« previous next »
Pages: [1]

Author Topic: trojan infected..pls help, HyjackThis log  (Read 1719 times)

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« on: May 12, 2008, 08:08:17 PM »
Hi All..
my laptop got infected yesterday and its slowing my machine and opening different pop-ups..
Please help..

Here is the HyjackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:01:52 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.pctools.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


 
Please help................   :-(
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
trojan infected..pls help, HyjackThis log
« Reply #1 on: May 12, 2008, 08:40:04 PM »
Can you do the following please

You have a few spywaretools running, we need to disable their protections so they won't interfere with any fixes we try

Window's Defender
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Spyware Doctor
To deactivate Spyware Doctor's OnGuard Tools

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".


Afterwards: I would like you to try another scanner please
download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
       
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
       
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
       
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

After you have posted that report from Malwarebytes
Please do the following

Download this file - Combofix.exe and save it ONLY to your desktop
Temporarily disable your AntiVirus software also so it won't interfere with this next tool
Physically disconnect the Internet cable to your computer

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When combofix is done, reenable your AntiVirus then connect back to the Internet
If you don't get connection, simply reboot the computer
Post in a seperate reply the log from Combofix please
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« Reply #2 on: May 12, 2008, 10:54:38 PM »
Thank you very much.

Following is the MBAM log

Malwarebytes' Anti-Malware 1.12
Database version: 744

Scan type: Full Scan (C:\|)
Objects scanned: 192149
Time elapsed: 1 hour(s), 14 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccdcBQI.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yayxvWMg.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab374ace-4320-4727-8cba-55bba8958486} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ab374ace-4320-4727-8cba-55bba8958486} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxvwmg (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM348c2f85 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdcbqi -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdcbqi  -> Delete on reboot.

Folders Infected:
C:\Program Files\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\din3 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fccdcBQI.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\IQBcdccf.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\IQBcdccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rukgknlr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlnkgkur.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temp\wavvsnet.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temporary Internet Files\Content.IE5\B7HF7T8W\wavvsnet[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\TTC.dll (Adware.WebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.7.4\wbuninst.exe.vir (Adware.WebBuying) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.7.4\webbuying.exe.vir (Adware.WebBuying) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir (Adware.Softomate) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087480.exe (Adware.Winpop) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087481.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087482.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\din3\PI-setup03x.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hNF\srkawe3.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ndb2\BD-2bin.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vdTMP\bvre32.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\Program Files\winvi\Uninst.exe (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ktkuqcrk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxvWMg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\Click to Find and Fix Errors.url (Rogue.Link) -> Quarantined and deleted successfully.
Logged

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« Reply #3 on: May 12, 2008, 10:56:52 PM »
Hi,
Following is the combofix log:
ComboFix 08-05-12.1 - VAMSHI ATMAKUR 2008-05-12 22:28:36.1 - NTFSx86
Running from: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\ComboFix.exe
 * Created a new restore point

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acsegbhk.ini
C:\WINDOWS\system32\cbeeg.tmp2
C:\WINDOWS\system32\cyinxphn.ini
C:\WINDOWS\system32\IQBcdccf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\win
C:\WINDOWS\zxbowokA.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


(((((((((((((((((((((((((   Files Created from 2008-04-13 to 2008-05-13  )))))))))))))))))))))))))))))))
.

