Hosts: 127.1 www.bbbirdy.com

O1 - Hosts: 127.1 www.s1na1.com.cn

O1 - Hosts: 127.1 www.dianyinjzd.cn

O1 - Hosts: 127.1 www.dj5201314dj.com

O1 - Hosts: 127.1 max-2.cn

O1 - Hosts: 127.1 a.asp-o.cn

O1 - Hosts: 127.1 b.asp-o.cn

O1 - Hosts: 127.1 c.asp-o.cn

O1 - Hosts: 127.1 x.kprobb.cn

O1 - Hosts: 127.1 js.php-k.cn

O1 - Hosts: 127.1 max-1.cn

O1 - Hosts: 127.1 max-3.cn

O1 - Hosts: 127.1 max-4.cn

O1 - Hosts: 127.1 max-5.cn

O1 - Hosts: 127.1 max-6.cn

O1 - Hosts: 127.1 max-7.cn

O1 - Hosts: 127.1 max-8.cn

O1 - Hosts: 127.1 max-9.cn

O1 - Hosts: 127.1 max-10.cn

O1 - Hosts: 127.1 max-11.cn

O1 - Hosts: 127.1 max-12.cn

O1 - Hosts: 127.1 twocannon250.com.cn

O1 - Hosts: 127.1 www.133mm.cn

O1 - Hosts: 127.1 www.51vmm.cn

O1 - Hosts: 127.1 www.7mmoo.cn

O1 - Hosts: 127.1 www.99mmm.org.cn

O1 - Hosts: 127.1 www.hdec.cn

O1 - Hosts: 127.1 www.picc18.com

O1 - Hosts: 127.1 www.kissdh.com

O1 - Hosts: 127.1 www.x7v.cn

O1 - Hosts: 127.1 biqulu.cn

O1 - Hosts: 127.1 2008.qq2006.com.cn

O1 - Hosts: 127.1 giaitrisex.com

O1 - Hosts: 127.1 www.giaitrisex.com

O1 - Hosts: 127.1 www.giaitrituoitre.net

O1 - Hosts: 127.1 mekiep.com

O1 - Hosts: 127.1 www.1sex1day.com

O1 - Hosts: 127.1 a.9ymm.com

O1 - Hosts: 127.1 bobo.7wyt.com

O1 - Hosts: 127.1 www.591caobi.cn

O1 - Hosts: 127.1 www.hrz008.cn

O1 - Hosts: 127.1 asp-15.cn

O1 - Hosts: 127.1 asp-12.cn

O1 - Hosts: 127.1 www.jb88.net

O1 - Hosts: 127.1 6.a88a.com

O1 - Hosts: 127.1 w.b2c3.cn

O1 - Hosts: 127.1 m.c5x8.com

O1 - Hosts: 127.1 www.518sfw.cn

O1 - Hosts: 127.1 www.jjyyzmj.cn

O1 - Hosts: 127.1 u.cnmrx.net

O1 - Hosts: 127.1 duowan.czm.cn

O1 - Hosts: 127.1 xccxcxcxcxcx.cn

O1 - Hosts: 127.1 google-yahoo.org.cn

O1 - Hosts: 127.1 tudou-net.org.cn

O1 - Hosts: 127.1 downloads.zango.com

O1 - Hosts: 127.1 ftp.surfnet.nl

O1 - Hosts: 127.1 bis.180solutions.com

O1 - Hosts: 127.1 installs.hotbar.com

O1 - Hosts: 127.1 www.hbdownloads.com

O1 - Hosts: 127.1 static.zangocash.com

O1 - Hosts: 127.1 www.qq-songli.cn

O1 - Hosts: 127.1 aa.9234.net

O1 - Hosts: 127.1 www.97love.info

O1 - Hosts: 127.1 97love.info

O1 - Hosts: 127.1 www.zyzhuiku.cn

O1 - Hosts: 127.1 zyzhuiku.cn

O1 - Hosts: 127.1 www.lang18.com

O1 - Hosts: 127.1 lang18.com

O1 - Hosts: 127.1 sao6666.com

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros WLAN Client\ACU.exe -nogui

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe /s

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: HBmhly.dll,HBCHIBI.dll,eclnnhfj.dll,lclmfcod.dll,knnjobkh.dll,gedhmhga.dll,mkcamlbl.dll,bmhclfad.dll,bcjmfkjd.dll,blhekilo.dll,djbgbjmh.dll,HBSHQ.dll,ahejnckg.dll,fmhgfddc.dll,HBWULIN2.dll,deklpmmd.dll,iehpphgi.dll,jnlbcafg.dll,nljhfjop.dll,jkhaneli.dll,ikgkljlb.dll,cghoicnn.dll

O21 - SSODL: EC5771F3 - {EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - C:\WINDOWS\system32\eclnnhfj.dll (file missing)

O21 - SSODL: B51E4258 - {B51E4258-1E43-45A8-8D8F-9C7178BB3423} - C:\WINDOWS\system32\blhekilo.dll (file missing)

O21 - SSODL: BC36F43D - {BC36F43D-5985-4D88-966C-97507E1A5339} - C:\WINDOWS\system32\bcjmfkjd.dll (file missing)

O21 - SSODL: 0ED1610A - {0ED1610A-3050-4A92-A789-2BEE0A44CC4F} - C:\WINDOWS\system32\gedhmhga.dll (file missing)

O21 - SSODL: 47738B41 - {47738B41-069A-4FA7-AAF6-C16AC67952AF} - C:\WINDOWS\system32\knnjobkh.dll (file missing)

O21 - SSODL: 64CA65B5 - {64CA65B5-ECC0-4C66-BDFE-32B5C12E6CE9} - C:\WINDOWS\system32\mkcamlbl.dll (file missing)

O21 - SSODL: B61C5FAD - {B61C5FAD-ACEC-4592-8206-A9CECC9B6939} - C:\WINDOWS\system32\bmhclfad.dll (file missing)

O21 - SSODL: 5C56FC8D - {5C56FC8D-EEC4-4925-80C3-A42BAB7D91FA} - C:\WINDOWS\system32\lclmfcod.dll (file missing)

O21 - SSODL: D3B0B361 - {D3B0B361-D6C2-4635-8FDF-8AE0319F52FD} - C:\WINDOWS\system32\djbgbjmh.dll (file missing)

O21 - SSODL: A1E37C40 - {A1E37C40-9D14-4A84-AC05-9A7ADC4BEA87} - C:\WINDOWS\system32\ahejnckg.dll (file missing)

O21 - SSODL: F610FDDC - {F610FDDC-F91E-4702-B317-136D93D65E6C} - C:\WINDOWS\system32\fmhgfddc.dll (file missing)

O21 - SSODL: DE45966D - {DE45966D-246F-4BB2-B911-8BB2413ABBAD} - C:\WINDOWS\system32\deklpmmd.dll (file missing)

O21 - SSODL: 2E199102 - {2E199102-3461-4A5A-B40D-00F008C77A04} - C:\WINDOWS\system32\iehpphgi.dll (file missing)

O21 - SSODL: 375BCAF0 - {375BCAF0-82A2-4CF5-93E6-2A357B29F688} - C:\WINDOWS\system32\jnlbcafg.dll (file missing)

O21 - SSODL: 7531F389 - {7531F389-1A52-49A0-9F41-325528A4E1CF} - C:\WINDOWS\system32\nljhfjop.dll (file missing)

O21 - SSODL: 341A7E52 - {341A7E52-1C86-4465-8245-EB43932ACF07} - C:\WINDOWS\system32\jkhaneli.dll (file missing)

O21 - SSODL: 2404535B - {2404535B-9305-4837-AC63-AF8DE5A8D94B} - C:\WINDOWS\system32\ikgkljlb.dll (file missing)

O21 - SSODL: C0182C77 - {C0182C77-4467-413A-AD71-5782D8F491AC} - C:\WINDOWS\system32\cghoicnn.dll (file missing)

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe

O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

 

--

End of file - 13919 bytes

Juliet   

Welcome back

 

Download the HostsXpert 4.3 - Hosts File Manager.

 

http://www.funkytoad.com/index.php?option=...=13&Itemid=

 

* Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert

* Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home

* Click "Make Hosts Writable?" in the upper corner (If available).

 

* Next Click Restore Microsoft's Hosts files and then click OK.

* Click the X to exit the program.

* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

 

Tutorial, go here:

http://i28.photobucket.com/albums/c227/tet...HostsXpert4.jpg

 

 

 

 

 

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

(If Spybot should give you any problems just uninstall it for now)

# Open Spybot Search & Destroy.

# In the Mode menu click "Advanced mode" if not already selected.

# Choose "Yes" at the Warning prompt.

# Expand the "Tools" menu.

# Click "Resident".

# Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.

# In the File menu click "Exit" to exit Spybot Search & Destroy.

 

* See this link for a tutorial http://russelltexas.com/malware/teatimer.htm

 

 

 

 

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

 

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)

 

O20 - AppInit_DLLs: HBmhly.dll,HBCHIBI.dll,eclnnhfj.dll,lclmfcod.dll,knnjobkh.dll,gedhmhga.dll,mkcamlbl.dll,bmhclfad.dll,bcjmfkjd.dll,blhekilo.dll,djbgbjmh.dll,HBSHQ.dll,ahejnckg.dll,fmhgfddc.dll,HBWULIN2.dll,deklpmmd.dll,iehpphgi.dll,jnlbcafg.dll,nljhfjop.dll,jkhaneli.dll,ikgkljlb.dll,cghoicnn.dll

 

O21 - SSODL: EC5771F3 - {EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - C:\WINDOWS\system32\eclnnhfj.dll (file missing)

O21 - SSODL: B51E4258 - {B51E4258-1E43-45A8-8D8F-9C7178BB3423} - C:\WINDOWS\system32\blhekilo.dll (file missing)

O21 - SSODL: BC36F43D - {BC36F43D-5985-4D88-966C-97507E1A5339} - C:\WINDOWS\system32\bcjmfkjd.dll (file missing)

O21 - SSODL: 0ED1610A - {0ED1610A-3050-4A92-A789-2BEE0A44CC4F} - C:\WINDOWS\system32\gedhmhga.dll (file missing)

O21 - SSODL: 47738B41 - {47738B41-069A-4FA7-AAF6-C16AC67952AF} - C:\WINDOWS\system32\knnjobkh.dll (file missing)

O21 - SSODL: 64CA65B5 - {64CA65B5-ECC0-4C66-BDFE-32B5C12E6CE9} - C:\WINDOWS\system32\mkcamlbl.dll (file missing)

O21 - SSODL: B61C5FAD - {B61C5FAD-ACEC-4592-8206-A9CECC9B6939} - C:\WINDOWS\system32\bmhclfad.dll (file missing)

O21 - SSODL: 5C56FC8D - {5C56FC8D-EEC4-4925-80C3-A42BAB7D91FA} - C:\WINDOWS\system32\lclmfcod.dll (file missing)

O21 - SSODL: D3B0B361 - {D3B0B361-D6C2-4635-8FDF-8AE0319F52FD} - C:\WINDOWS\system32\djbgbjmh.dll (file missing)

O21 - SSODL: A1E37C40 - {A1E37C40-9D14-4A84-AC05-9A7ADC4BEA87} - C:\WINDOWS\system32\ahejnckg.dll (file missing)

O21 - SSODL: F610FDDC - {F610FDDC-F91E-4702-B317-136D93D65E6C} - C:\WINDOWS\system32\fmhgfddc.dll (file missing)

O21 - SSODL: DE45966D - {DE45966D-246F-4BB2-B911-8BB2413ABBAD} - C:\WINDOWS\system32\deklpmmd.dll (file missing)

O21 - SSODL: 2E199102 - {2E199102-3461-4A5A-B40D-00F008C77A04} - C:\WINDOWS\system32\iehpphgi.dll (file missing)

O21 - SSODL: 375BCAF0 - {375BCAF0-82A2-4CF5-93E6-2A357B29F688} - C:\WINDOWS\system32\jnlbcafg.dll (file missing)

O21 - SSODL: 7531F389 - {7531F389-1A52-49A0-9F41-325528A4E1CF} - C:\WINDOWS\system32\nljhfjop.dll (file missing)

O21 - SSODL: 341A7E52 - {341A7E52-1C86-4465-8245-EB43932ACF07} - C:\WINDOWS\system32\jkhaneli.dll (file missing)

O21 - SSODL: 2404535B - {2404535B-9305-4837-AC63-AF8DE5A8D94B} - C:\WINDOWS\system32\ikgkljlb.dll (file missing)

O21 - SSODL: C0182C77 - {C0182C77-4467-413A-AD71-5782D8F491AC} - C:\WINDOWS\system32\cghoicnn.dll (file missing)

 

 

 

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File:: 
C:\DOCUME~1\User\LOCALS~1\Temp\wmsetup.dll
C:\WINDOWS\linkinfo.dll
C:\Program Files\Messenger\msgmr.dll
C:\WINDOWS\Fonts\Framdee.ttf
C:\Documents and Settings\User\Local Settings\temp\eee.cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\a007[1].cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\update[1].cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\BGG3E2T8\gbu[2].gif
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\a006[1].cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\eee[1].cab
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\FF933K62\update[1].gif
C:\WINDOWS\system32\92.tmp
C:\WINDOWS\temp\NOD102.tmp
C:\WINDOWS\temp\NOD105.tmp
C:\WINDOWS\temp\NOD106.tmp
C:\WINDOWS\temp\NOD107.tmp
C:\WINDOWS\temp\NOD108.tmp
C:\WINDOWS\temp\NOD109.tmp
C:\WINDOWS\temp\NOD10A.tmp
C:\WINDOWS\temp\NOD10C.tmp
C:\WINDOWS\temp\NOD10E.tmp
C:\WINDOWS\temp\NOD10F.tmp
C:\WINDOWS\temp\NODC7.tmp
C:\WINDOWS\temp\NODC9.tmp
C:\WINDOWS\temp\NODCC.tmp
C:\WINDOWS\temp\NODD1.tmp
C:\WINDOWS\temp\NODD3.tmp
C:\WINDOWS\temp\NODD4.tmp
C:\WINDOWS\temp\NODD5.tmp
C:\WINDOWS\temp\NODD6.tmp
C:\WINDOWS\temp\NODDC.tmp
C:\WINDOWS\temp\NODDF.tmp
C:\WINDOWS\temp\NODE0.tmp
C:\WINDOWS\temp\NODE3.tmp
C:\WINDOWS\temp\NODE7.tmp
C:\WINDOWS\temp\NODEA.tmp
C:\WINDOWS\temp\NODF0.tmp
C:\WINDOWS\temp\NODF7.tmp
C:\WINDOWS\temp\NODF8.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
(Screenshot: dragging CFScript.txt onto ComboFix.exe)

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

 

 

In your next reply post:

ComboFix.txt

New HJT log

 

 

How's the computer now?
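As an added example (not from this thread and not HijackThis code), a small Python triage of the O1/O20/O21 lines a helper reads in a HijackThis log: it separates the hosts-file redirects, the AppInit_DLLs load list, and the load points whose DLL is already gone, which is the combination that produces the Bad Image popups once an antivirus has deleted the DLLs but the registry still references them. The sample log is constructed from a few entries shown in this thread; the function names are this example's own.

```python
"""Triage of HijackThis (HJT) log lines: hosts redirects, AppInit_DLLs and
dangling O2/O21 load points. Added example; the sample log is constructed
from entries that appear in this thread."""
import re

# Constructed sample: a handful of lines in the shape of the thread's log.
SAMPLE_LOG = r"""
O1 - Hosts: 127.1 localhost
O1 - Hosts: 127.1 ko.ssa387.cn
O1 - Hosts: 127.1 61.134.37.12
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O20 - AppInit_DLLs: HBmhly.dll,eclnnhfj.dll,lclmfcod.dll
O21 - SSODL: EC5771F3 - {EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - C:\WINDOWS\system32\eclnnhfj.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
# O2 (BHO) and O21 (SSODL) share the "name - {CLSID} - target" layout.
LOADPOINT_RE = re.compile(r"^(O2|O21) - .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_lines(text):
    """Non-empty, whitespace-trimmed log lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def hosts_redirects(lines):
    """Hostnames the hosts file pins to loopback (127.x or 0.0.0.0).
    'localhost' is the one name that legitimately belongs there."""
    out = []
    for ln in lines:
        m = HOSTS_RE.match(ln)
        if not m:
            continue
        addr, name = m.groups()
        if (addr.startswith("127.") or addr == "0.0.0.0") and name.lower() != "localhost":
            out.append(name)
    return out


def appinit_dlls(lines):
    """DLL names listed in AppInit_DLLs; Windows loads each of them into
    every process that links user32.dll, so a stale name here is noisy."""
    out = []
    for ln in lines:
        m = APPINIT_RE.match(ln)
        if m:
            out.extend(d.strip() for d in m.group(1).split(",") if d.strip())
    return out


def dangling_loadpoints(lines):
    """O2/O21 entries whose target no longer exists: the registry still
    points at a DLL that was already removed. Returns (section, clsid, path),
    with path None when HJT printed '(no file)' instead of a path."""
    out = []
    for ln in lines:
        m = LOADPOINT_RE.match(ln)
        if m and ln.endswith(MISSING_MARKERS):
            section, clsid, target = m.groups()
            path = None if target in MISSING_MARKERS else target.rsplit(" (", 1)[0]
            out.append((section, clsid, path))
    return out


def triage(text):
    """Summarise the log; 'orphaned_appinit' are AppInit_DLLs names whose
    file is reported missing elsewhere in the log, the Bad Image pattern."""
    lines = parse_lines(text)
    dangling = dangling_loadpoints(lines)
    missing = {p.rsplit("\\", 1)[-1].lower() for _, _, p in dangling if p}
    appinit = appinit_dlls(lines)
    return {
        "hosts_redirects": hosts_redirects(lines),
        "appinit_dlls": appinit,
        "dangling_loadpoints": dangling,
        "orphaned_appinit": [d for d in appinit if d.lower() in missing],
    }


def fix_checked(text):
    """The raw lines a helper would tick for 'fix checked'."""
    lines = parse_lines(text)
    flagged = set(hosts_redirects(lines))
    out = []
    for ln in lines:
        m = HOSTS_RE.match(ln)
        if m and m.group(2) in flagged:
            out.append(ln)
        elif APPINIT_RE.match(ln) and appinit_dlls([ln]):
            out.append(ln)
        elif LOADPOINT_RE.match(ln) and ln.endswith(MISSING_MARKERS):
            out.append(ln)
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```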

Cazoy   

Before you wrote this, my antivirus ran a scan and probably erased something: those O1 and O21 entries were already gone. And ESET Antivirus still finds trojans and stuff.

 

ComboFix:

 

ComboFix 09-01-17.04 - User 2009-01-19 20:20:11.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.427 [GMT 2:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

FW: Sygate Personal Firewall *disabled*

* Created a new restore point

 

FILE ::

c:\docume~1\User\LOCALS~1\Temp\wmsetup.dll

c:\documents and settings\User\Local Settings\temp\eee.cab

c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\a007[1].cab

c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\83M7TL90\update[1].cab

c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\BGG3E2T8\gbu[2].gif

c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\a006[1].cab

c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\EPFNYYCI\eee[1].cab

c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\FF933K62\update[1].gif

c:\program files\Messenger\msgmr.dll

c:\windows\Fonts\Framdee.ttf

c:\windows\linkinfo.dll

c:\windows\system32\92.tmp

c:\windows\temp\NOD102.tmp

c:\windows\temp\NOD105.tmp

c:\windows\temp\NOD106.tmp

c:\windows\temp\NOD107.tmp

c:\windows\temp\NOD108.tmp

c:\windows\temp\NOD109.tmp

c:\windows\temp\NOD10A.tmp

c:\windows\temp\NOD10C.tmp

c:\windows\temp\NOD10E.tmp

c:\windows\temp\NOD10F.tmp

c:\windows\temp\NODC7.tmp

c:\windows\temp\NODC9.tmp

c:\windows\temp\NODCC.tmp

c:\windows\temp\NODD1.tmp

c:\windows\temp\NODD3.tmp

c:\windows\temp\NODD4.tmp

c:\windows\temp\NODD5.tmp

c:\windows\temp\NODD6.tmp

c:\windows\temp\NODDC.tmp

c:\windows\temp\NODDF.tmp

c:\windows\temp\NODE0.tmp

c:\windows\temp\NODE3.tmp

c:\windows\temp\NODE7.tmp

c:\windows\temp\NODEA.tmp

c:\windows\temp\NODF0.tmp

c:\windows\temp\NODF7.tmp

c:\windows\temp\NODF8.tmp

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\AppPatch\AcXtrnel.sdb

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NVMINI

-------\Service_nvmini

 

 

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))

.

 

2009-01-19 20:01 . 2009-01-19 20:01 <DIR> d-------- C:\HostsXpert

2009-01-19 15:31 . 2009-01-19 15:31 20,336 --ahs---- C:\asdfjlasdjf.dll

2009-01-19 14:46 . 2009-01-19 14:46 <DIR> d-------- c:\windows\Sun

2009-01-18 19:31 . 2009-01-18 19:31 <DIR> d-------- c:\program files\Trend Micro

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\Windows Live SkyDrive

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\Microsoft

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\program files\DAEMON Tools Lite

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\User\Application Data\DAEMON Tools Pro

2009-01-18 16:57 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-01-07 21:50 . 2009-01-07 21:50 <DIR> d-------- C:\ProgramData

2009-01-07 21:50 . 2009-01-07 21:50 <DIR> d-------- c:\program files\Electronic Arts

2009-01-07 21:49 . 2009-01-07 21:49 1,108 --a------ c:\windows\system32\ealregsnapshot1.reg

2009-01-07 21:36 . 2009-01-18 16:57 <DIR> d-------- c:\program files\EA Sports

2009-01-02 19:03 . 2009-01-18 16:57 <DIR> d-------- c:\documents and settings\User\Tracing

2009-01-02 18:55 . 2009-01-02 18:55 <DIR> d-------- c:\program files\Common Files\Windows Live

2009-01-02 18:50 . 2009-01-18 16:53 <DIR> d-------- c:\documents and settings\User\Application Data\vlc

2009-01-02 18:50 . 2009-01-02 18:51 <DIR> d-------- c:\documents and settings\User\Application Data\DAEMON Tools Lite

2008-12-28 23:03 . 2008-12-28 23:03 <DIR> d-------- c:\program files\Microsoft Games

2008-12-23 18:38 . 2009-01-18 16:54 <DIR> d-------- c:\program files\Guitar Pro 5

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-18 14:57 --------- d-----w c:\documents and settings\User\Application Data\Microsoft Games

2009-01-18 14:57 --------- d-----w c:\documents and settings\User\Application Data\DAEMON Tools

2009-01-18 14:56 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-18 14:53 --------- d-----w c:\program files\CCleaner

2009-01-18 14:53 --------- d-----w c:\documents and settings\User\Application Data\vlc

2009-01-18 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-02 17:01 --------- d-----w c:\program files\Windows Live

2008-12-18 10:55 3,005 ----a-w c:\program files\Common Files\unins000.dat

2008-12-18 10:54 728,858 ----a-w c:\program files\Common Files\unins000.exe

2008-12-17 17:53 --------- d-----w c:\documents and settings\All Users\Application Data\ATI

2008-12-17 17:49 --------- d-----w c:\program files\ATI Technologies

2008-12-17 16:58 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-12-17 16:58 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-02 13:01 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-02 09:56 --------- d-----w c:\program files\ESET

2008-12-02 09:38 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8

2008-11-28 06:44 --------- d-----w c:\program files\AVG

2008-11-25 14:43 --------- d-----w c:\documents and settings\All Users\Application Data\ESET

2008-03-09 05:25 236 ---ha-w c:\program files\Common Files\dx.reg

2008-09-20 21:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"nodenable"="c:\program files\eset\nodenable.exe" [2008-09-22 326829]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2006-03-28 634880]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947]

"ACU"="c:\program files\Atheros WLAN Client\ACU.exe" [2006-02-06 307200]

"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]

R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]

R4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]

S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2006-03-29 27648]

S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]

S3 SSB2413;SSB2413 Wireless Network Adapter Service;c:\windows\system32\drivers\SSB2413.sys [2007-09-05 470112]

S4 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]

S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]

S4 SessionLauncher;SessionLauncher;c:\docume~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe []

 

2009-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-448539723-1801674531-1003.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-17 16:39]

.

- - - - ORPHANS REMOVED - - - -

 

ShellExecuteHooks-{BC36F43D-5985-4D88-966C-97507E1A5339} - c:\windows\system32\bcjmfkjd.dll

ShellExecuteHooks-{EC5771F3-BE0B-442F-9662-A4DE7598C5E0} - c:\windows\system32\eclnnhfj.dll

ShellExecuteHooks-{B51E4258-1E43-45A8-8D8F-9C7178BB3423} - c:\windows\system32\blhekilo.dll

ShellExecuteHooks-{0ED1610A-3050-4A92-A789-2BEE0A44CC4F} - c:\windows\system32\gedhmhga.dll

ShellExecuteHooks-{47738B41-069A-4FA7-AAF6-C16AC67952AF} - c:\windows\system32\knnjobkh.dll

ShellExecuteHooks-{64CA65B5-ECC0-4C66-BDFE-32B5C12E6CE9} - c:\windows\system32\mkcamlbl.dll

ShellExecuteHooks-{B61C5FAD-ACEC-4592-8206-A9CECC9B6939} - c:\windows\system32\bmhclfad.dll

ShellExecuteHooks-{5C56FC8D-EEC4-4925-80C3-A42BAB7D91FA} - c:\windows\system32\lclmfcod.dll

ShellExecuteHooks-{D3B0B361-D6C2-4635-8FDF-8AE0319F52FD} - c:\windows\system32\djbgbjmh.dll

ShellExecuteHooks-{A1E37C40-9D14-4A84-AC05-9A7ADC4BEA87} - c:\windows\system32\ahejnckg.dll

ShellExecuteHooks-{F610FDDC-F91E-4702-B317-136D93D65E6C} - c:\windows\system32\fmhgfddc.dll

ShellExecuteHooks-{DE45966D-246F-4BB2-B911-8BB2413ABBAD} - c:\windows\system32\deklpmmd.dll

ShellExecuteHooks-{2E199102-3461-4A5A-B40D-00F008C77A04} - c:\windows\system32\iehpphgi.dll

ShellExecuteHooks-{375BCAF0-82A2-4CF5-93E6-2A357B29F688} - c:\windows\system32\jnlbcafg.dll

ShellExecuteHooks-{7531F389-1A52-49A0-9F41-325528A4E1CF} - c:\windows\system32\nljhfjop.dll

ShellExecuteHooks-{341A7E52-1C86-4465-8245-EB43932ACF07} - c:\windows\system32\jkhaneli.dll

ShellExecuteHooks-{2404535B-9305-4837-AC63-AF8DE5A8D94B} - c:\windows\system32\ikgkljlb.dll

ShellExecuteHooks-{C0182C77-4467-413A-AD71-5782D8F491AC} - c:\windows\system32\cghoicnn.dll

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.neti.ee/

uInternet Connection Wizard,ShellNext = iexplore

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-19 20:25:06

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1547161642-448539723-1801674531-1003\Software\SecuROM\License information*]

"datasecu"=hex:1f,d7,98,61,6d,fd,af,81,00,3d,24,dd,ef,54,4c,ea,78,22,ea,6d,a8,

3d,b2,2c,73,5b,2e,6c,ae,c0,68,ea,44,9f,00,86,3e,96,dc,0d,40,34,3d,e0,ad,fb,\

"rkeysecu"=hex:37,ac,d3,fe,09,f0,13,51,16,f8,ab,b8,8f,c3,eb,57

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(640)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Sygate\SPF\Smc.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\acs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-01-19 20:28:03 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-19 18:28:01

ComboFix2.txt 2009-01-18 19:36:00

 

Pre-Run: 23 026 323 456 bytes free

Post-Run: 23,067,189,248 bytes free

 

219 --- E O F --- 2009-01-17 17:32:10

 

HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:33:26, on 19.01.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros WLAN Client\ACU.exe -nogui

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe /s

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe

O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

 

--

End of file - 7600 bytes

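As an added triage example (not part of this thread or of HijackThis itself), a small Python script that scans HijackThis v2 log lines of the shape posted above and flags the entries a helper looks at first: O23 services whose binary is missing or lives in a temp folder, O2 BHOs whose DLL is gone, and O4 autostarts launched from a temp folder. The sample lines are constructed from the posted log; the "updater" autostart is made up for illustration.

```python
import re

# Matches the "<section code> - <body>" shape of a HijackThis v2 log entry.
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Path fragments pointing into temporary storage; services and autostart
# entries do not normally live there.
TEMP_HINTS = ("\\temp\\", "\\temporary internet files\\", "\\tmp\\")


def classify(line):
    """Return (code, severity, reason) for one log line, or None when the
    line is not an HJT entry or raises no concern."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower()

    if code == "O23":  # Windows services
        if "(file missing)" in low:
            return (code, "high", "service registered but binary is missing")
        if any(h in low for h in TEMP_HINTS):
            return (code, "high", "service binary lives in a temp folder")
        if "unknown owner" in low:
            # Many legitimate services carry no publisher string; note it, no alarm.
            return (code, "info", "service has no publisher string")
    elif code == "O2":  # Browser Helper Objects
        if "(no file)" in low:
            return (code, "medium", "BHO registered but its DLL is absent")
    elif code == "O4":  # autostart entries
        if any(h in low for h in TEMP_HINTS):
            return (code, "high", "autostart runs from a temp folder")
    return None


def triage(log_text):
    """Run classify over a whole log; returns flagged entries in log order."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            code, severity, reason = verdict
            hits.append({"code": code, "severity": severity,
                         "reason": reason, "line": line.strip()})
    return hits


# Constructed sample in the shape of the posted log; the [updater] line is invented.
SAMPLE_LOG = """\
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [updater] C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\upd.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: SessionLauncher - Unknown owner - C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\DX9\\SessionLauncher.exe (file missing)
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['severity']:6}] {hit['code']}: {hit['reason']}")
        print(f"         {hit['line']}")
```

A flagged line is a prompt to look closer, not a verdict: PnkBstrA above is a legitimate game anti-cheat service that simply ships without a publisher string.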
Juliet   

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:

  • Select - Show hidden files and folders.

  • Uncheck- Hide protected operating system files (recommended) option.

  • Also, make sure there is no checkmark beside Hide file extensions for known file types.

  • Click OK. (Remember to Hide files and folders once done)

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

 

C:\asdfjlasdjf.dll <--delete this file, then empty your recycle bin.

And ESET Antivirus still finds trojans 'n' stuff.

Can you tell me where it says it finds infection....file path or folders?

 

Your logs are looking good, I'm not seeing anything now.

Edited by Juliet

Cazoy   

Where can I find this folder called Bold? Can't find it... :(

I did all that you told me but still don't find this folder; right now the antivirus is normal, no errors.

Edited by Cazoy

Juliet   

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders (that stands for file or folder) in bold

 

In your case it's just a file.

 

C:\asdfjlasdjf.dll <--delete this file, then empty your recycle bin.

Juliet   

Well, it looks good on my end, you say antivirus alerts have stopped.

Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
Example below

Posted Image

I think you're good to go, good job!

Please take the time to read over a few of my preventive tips.

 

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 2.0

The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

 

Read this article 'Safe Computing Practices'.

So how did I get infected in the first place?

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Free Antivirus-AntiSpyware-Firewall Software

Slow Computer May Not Be Malware Related, Help! My computer is slow!

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

 

 

PC Safety and Security--What Do I Need?

http://www.techsupportforum.com/security-c...-do-i-need.html

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

This site offers people who have been (or are) victims of malware the opportunity to document their story.

 

Extra note:

Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

Cazoy   

Can't thank you enough! Good job to you too!

But do I keep the following programs: ComboFix, HijackThis, HostsXpert? Or can I erase these programs? And once again, thank you for your help.

Juliet   

If you followed the below, ComboFix will be removed and a clean restore point set.

 

Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
Example below

Posted Image

You can delete HijackThis and HostsXpert... though neither one takes space or resources.
