Author Topic: Hijack this log  (Read 531 times)

sporty_874
Hijack this log
« on: May 26, 2008, 09:03:52 PM »
Kind of unsure as to what I should delete off this list after scanning the computer with HijackThis.
Get an outrageous amount of pop-up ads, and the desktop background has been changed to read "Warning! Spyware detected on your PC". Any help as to where to go from here would greatly be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:32 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\kifi\kifim .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QdrModule\QdrModule16.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\COMMON~1\kifi\kifia.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {477840F3-BA52-44D9-8E41-38D61CAA010F} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fc42089a] rundll32.exe "C:\WINDOWS\system32\pokiifgr.dll",b
O4 - HKLM\..\Run: [BMff713b06] Rundll32.exe "C:\WINDOWS\system32\fwxfwykd.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA4659] command /c del "C:\Program Files\AMSys\guid.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC915] cmd /c del "C:\Program Files\AMSys\guid.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8432] command /c del "C:\Program Files\AMSys\ijl15.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7690] cmd /c del "C:\Program Files\AMSys\ijl15.dll"
O4 - HKCU\..\Run: [Kjhnlf] C:\WINDOWS\system32\?ppPatch\w?nspool.exe
O4 - HKCU\..\Run: [kifi] C:\PROGRA~1\COMMON~1\kifi\kifim .exe
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: xxywwus - xxywwus.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6652 bytes

guestolo
Hijack this log
« Reply #1 on: May 26, 2008, 09:20:07 PM »
Can you do the following for me please?
Download this file - Combofix.exe and save it ONLY to your desktop

Don't run it yet
Physically disconnect the internet cable connection to your computer

Afterwards
Double click combofix.exe & follow the prompts.
Click YES to allow it to run when prompted; normally this fix takes anywhere from 10 to 30 minutes
You may see a prompt that ComboFix needs to reboot the computer
Allow it to, even if it appears that it stalls
Back in Windows, ComboFix will run again, then continue to create a log; this can take a few minutes
Let it run uninterrupted please
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

After ComboFix runs, and after its log opens
Connect the Internet cable; if you have no Internet connection, simply reboot your computer

Post back the log from ComboFix along with a fresh HijackThis log
The default location for the combofix log is C:\combofix.txt
« Last Edit: May 26, 2008, 10:43:20 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


sporty_874
Hijack this log
« Reply #2 on: May 27, 2008, 04:19:51 PM »
ComboFix 08-05-27.3 - Ryan 2008-05-27 16:13:24.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.284 [GMT -5:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\Ryan\Application Data\MCROSO~1.NET
C:\Documents and Settings\Ryan\Application Data\MCROSO~1.NET\M?crosoft.NET\
C:\Documents and Settings\Ryan\My Documents\DOBE~1
C:\Documents and Settings\Ryan\My Documents\DOBE~1\wowexec .exe
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\kifi
C:\Program Files\Common Files\kifi\kifia.exe
C:\Program Files\Common Files\kifi\kifia.lck
C:\Program Files\Common Files\kifi\kifid\class-barrel
C:\Program Files\Common Files\kifi\kifid\kific.dll
C:\Program Files\Common Files\kifi\kifid\vocabulary
C:\Program Files\Common Files\kifi\kifih
C:\Program Files\Common Files\kifi\kifil.exe
C:\Program Files\Common Files\kifi\kifil.lck
C:\Program Files\Common Files\kifi\kifim .exe
C:\Program Files\Common Files\kifi\kifim.lck
C:\Program Files\Common Files\kifi\kifip.exe
C:\Program Files\Common Files\sks~1
C:\Program Files\CPV
C:\Program Files\CPV\CPV7.dll
C:\Program Files\DioCleaner
C:\Program Files\DioCleaner\stat.bin
C:\Program Files\DioCleaner\uninstall.exe
C:\Program Files\DioCleaner\uninstall.log
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\Insider
C:\Program Files\Insider\Insider .exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore .exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrModule\QdrModule12 .exe
C:\Program Files\QdrModule\QdrModule16.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\carkazupd.exe
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\dictys.gz
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\QdrPack12 .exe
C:\Program Files\QdrPack\QdrPack12.exe
C:\Program Files\QdrPack\QdrPack14 .exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\QdrPack\stixpupd.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\Program Files\Router
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable .exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\BMff713b06.xml
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kifi
C:\WINDOWS\kifi\kifi.dat
C:\WINDOWS\kifi\wu
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\pskt.ini
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\immseujc.ini
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\orykojps.ini
C:\WINDOWS\system32\pklcbpin.ini
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\rgfiikop.ini
C:\WINDOWS\system32\srqbmimq.ini
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


(((((((((((((((((((((((((   Files Created from 2008-04-27 to 2008-05-27  )))))))))))))))))))))))))))))))
.

2008-05-27 15:32 . 2008-05-27 15:32   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-05-27 15:25 . 2008-05-27 15:25   <DIR>   d--------   C:\Program Files\Uniblue
2008-05-27 15:25 . 2008-05-27 15:25   <DIR>   d--------   C:\Documents and Settings\Ryan\Application Data\Uniblue
2008-05-27 14:59 . 2008-05-27 15:00   <DIR>   d--------   C:\Documents and Settings\Ryan\Application Data\U3
2008-05-27 14:50 . 2008-05-27 14:50   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 21:34 . 2008-05-26 21:34   <DIR>   d--------   C:\Documents and Settings\Administrator
2008-05-26 19:59 . 2008-05-26 21:58   490   --a------   C:\WINDOWS\wininit.ini
2008-05-26 18:36 . 2008-05-26 19:12   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-05-26 18:36 . 2008-05-26 19:12   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 18:32 . 2008-05-26 18:32   <DIR>   d--------   C:\Program Files\Trend Micro
2008-05-06 09:33 . 2001-08-17 13:48   12,160   --a------   C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-06 09:33 . 2001-08-17 13:48   12,160   --a--c---   C:\WINDOWS\system32\dllcache\mouhid.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 20:58   18,432   ----a-w   C:\WINDOWS\fkwggshm.exe
2008-03-30 02:12   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\DIGStream
2008-03-30 02:10   ---------   d-----w   C:\Program Files\QuickTime
2008-03-30 02:10   ---------   d-----w   C:\Program Files\iTunes
2008-03-30 02:10   ---------   d-----w   C:\Program Files\ESPNRunTime
2008-03-30 02:10   ---------   d-----w   C:\Program Files\Dot1XCfg
2008-03-30 02:10   ---------   d-----w   C:\Program Files\DIGStream
2008-03-30 02:10   ---------   d-----w   C:\Program Files\Dell AIO Printer A940
2008-03-27 14:04   379,904   ----a-w   C:\WINDOWS\mrofinu72.exe.tmp
2008-01-18 21:31   66,048   ----a-w   C:\Documents and Settings\All Users\Application Data\wzyrqjwp.dll
2005-08-02 22:46   187,904   --sha-r   C:\WINDOWS\Unlhbg\asappsrv.dll
2005-08-02 22:58   293,888   --sha-r   C:\WINDOWS\Unlhbg\command.exe
2005-07-29 22:24   472   --sha-r   C:\WINDOWS\Unlhbg\oB51v0.vbs
.
----a-w   180,269 2008-03-30 02:10:26  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 86,102 2008-03-30 02:10:23  C:\Program Files\Dell AIO Printer A940\dlbabmgr .exe
----a-w   278,528 2008-03-30 02:10:34  C:\Program Files\DIGStream\digstream .exe
----a-w 61,440 2008-03-30 02:10:35  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w   101,888 2008-03-30 02:11:33  C:\Program Files\ESPNRunTime\DIGServices .exe
----a-w   278,528 2008-03-27 14:04:25  C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2008-03-30 02:10:41  C:\Program Files\Messenger\MSMSGS .EXE
----a-w   524,288 2008-03-27 14:04:20  C:\Program Files\QuickTime\qttask .exe
----a-w   524,288 2008-03-27 13:53:14  C:\Program Files\QuickTime\qttask .exe
----a-w   524,288 2008-02-07 20:29:54  C:\Program Files\QuickTime\qttask   .exe
----a-w   524,288 2008-02-03 19:06:53  C:\Program Files\QuickTime\qttask  .exe
----a-w   524,288 2008-02-03 18:49:36  C:\Program Files\QuickTime\qttask .exe
----a-w   524,288 2008-01-31 21:33:31  C:\Program Files\QuickTime\qttask .exe
----a-w   524,288 2008-01-19 17:33:46  C:\Program Files\QuickTime\qttask   .exe
----a-w   524,288 2008-01-19 07:38:45  C:\Program Files\QuickTime\qttask  .exe
----a-w   524,288 2008-01-18 16:42:52  C:\Program Files\QuickTime\qttask .exe
----a-w   524,288 2008-01-18 05:38:58  C:\Program Files\QuickTime\qttask .exe
----a-w   524,288 2008-01-18 05:25:22  C:\Program Files\QuickTime\qttask   .exe
----a-w   524,288 2008-01-10 21:17:54  C:\Program Files\QuickTime\qttask  .exe
----a-w   524,288 2007-12-31 14:40:20  C:\Program Files\QuickTime\qttask .exe
----a-w   524,288 2007-12-24 17:45:21  C:\Program Files\QuickTime\qttask .exe
----a-w   524,288 2007-12-24 17:39:11  C:\Program Files\QuickTime\qttask   .exe
----a-w   524,288 2007-12-23 21:00:22  C:\Program Files\QuickTime\qttask  .exe
----a-w   524,288 2007-12-23 17:39:38  C:\Program Files\QuickTime\qttask .exe
----a-w   684,032 2008-03-30 02:10:31  C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kjhnlf"="C:\WINDOWS\system32\?ppPatch\w?nspool.exe" [ ]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-06 20:25 1910040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 15:44 128648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 03:47:22 151552]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMff713b06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fc42089a]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-04-24 17:58 4616192 C:\WINDOWS\System32\NvCpl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Morpheus Ultra\\Morpheus.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 16:17:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-27 16:21:28 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-27 21:21:25

Pre-Run: 51,396,366,336 bytes free
Post-Run: 53,125,754,880 bytes free

342   --- E O F ---   2008-05-27 02:32:53






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:22 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKCU\..\Run: [Kjhnlf] C:\WINDOWS\system32\?ppPatch\w?nspool.exe
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3306 bytes

guestolo
Hijack this log
« Reply #3 on: May 28, 2008, 12:45:56 AM »
Open notepad
Copy ALL the BLUE text below and Paste to notepad
Don't use anything other than notepad or the script will not work
File::
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\Documents and Settings\All Users\Application Data\wzyrqjwp.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\QuickTime\qttask                 .exe
Folder::
C:\WINDOWS\Unlhbg
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kjhnlf"=-
"QdrModule16"=-
"QdrPack16"=-
"Uniblue RegistryBooster 2"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMff713b06]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fc42089a]
RenV::
C:\Program Files\Dell AIO Printer A940\dlbabmgr .exe
C:\Program Files\DIGStream\digstream .exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\ESPNRunTime\DIGServices .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Messenger\MSMSGS .EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe

Save this as a text file on your desktop and name it CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start >> Follow the prompts

Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Take notice: Combofix may prompt that the computer needs to reboot, don't interrupt it
Allow it to

When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.
I'll need to see that log later

Afterwards:
Download RenV by sUBs.

1. Save it to your Desktop.
2. Double-click RenV.exe
3. It shall produce a log for you. Please post that log in your reply.


Along with the following

1. Post the log from ComboFix
2. Post a fresh Hijackthis log
« Last Edit: May 28, 2008, 12:46:39 AM by guestolo »

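As an added example (my own code, not a tool from this thread and not part of HijackThis, ComboFix or RenV): a Python triage pass over HijackThis v2 log lines that flags the entry kinds the posted log makes visible: the F2 UserInit value that starts something other than userinit.exe, O2/O20 registrations pointing at missing files, names with whitespace before the extension (the same pattern as the paths listed under RenV:: in the reply above), O4 paths containing "?" that HijackThis could not render, and O18 MIME filters. The sample lines are copied from the first log in the thread; the check names and reasons are mine.

```python
import re
from typing import List, Tuple

# Sample HijackThis v2 lines copied from the log posted at the top of this
# thread (a subset, enough to exercise every check below).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [kifi] C:\PROGRA~1\COMMON~1\kifi\kifim .exe
O4 - HKCU\..\Run: [Kjhnlf] C:\WINDOWS\system32\?ppPatch\w?nspool.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: xxywwus - xxywwus.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "kifim .exe", "qttask   .exe": whitespace between the name and its extension.
PADDED_EXT = re.compile(r"\S\s+\.(exe|dll|scr|com)\b", re.IGNORECASE)
# Registrations whose target no longer exists on disk.
ORPHAN = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)


def section(line: str) -> str:
    """Return the HijackThis section tag (R0, F2, O4, O23 ...) of a line, or ''."""
    m = re.match(r"([RFNO]\d+) - ", line)
    return m.group(1) if m else ""


def check_userinit(line: str) -> str:
    """F2 UserInit: the normal value is userinit.exe alone. Anything else in the
    comma-separated list is started by winlogon at every logon. Returns the
    extra entries joined by commas, or '' when the value is clean."""
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if not m:
        return ""
    extras = []
    for path in m.group(1).split(","):
        path = path.strip()
        if path and path.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(path)
    return ",".join(extras)


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every entry that deserves a look.
    One line can yield several findings; clean lines yield none."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        tag = section(line)
        if not tag:
            continue
        if tag == "F2":
            extra = check_userinit(line)
            if extra:
                findings.append((tag, "UserInit starts extra executable: " + extra, line))
        if ORPHAN.search(line):
            findings.append((tag, "registration points at a missing file", line))
        if PADDED_EXT.search(line):
            findings.append((tag, "whitespace before the file extension", line))
        if tag == "O4" and "?" in line.split("] ", 1)[-1]:
            # "?" cannot occur in a Windows file name, so it stands for a
            # character the log could not render (a look-alike glyph).
            findings.append((tag, "unrenderable character in autorun path", line))
        if tag == "O18":
            findings.append((tag, "MIME filter registered; confirm the DLL is expected", line))
    return findings


if __name__ == "__main__":
    for tag, reason, line in triage(SAMPLE_LOG):
        print(f"{tag:4} {reason}\n     {line}")
```

Feeding the full log from the first post through triage() lists every (no file) BHO and the UserInit entry in one pass; everything it does not flag still needs a human read, since a clean-looking O4 path such as the QdrModule ones is only suspicious by name.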


guestolo
Hijack this log
« Reply #4 on: July 06, 2008, 08:07:27 PM »
Since the original poster has not returned, I'll lock this topic