2008-05-12 21:05 . 2008-05-12 21:05 114,688 --a------ C:\WINDOWS\system32\hijnffgr.dll
2008-05-12 21:05 . 2008-05-12 22:41 474 ---hs---- C:\WINDOWS\system32\rgffnjih.ini
2008-05-12 21:02 . 2008-05-12 21:02 132,608 --a------ C:\WINDOWS\system32\vwnbyduq.dll
2008-05-12 21:02 . 2008-05-12 21:02 2,048 --a------ C:\WINDOWS\system32\mbempmqt.exe
2008-05-12 20:59 . 2008-05-12 22:20 124,416 --------- C:\WINDOWS\system32\ktkuqcrk.dll
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 20:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 20:55 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-11 21:22 . 2008-05-12 20:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 16:10 . 2008-05-11 16:10 2,048 --a------ C:\WINDOWS\system32\kstbripf.exe
2008-05-11 16:08 . 2008-05-11 16:08 125,440 --a------ C:\WINDOWS\system32\iorvuhgh.dll
2008-05-11 16:08 . 2008-05-12 20:59 109,807 --a------ C:\WINDOWS\BM348c2f85.xml
2008-05-11 16:04 . 2008-05-12 22:20 372,224 --------- C:\WINDOWS\system32\fccdcBQI.dll
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\vdTMP
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\Ndb2
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\hNF
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\WINDOWS\system32\bkEur01
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\WINDOWS\system32\2033b
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\Temp\maxsv15
2008-05-11 15:57 . 2008-05-12 22:20 52,736 --------- C:\WINDOWS\system32\yayxvWMg.dll
2008-05-04 09:52 . 2008-05-04 09:53 <DIR> d-------- C:\Program Files\SopCast

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 23:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 21:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-11 21:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-11 21:34 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-07 13:29 47,344 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\GDIPFONTCACHEV1.DAT
2006-01-08 17:03 560 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\ViewerApp.dat
2004-08-21 14:51 21,447 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Favorites.zip
2004-07-31 16:23 0 --sh--r C:\Program Files\q330994.exe
2004-07-23 01:45 1,160,964 ----a-w C:\Documents and Settings\Guest\wrar34b2.exe
2004-07-23 01:44 9,228,986 ----a-w C:\Documents and Settings\Guest\vlc-0.7.2-win32.exe
2004-07-23 01:41 3,292,584 ----a-w C:\Documents and Settings\Guest\DivXPlayerInstaller.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\cvchost.exe
2004-06-28 09:02 2,926 --sha-w C:\WINDOWS\egcng.dat
2004-07-03 03:37 2,926 --sha-w C:\WINDOWS\givip.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msstasks.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mssys.com
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mstaskss.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msxmidi.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\ntldr.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\rocky.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\seksdialer.exe
2004-07-04 04:47 2,926 --sha-w C:\WINDOWS\vjrkb.dat
2004-06-21 09:24 2,926 --sha-w C:\WINDOWS\vsdbk.dat
2004-07-03 22:27 2,926 --sha-w C:\WINDOWS\worst.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\system.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\wmscrop.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.dll
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.exe
2004-07-10 03:00 2,926 --sha-w C:\WINDOWS\system32\dntwj.dat
2004-07-07 21:08 2,926 --sha-w C:\WINDOWS\system32\hahhu.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\jac.dll
2004-07-10 00:28 2,926 --sha-w C:\WINDOWS\system32\lmzri.dat
2004-06-27 23:19 2,926 --sha-w C:\WINDOWS\system32\lqvef.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\msxslab.dll
2004-07-13 10:44 2,926 --sha-w C:\WINDOWS\system32\qjeuv.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20AFE46C-B5B2-46FB-820B-75AB0066558A}]
   C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8709e651-514d-424f-ac80-b4de631f6762}]
2008-05-12 21:02 132608 --a------ C:\WINDOWS\system32\vwnbyduq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d905490f-7eef-48be-8bc5-1ce778714bac}]
   C:\WINDOWS\system32\ypuigup.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f611b61e-b4c8-471d-932b-8466e2bb9f75}]
   C:\WINDOWS\System32\cdfesk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"uninstal"="regsvr32 /u /s image.dll" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00 335872]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23 90112]
"MMTray"="" []
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 20:23 868352]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-02-05 18:26 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-02-05 18:26 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 20:49 397312]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-23 10:39 180269]
"37bf1c19"="C:\WINDOWS\system32\hijnffgr.dll" [2008-05-12 21:05 114688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2004-07-24 11:10:43 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdfesk]
cdfesk.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 17:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 12:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 14:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 15:26]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-22 05:05]
R3 WedgeTransport;IPSec Adapter;C:\WINDOWS\system32\DRIVERS\VIPSecMP.sys [2004-03-09 18:20]
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys [2004-12-07 16:00]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\VAMSHI~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23]
S3 P1001VID;Creative WebCam (WDM);C:\WINDOWS\system32\DRIVERS\P1001Vid.sys [2002-06-03 21:38]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-02-09 15:50]
S4 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe [2002-04-26 17:29]
S4 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice []
S4 OracleServiceVAMSHI;OracleServiceVAMSHI;c:\oracle\ora92\bin\ORACLE.EXE VAMSHI []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 03:42:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-07-23 23:08:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 22:41:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="C:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\hijnffgr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Yahoo!\Antivirus\iSafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-12 22:51:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-13 03:50:40
ComboFix2.txt  2007-06-18 01:16:17

Pre-Run: 23,515,140,096 bytes free
Post-Run: 24,015,654,912 bytes free

213 --- E O F --- 2008-05-09 02:59:52
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
trojan infected..pls help, HyjackThis log
« Reply #4 on: May 13, 2008, 08:56:22 AM »
Can you do the following for me please
Temporarily disable your AntiVirus software

Please run a free online scan with the [color=\"blue\"]ESET Online Scanner[/color][/url]
Note: You will need to use Internet Explorer for this scan[/i].[list=1]
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« Reply #5 on: May 13, 2008, 11:16:20 PM »
Sorry for the delay.
Following is the eset log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3096 (20080513)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=17ab7f944722ff4daae1e8ba992eeea1
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-05-14 04:15:41
# local_time=2008-05-13 11:15:41 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1076803
# found=11
# scan_time=10096
C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.33375 probably a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2007-06-17_201249.35.zip Win32/Rootkit.Agent.EQ trojan (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2007-06-17_201249.35.zip »ZIP »core.sys Win32/Rootkit.Agent.EQ trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\zxbowokA.exe.vir probably a variant of Win32/TrojanDownloader.VB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\dwncfpac.dll.vir Win32/Adware.Virtumonde.KI application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\geebc.dll.bad Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\pmnnoon.dll.bad Win32/TrojanDownloader.ConHook.NAI trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\browser.exe probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\kstbripf.exe Win32/PrivacySet.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mbempmqt.exe Win32/PrivacySet.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\bkEur01\bkEur011065.exe a variant of Win32/TrojanDownloader.VB.AW trojan (unable to clean - deleted) 00000000000000000000000000000000


Please advise.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
trojan infected..pls help, HyjackThis log
« Reply #6 on: May 14, 2008, 07:07:56 AM »
Delete your copy of ComboFix please
Then redownload a fresh copy from [color=\"#FF0000\"]HERE[/color]
Again, ONLY save it to your desktop

==Open notepad
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work
[color=\"#0000FF\"]File::
C:\WINDOWS\system32\hijnffgr.dll
C:\WINDOWS\system32\rgffnjih.ini
C:\WINDOWS\system32\vwnbyduq.dll
C:\WINDOWS\system32\mbempmqt.exe
C:\WINDOWS\system32\ktkuqcrk.dll
C:\WINDOWS\system32\iorvuhgh.dll
C:\WINDOWS\BM348c2f85.xml
C:\WINDOWS\system32\fccdcBQI.dll
C:\WINDOWS\system32\yayxvWMg.dll
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\egcng.dat
C:\WINDOWS\givip.dat
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\vjrkb.dat
C:\WINDOWS\vsdbk.dat
C:\WINDOWS\worst.dat
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\wmscrop.exe
C:\WINDOWS\system32\d2kpax.dll
C:\WINDOWS\system32\d2kpax.exe
C:\WINDOWS\system32\dntwj.dat
C:\WINDOWS\system32\hahhu.dat
C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\lmzri.dat
C:\WINDOWS\system32\lqvef.dat
C:\WINDOWS\system32\msxslab.dll
C:\WINDOWS\system32\qjeuv.dat
Folder::
C:\WINDOWS\system32\vdTMP
C:\WINDOWS\system32\Ndb2
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\bkEur01
C:\WINDOWS\system32\2033b
C:\Temp\maxsv15
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdfesk]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20AFE46C-B5B2-46FB-820B-75AB0066558A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8709e651-514d-424f-ac80-b4de631f6762}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d905490f-7eef-48be-8bc5-1ce778714bac}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f611b61e-b4c8-471d-932b-8466e2bb9f75}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uninstal"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"=-
"TkBellExe"=-
"37bf1c19"=-
DirLook::
C:\Temp
[/color]
Save this as txtfile on your desktop
name it:
CFScript

Temporarily disable your AntiVirus software again
 

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts

Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Take notice: Combofix may prompt that the computer needs to reboot, don't interupt it
Allow it too

When finished, it shall produce a log for you  with the  name C:\ComboFix.txt..
I'll need to see that log

NOTE:
# Combofix will disconnect your machine from the Internet as soon as it starts
# Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
# If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Post back all the following:

1. Post the log from ComboFix
2. Update and post a Hijackthis log

Delete your copy of Hijackthis
Download Hijackthis Installer from [color=\"#FF0000\"]HERE[/color]
For an alternate download location, you can try HERE
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum
« Last Edit: May 14, 2008, 08:11:57 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« Reply #7 on: May 14, 2008, 07:00:23 PM »
Combo Fix log is as follows :
ComboFix 08-05-12.1 - VAMSHI ATMAKUR 2008-05-14 18:24:29.2 - NTFSx86
Running from: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\CFScript.txt
 * Created a new restore point

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\maxsv15
C:\Temp\maxsv15\rLCubd.log
C:\VundoFix Backups
C:\VundoFix Backups\cbeeg.bak1.bad
C:\VundoFix Backups\cbeeg.bak2.bad
C:\VundoFix Backups\cbeeg.ini.bad
C:\VundoFix Backups\cbeeg.ini2.bad
C:\VundoFix Backups\cbeeg.tmp.bad
C:\WINDOWS\system32\2033b
C:\WINDOWS\system32\bkEur01
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\Ndb2
C:\WINDOWS\system32\rgffnjih.ini
C:\WINDOWS\system32\vdTMP

.
(((((((((((((((((((((((((   Files Created from 2008-04-14 to 2008-05-14  )))))))))))))))))))))))))))))))
.

2008-05-14 18:16 . 2008-05-14 18:16 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-13 20:24 . 2008-05-13 23:15 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-12 21:05 . 2008-05-12 21:05 114,688 --a------ C:\WINDOWS\system32\hijnffgr.dll
2008-05-12 21:02 . 2008-05-12 21:02 132,608 --a------ C:\WINDOWS\system32\vwnbyduq.dll
2008-05-12 20:59 . 2008-05-12 22:20 124,416 --------- C:\WINDOWS\system32\ktkuqcrk.dll
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 20:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 20:55 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-11 21:22 . 2008-05-12 20:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 16:08 . 2008-05-11 16:08 125,440 --a------ C:\WINDOWS\system32\iorvuhgh.dll
2008-05-11 16:08 . 2008-05-12 20:59 109,807 --a------ C:\WINDOWS\BM348c2f85.xml
2008-05-11 16:04 . 2008-05-12 22:20 372,224 --------- C:\WINDOWS\system32\fccdcBQI.dll
2008-05-11 15:57 . 2008-05-12 22:20 52,736 --------- C:\WINDOWS\system32\yayxvWMg.dll
2008-05-04 09:52 . 2008-05-04 09:53 <DIR> d-------- C:\Program Files\SopCast

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 23:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 21:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-11 21:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-11 21:34 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-07 13:29 47,344 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\GDIPFONTCACHEV1.DAT
2006-01-08 17:03 560 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\ViewerApp.dat
2004-08-21 14:51 21,447 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Favorites.zip
2004-07-31 16:23 0 --sh--r C:\Program Files\q330994.exe
2004-07-23 01:45 1,160,964 ----a-w C:\Documents and Settings\Guest\wrar34b2.exe
2004-07-23 01:44 9,228,986 ----a-w C:\Documents and Settings\Guest\vlc-0.7.2-win32.exe
2004-07-23 01:41 3,292,584 ----a-w C:\Documents and Settings\Guest\DivXPlayerInstaller.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\cvchost.exe
2004-06-28 09:02 2,926 --sha-w C:\WINDOWS\egcng.dat
2004-07-03 03:37 2,926 --sha-w C:\WINDOWS\givip.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msstasks.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mssys.com
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mstaskss.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msxmidi.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\ntldr.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\rocky.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\seksdialer.exe
2004-07-04 04:47 2,926 --sha-w C:\WINDOWS\vjrkb.dat
2004-06-21 09:24 2,926 --sha-w C:\WINDOWS\vsdbk.dat
2004-07-03 22:27 2,926 --sha-w C:\WINDOWS\worst.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\system.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\wmscrop.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.dll
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.exe
2004-07-10 03:00 2,926 --sha-w C:\WINDOWS\system32\dntwj.dat
2004-07-07 21:08 2,926 --sha-w C:\WINDOWS\system32\hahhu.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\jac.dll
2004-07-10 00:28 2,926 --sha-w C:\WINDOWS\system32\lmzri.dat
2004-06-27 23:19 2,926 --sha-w C:\WINDOWS\system32\lqvef.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\msxslab.dll
2004-07-13 10:44 2,926 --sha-w C:\WINDOWS\system32\qjeuv.dat
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----

2008-05-11 15:57 1858 --a------ C:\Temp\maxsv15\rLCubd.log
2006-01-22 16:02 18179 --a------ C:\Temp\fftrace.log
2005-12-15 21:05 851 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-12-15-2005-20-02-54.log
2005-11-07 21:54 879 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-11-07-2005-20-52-01.log
2005-10-18 20:42 1562 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-10-18-2005-20-39-35.log
2005-08-20 12:13 1618 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-08-20-2005-12-10-27.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-41.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-39.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-16.log
2005-05-01 18:08 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-05-59.log
2005-05-01 18:06 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-03-20.log
2005-05-01 17:52 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-17-49-17.log
2003-11-18 09:31 69101 --------- C:\Temp\ETH1.jpg
2003-11-18 09:26 112 --------- C:\Temp\QuickStartGuide.html


(((((((((((((((((((((((((((((   snapshot@2008-05-12_22.50.06.34   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 03:39:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 23:12:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-06 18:17:40 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00 335872]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23 90112]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 20:23 868352]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-02-05 18:26 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-02-05 18:26 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 20:49 397312]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2004-07-24 11:10:43 18432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 17:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 12:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 14:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 15:26]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-22 05:05]
R3 WedgeTransport;IPSec Adapter;C:\WINDOWS\system32\DRIVERS\VIPSecMP.sys [2004-03-09 18:20]
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys [2004-12-07 16:00]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\VAMSHI~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23]
S3 P1001VID;Creative WebCam (WDM);C:\WINDOWS\system32\DRIVERS\P1001Vid.sys [2002-06-03 21:38]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-02-09 15:50]
S4 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe [2002-04-26 17:29]
S4 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice []
S4 OracleServiceVAMSHI;OracleServiceVAMSHI;c:\oracle\ora92\bin\ORACLE.EXE VAMSHI []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 23:15:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-07-23 23:08:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 18:31:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="C:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-05-14 18:41:07
ComboFix-quarantined-files.txt  2008-05-14 23:40:53
ComboFix2.txt  2008-05-13 03:51:14
ComboFix3.txt  2007-06-18 01:16:17

Pre-Run: 23,959,216,128 bytes free
Post-Run: 23,951,253,504 bytes free

203 --- E O F --- 2008-05-09 02:59:52
Logged

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« Reply #8 on: May 14, 2008, 07:01:35 PM »
Following is HjackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:40 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O15 - Trusted Zone: www.corp.smith.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157908995765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_mywebe...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9199 bytes


Please advise.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
trojan infected..pls help, HyjackThis log
« Reply #9 on: May 14, 2008, 11:08:50 PM »
Doesn't look like all files/folders were removed
Can you do the following please

download the [color=\"red\"]OTMoveIt2 by OldTimer[/color][/url].
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard in blue below by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    ==============================================================================
    [color=\"#4169E1\"]C:\Program Files\q330994.exe
    C:\WINDOWS\cvchost.exe
    C:\WINDOWS\egcng.dat
    C:\WINDOWS\givip.dat
    C:\WINDOWS\msstasks.exe
    C:\WINDOWS\mssys.com
    C:\WINDOWS\mstaskss.exe
    C:\WINDOWS\msxmidi.exe
    C:\WINDOWS\ntldr.exe
    C:\WINDOWS\rocky.exe
    C:\WINDOWS\seksdialer.exe
    C:\WINDOWS\vjrkb.dat
    C:\WINDOWS\vsdbk.dat
    C:\WINDOWS\worst.dat
    C:\WINDOWS\system\system.exe
    C:\WINDOWS\system\wmscrop.exe
    C:\WINDOWS\system32\d2kpax.dll
    C:\WINDOWS\system32\d2kpax.exe
    C:\WINDOWS\system32\dntwj.dat
    C:\WINDOWS\system32\hahhu.dat
    C:\WINDOWS\system32\jac.dll
    C:\WINDOWS\system32\lmzri.dat
    C:\WINDOWS\system32\lqvef.dat
    C:\WINDOWS\system32\msxslab.dll
    C:\WINDOWS\system32\qjeuv.dat
    C:\Temp
    C:\WINDOWS\system32\hijnffgr.dll
    C:\WINDOWS\system32\vwnbyduq.dll
    C:\WINDOWS\system32\ktkuqcrk.dll
    C:\WINDOWS\system32\iorvuhgh.dll
    C:\WINDOWS\BM348c2f85.xml
    C:\WINDOWS\system32\fccdcBQI.dll
    C:\WINDOWS\system32\yayxvWMg.dll
    [/color]

    ==============================================================================
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" and choose Paste.

  • Click the red [color=\"red\"]Moveit![/color] button.
  • When done Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <--Indicates date/time of log

Please post that log
In addition, run a fresh hijackthis log and post it and let me know how things are running please
« Last Edit: May 15, 2008, 09:01:38 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« Reply #10 on: May 15, 2008, 09:43:25 PM »
Here is the OTMove log :
C:\Program Files\q330994.exe moved successfully.
C:\WINDOWS\cvchost.exe moved successfully.
C:\WINDOWS\egcng.dat moved successfully.
C:\WINDOWS\givip.dat moved successfully.
C:\WINDOWS\msstasks.exe moved successfully.
C:\WINDOWS\mssys.com moved successfully.
C:\WINDOWS\mstaskss.exe moved successfully.
C:\WINDOWS\msxmidi.exe moved successfully.
C:\WINDOWS\ntldr.exe moved successfully.
C:\WINDOWS\rocky.exe moved successfully.
C:\WINDOWS\seksdialer.exe moved successfully.
C:\WINDOWS\vjrkb.dat moved successfully.
C:\WINDOWS\vsdbk.dat moved successfully.
C:\WINDOWS\worst.dat moved successfully.
C:\WINDOWS\system\system.exe moved successfully.
C:\WINDOWS\system\wmscrop.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\d2kpax.dll
C:\WINDOWS\system32\d2kpax.dll NOT unregistered.
C:\WINDOWS\system32\d2kpax.dll moved successfully.
C:\WINDOWS\system32\d2kpax.exe moved successfully.
C:\WINDOWS\system32\dntwj.dat moved successfully.
C:\WINDOWS\system32\hahhu.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\jac.dll NOT unregistered.
C:\WINDOWS\system32\jac.dll moved successfully.
C:\WINDOWS\system32\lmzri.dat moved successfully.
C:\WINDOWS\system32\lqvef.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\msxslab.dll
C:\WINDOWS\system32\msxslab.dll NOT unregistered.
C:\WINDOWS\system32\msxslab.dll moved successfully.
C:\WINDOWS\system32\qjeuv.dat moved successfully.
C:\Temp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hijnffgr.dll
C:\WINDOWS\system32\hijnffgr.dll NOT unregistered.
C:\WINDOWS\system32\hijnffgr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vwnbyduq.dll
C:\WINDOWS\system32\vwnbyduq.dll NOT unregistered.
C:\WINDOWS\system32\vwnbyduq.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ktkuqcrk.dll
C:\WINDOWS\system32\ktkuqcrk.dll NOT unregistered.
C:\WINDOWS\system32\ktkuqcrk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iorvuhgh.dll
C:\WINDOWS\system32\iorvuhgh.dll NOT unregistered.
C:\WINDOWS\system32\iorvuhgh.dll moved successfully.
C:\WINDOWS\BM348c2f85.xml moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\fccdcBQI.dll
C:\WINDOWS\system32\fccdcBQI.dll NOT unregistered.
C:\WINDOWS\system32\fccdcBQI.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\yayxvWMg.dll
C:\WINDOWS\system32\yayxvWMg.dll NOT unregistered.
C:\WINDOWS\system32\yayxvWMg.dll moved successfully.
 
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05152008_214624
Logged

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« Reply #11 on: May 15, 2008, 09:44:39 PM »
Following is Hyjack This Log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:37 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YUM\yum.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-3943393980-1111375530-1268058753-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Malathi')
O4 - HKUS\S-1-5-21-3943393980-1111375530-1268058753-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Malathi')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O15 - Trusted Zone: www.corp.smith.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157908995765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_mywebe...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9631 bytes


Please advise.
Thank you very much for helping me out.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
trojan infected..pls help, HyjackThis log
« Reply #12 on: May 15, 2008, 10:28:03 PM »
Looks good

How's everything running now?

Did you manually add these entries to your Trusted Sites in IE?
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O15 - Trusted Zone: www.corp.smith.com
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Chris24

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
trojan infected..pls help, HyjackThis log
« Reply #13 on: May 16, 2008, 10:32:30 PM »
Yes I had added those entries.

Thank you verymuch for your hep. It looks fine now.

As a small token of my appreciation, I have made a small payment to your paypal account.

Thank you once again.

 

 

Also, Can you pls advise me some software that I can install to not get into this mess again.

I have stopped logging in using my admin account unless its required.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
trojan infected..pls help, HyjackThis log
« Reply #14 on: May 17, 2008, 05:56:18 PM »
Thank you very much for the donation

You can open Malwarebyte's Antimalware and remove all entries from the Quarantine section
Your choice to Uninstall Malwarebyte's Antimalware from Add and Remove Programs
or hold onto it, your option

Go to START>>RUN>>Copy and paste the next bold entry

ComboFix /u
Hit OK
This will uninstall ComboFix and it's components

OTMoveit2.exe
  • Double-click OTMoveIt2.exe to run it.
  • Click the Cleanup! button
    A list will be downloaded>>Allow it Internet access if prompted by your Firewall
    Don't change anything in this list
  • Select Yes at the prompt
    Wait for the confirmation box to open to reboot the computer
    Don't mouseclick during the wait as you may cause the tool to stall
  • Select Yes to reboot Now
NOTE: This procedure will also delete OTMoveit.exe from desktop

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster  by JavaCool  
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Startus>>enable all protection

Take a look at miekiemoes site with other ideas on How to prevent Malware:

Stay safe  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
« Last Edit: May 17, 2008, 05:56:34 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
trojan infected..pls help, HyjackThis log
« Reply #15 on: July 06, 2008, 08:02:08 PM »
I'll lock this topic as your problems appear resolved
Take care
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »