  1. #31
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    FLH, can you disregard Bryan's advice for a moment? Just doing those logs now. Sorry Bryan, no offence!

  2. #32
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    OK - There are a couple of infected files still left on your PC. Should be fairly easy to remove if you follow these instructions carefully (you might like to print it out):
    1. Download and run ATF-Cleaner. Tick Select All and then click Empty Selected. Note at the top of the program there is a Firefox option. Click that and do the same. You can deselect passwords if you like.
    2. In the hard drive where you have "Force Commander" set up, download the attached CFScript.zip file, unzip it and then drag-and-drop CFScript onto ComboFix. ComboFix will then run. Post the new log here.
    3. Also on the "Force Commander" drive, RENAME HijackThis and then run it and post the log here.
    4. Log into your other Windows installation and run both Combofix and HijackThis and post the logs here.
    5. Disable and re-enable System Restore in both Windows installations. Instructions can be found here.
    6. Scan these files on VirusTotal (and let me know if they're dodgy):
      c:\program files\mozilla firefox\components\browserdirprovider(2).dll
      c:\program files\mozilla firefox\components\browserdirprovider.dll (if it exists)
      c:\program files\mozilla firefox\components\brwsrcmp(2).dll
      c:\program files\mozilla firefox\components\brwsrcmp.dll (if it exists)
    7. Tell me what's in the folder c:\program files\nKast - are you familiar with whatever it is?
    Last edited by Mjölnir; 01-16-2009 at 08:13 AM.

  3. #33
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    I ran ATF Cleaner on both users.

    Then I ran ComboFix as instructed on the "Force Commander" user, which is the administrative user. I'm not sure if I should do it on "David" too, since that's the account I use regularly. In any case, here's the log.

    ComboFix 09-01-16.02 - Force Commander 2009-01-16 14:47:18.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1639 [GMT -8:00]
    Running from: c:\documents and settings\Force Commander\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Force Commander\Desktop\CFScript
    * Created a new restore point

    FILE ::
    c:\documents and settings\Force Commander\Local Settings\Temp\tmpD.tmp
    c:\windows\system32\drivers\gaopdxdltimrsv.sys
    c:\windows\Tasks\Antispyware Scheduled Scan.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Force Commander\Application Data\Antispyware
    c:\documents and settings\Force Commander\Application Data\Antispyware\Log\2009 Jan 14 - 10_29_29 PM_406.log
    c:\documents and settings\Force Commander\Application Data\Antispyware\rs.dat
    c:\documents and settings\Force Commander\Application Data\Antispyware\Settings\ScanResults.pie
    c:\windows\Tasks\Antispyware Scheduled Scan.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
    .

    2009-01-16 14:36 . 2009-01-16 14:36 <DIR> d-------- C:\TEMP
    2009-01-15 10:50 . 2009-01-15 10:50 <DIR> d-------- c:\program files\Trend Micro
    2009-01-15 01:11 . 2009-01-15 01:11 73,216 --a------ c:\windows\system32\drivers\gaopdxsvpiaswn.sys
    2009-01-14 22:39 . 2009-01-14 22:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-14 21:49 . 2009-01-14 21:49 73,216 --a------ c:\windows\system32\drivers\gaopdxumpmaail.sys
    2009-01-14 00:19 . 2009-01-14 00:19 <DIR> d-------- c:\program files\File Scavenger 3.0
    2009-01-14 00:12 . 2009-01-14 00:12 <DIR> d-------- c:\program files\uTorrent
    2009-01-14 00:12 . 2009-01-14 00:18 <DIR> d-------- c:\documents and settings\David\Application Data\uTorrent
    2009-01-13 23:50 . 2009-01-14 12:43 73,728 --a------ c:\windows\system32\drivers\gaopdxxtfmlwxv.sys
    2009-01-13 11:55 . 2009-01-13 11:55 <DIR> d-------- c:\program files\Promise Technology, Inc
    2009-01-13 11:55 . 2009-01-13 11:55 <DIR> d-------- c:\program files\Promise
    2009-01-13 11:55 . 2003-11-05 18:06 110,592 --a------ c:\windows\system32\ulutil2.dll
    2009-01-13 11:55 . 2006-04-06 17:52 108,544 --a------ c:\windows\system32\drivers\ulsata2.sys
    2009-01-13 11:55 . 2003-11-05 08:45 17,408 --a------ c:\windows\system32\drivers\bb-run.sys
    2009-01-13 11:55 . 2004-06-29 14:25 7,680 --a------ c:\windows\system32\drivers\dontgo.sys
    2009-01-05 21:17 . 2009-01-13 21:57 <DIR> d-------- C:\Downloads
    2009-01-05 16:34 . 2009-01-05 16:34 <DIR> d-------- c:\program files\Western Digital
    2009-01-05 16:24 . 2009-01-14 21:52 <DIR> d-------- c:\windows\system32\NtmsData
    2009-01-04 03:37 . 2009-01-04 04:53 <DIR> d-------- c:\program files\Super DVD Ripper
    2009-01-04 02:36 . 2009-01-04 02:36 <DIR> d-------- C:\WinFast WorkArea
    2009-01-02 13:32 . 2009-01-02 13:33 <DIR> d-------- C:\WFDB
    2009-01-02 13:32 . 2009-01-02 13:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
    2009-01-02 13:32 . 2001-12-19 15:47 49,152 --a------ c:\windows\system32\TempDel.EXE
    2009-01-02 13:32 . 2005-01-06 16:55 9,446 --a------ c:\windows\system32\drivers\WFIOCTL.sys
    2009-01-02 13:25 . 2005-06-28 09:24 163,584 --a------ c:\windows\system32\drivers\cx88vid.sys
    2009-01-02 13:24 . 2009-01-02 13:24 <DIR> d-------- c:\windows\system32\WinFox
    2009-01-02 13:24 . 2009-01-02 13:25 <DIR> d-------- c:\windows\system32\WinFast
    2009-01-02 13:24 . 2005-03-25 18:24 9,600 --a------ c:\windows\system32\drivers\WINFOXIO.sys
    2009-01-02 13:14 . 2009-01-02 13:14 799 --a------ c:\windows\system\Cmicnfgp.ini
    2009-01-02 12:39 . 2009-01-02 12:39 <DIR> d-------- c:\program files\Common Files\Ulead Systems
    2009-01-02 12:37 . 2009-01-02 12:37 <DIR> d-------- c:\program files\WinFast
    2009-01-02 12:33 . 2009-01-02 12:33 <DIR> d-------- C:\WinFast
    2009-01-02 12:33 . 2009-01-02 13:25 <DIR> d-------- c:\windows\system32\DX9
    2009-01-02 00:18 . 2009-01-02 00:18 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Red Alert 3
    2008-12-29 17:49 . 2008-12-29 17:49 <DIR> d-------- c:\program files\eBay
    2008-12-29 17:49 . 2008-12-29 17:49 <DIR> d-------- c:\documents and settings\All Users\eBay
    2008-12-28 22:52 . 2008-12-28 22:52 <DIR> d-------- c:\program files\Combined Community Codec Pack
    2008-12-28 20:00 . 2009-01-15 15:27 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-26 19:57 . 2008-12-26 19:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
    2008-12-26 19:56 . 2008-12-26 19:56 <DIR> d-------- c:\program files\Seagate
    2008-12-26 19:56 . 2008-12-26 19:56 441,760 --a------ c:\windows\system32\drivers\timntr.sys
    2008-12-26 19:56 . 2008-12-26 19:56 368,480 --a------ c:\windows\system32\drivers\tdrpman.sys
    2008-12-26 19:56 . 2008-12-26 19:56 132,224 --a------ c:\windows\system32\drivers\snapman.sys
    2008-12-26 19:56 . 2008-12-26 19:56 44,384 --a------ c:\windows\system32\drivers\tifsfilt.sys
    2008-12-24 19:41 . 2008-12-24 19:41 <DIR> d---s---- c:\documents and settings\David\UserData
    2008-12-24 19:02 . 2008-12-24 19:02 <DIR> d-------- c:\documents and settings\David\Application Data\FastStone
    2008-12-24 16:42 . 2008-12-24 16:42 <DIR> d-------- c:\documents and settings\David\Application Data\dvdcss
    2008-12-23 19:10 . 2008-12-23 19:10 <DIR> d-------- c:\documents and settings\David\Application Data\Red Alert 3
    2008-12-23 18:54 . 2008-12-23 18:54 <DIR> d-------- c:\windows\Logs
    2008-12-23 18:54 . 2008-12-23 18:54 <DIR> d-------- c:\program files\Electronic Arts
    2008-12-23 18:54 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
    2008-12-23 18:54 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
    2008-12-23 18:54 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
    2008-12-23 18:53 . 2008-12-23 19:04 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\DAEMON Tools
    2008-12-23 18:52 . 2008-12-23 18:52 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Aim
    2008-12-21 22:32 . 2008-12-21 22:32 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-12-21 22:31 . 2009-01-02 13:00 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-21 22:14 . 2008-12-21 22:14 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2008-12-21 22:11 . 2008-12-21 22:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe(2)
    2008-12-21 22:10 . 2008-12-21 22:11 <DIR> d-------- c:\program files\Common Files\Adobe(2)
    2008-12-20 21:20 . 2008-12-20 21:20 <DIR> d-------- c:\documents and settings\David\Application Data\Creative
    2008-12-20 11:04 . 2008-12-20 11:04 <DIR> d-------- c:\documents and settings\David\Application Data\vlc
    2008-12-20 11:00 . 2008-12-20 11:00 <DIR> d-------- c:\program files\Winamp
    2008-12-20 11:00 . 2008-12-20 11:02 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Winamp
    2008-12-20 10:58 . 2008-12-20 11:02 <DIR> d-------- c:\documents and settings\David\Application Data\Winamp
    2008-12-20 01:04 . 2008-12-20 01:04 <DIR> d-------- c:\documents and settings\David\Application Data\Media Player Classic
    2008-12-19 07:52 . 2008-12-21 12:31 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\FaxCtr
    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\DivX
    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\ASUS
    2008-12-18 21:48 . 2009-01-02 13:00 <DIR> d-------- c:\documents and settings\Force Commander
    2008-12-18 21:48 . 2009-01-16 14:40 116 --a------ c:\windows\NeroDigital.ini
    2008-12-18 19:47 . 2008-12-18 19:47 <DIR> d-------- c:\documents and settings\David\Application Data\FaxCtr
    2008-12-18 19:47 . 2008-12-18 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Creative
    2008-12-18 18:51 . 2008-12-18 18:51 <DIR> d-------- c:\program files\AVG
    2008-12-18 18:51 . 2009-01-15 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-18 18:44 . 2009-01-16 14:50 <DIR> d-------- c:\program files\lx_cats

  4. #34
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    2008-12-18 18:43 . 2008-12-18 19:41 <DIR> d-------- c:\program files\Lexmark Fax Solutions
    2008-12-18 18:43 . 2008-12-18 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\FaxCtr
    2008-12-18 18:43 . 2008-08-14 02:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-18 18:43 . 2008-08-14 01:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-18 18:43 . 2008-08-14 01:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-18 18:43 . 2008-08-14 01:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-18 18:43 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-18 18:43 . 2005-12-23 06:18 339,968 --a------ c:\windows\system32\IMGMAN32.DLL
    2008-12-18 18:43 . 2005-12-23 06:18 98,345 --a------ c:\windows\system32\IMHOST32.DLL
    2008-12-18 18:43 . 2005-12-23 06:18 98,304 --a------ c:\windows\system32\IM31XPNG.DEL
    2008-12-18 18:43 . 2005-12-23 06:18 69,632 --a------ c:\windows\system32\IM31XTIF.DEL
    2008-12-18 18:43 . 2005-12-23 06:18 49,152 --a------ c:\windows\system32\IM31IMG.DIL
    2008-12-18 18:43 . 2006-02-02 00:26 12,288 --a------ c:\windows\system32\LXPMONRC.DLL
    2008-12-18 18:42 . 2008-12-18 18:42 <DIR> d-------- c:\program files\Lexmark Toolbar
    2008-12-18 18:42 . 2008-12-18 18:44 <DIR> d-------- c:\program files\Lexmark 3400 Series
    2008-12-18 18:42 . 2008-12-18 18:42 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint
    2008-12-18 18:37 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2008-12-18 18:36 . 2008-12-18 19:36 <DIR> d--h----- c:\windows\$hf_mig$
    2008-12-18 18:30 . 2004-07-20 17:24 1,568,768 --------- c:\windows\system32\ImagX7.dll
    2008-12-18 18:30 . 2004-07-20 17:24 476,320 --------- c:\windows\system32\ImagXpr7.dll
    2008-12-18 18:30 . 2004-07-20 17:24 471,040 --------- c:\windows\system32\ImagXRA7.dll
    2008-12-18 18:30 . 2004-07-09 09:43 364,544 --------- c:\windows\system32\TwnLib4.dll
    2008-12-18 18:30 . 2004-07-20 17:24 262,144 --------- c:\windows\system32\ImagXR7.dll
    2008-12-18 18:30 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
    2008-12-18 18:30 . 2001-06-26 08:15 38,912 --------- c:\windows\system32\picn20.dll
    2008-12-18 18:29 . 2008-12-18 18:31 <DIR> d-------- c:\program files\Common Files\Ahead
    2008-12-18 18:29 . 2008-12-18 18:30 <DIR> d-------- c:\program files\Ahead
    2008-12-18 18:29 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
    2008-12-18 18:16 . 2008-12-18 18:16 <DIR> d--h----- c:\program files\Creative Installation Information
    2008-12-18 18:16 . 2008-12-18 18:16 <DIR> d-------- c:\program files\Common Files\Creative
    2008-12-18 18:16 . 1999-12-13 09:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
    2008-12-18 18:16 . 1999-11-18 09:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
    2008-12-18 18:15 . 2008-12-18 18:16 <DIR> d-------- c:\program files\Creative
    2008-12-18 18:14 . 2008-12-20 17:40 <DIR> d-------- c:\documents and settings\David\Application Data\DivX
    2008-12-18 18:13 . 2008-12-18 18:13 <DIR> d-------- c:\program files\Vodei
    2008-12-18 18:13 . 2008-12-18 18:13 <DIR> d-------- c:\program files\DirectVobSub
    2008-12-18 18:12 . 2008-12-18 18:12 <DIR> d-------- c:\program files\VideoLAN
    2008-12-18 18:12 . 2008-12-18 18:12 <DIR> d-------- c:\program files\Gabest
    2008-12-18 18:11 . 2008-12-18 18:11 <DIR> d-------- c:\program files\eRightSoft
    2008-12-18 18:10 . 2009-01-16 14:44 <DIR> d-------- c:\program files\Steam
    2008-12-18 18:10 . 2008-12-18 18:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-18 18:10 . 2008-12-25 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-18 18:09 . 2008-12-18 18:09 <DIR> d-------- c:\program files\Real Alternative
    2008-12-18 18:09 . 2008-12-18 18:09 <DIR> d-------- c:\program files\nKast
    2008-12-18 18:09 . 2008-12-18 18:09 <DIR> d-------- c:\program files\ImgBurn

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-02 21:14 413,696 ----a-w c:\windows\system32\wrap_oal.dll
    2009-01-02 21:14 102,400 ----a-w c:\windows\system32\OpenAL32.dll
    2008-12-19 00:55 --------- d-----w c:\program files\microsoft frontpage
    2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
    2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
    2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
    2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
    2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
    2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
    2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
    2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
    2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
    2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
    2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
    2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
    2008-11-05 20:23 49,152 ----a-r c:\windows\system32\inetwh32.dll
    2008-11-05 20:23 1,044,480 ----a-r c:\windows\system32\roboex32.dll
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
    2008-12-21 10:49 23,032 ----a-w c:\program files\mozilla firefox\components\browserdirprovider(2).dll
    2008-12-21 10:49 134,648 ----a-w c:\program files\mozilla firefox\components\brwsrcmp(2).dll
    2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
    .

  5. #35
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="c:\program files\AIM\aim.exe" [2004-03-12 61440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
    "Cmaudio8788GX"="c:\windows\system\HsMgr.exe" [2008-07-11 200704]
    "DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2004-02-28 144896]
    "CTCheck"="c:\program files\Creative\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2006-01-25 286720]
    "EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2006-02-06 98304]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
    "LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2005-12-01 65536]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2006-07-07 348160]
    "nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
    "PtiuPbmd"="ulutil2.dll" [2003-11-05 c:\windows\system32\ulutil2.dll]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2009-01-13 7680]
    R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2009-01-13 108544]
    R3 cmudaxp;ASUS Xonar DX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-12-18 1983424]
    R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
    R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2009-01-02 9446]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Force Commander\Application Data\Mozilla\Firefox\Profiles\wlta00p6.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-16 14:49:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16????????????????????????????? ???????????????????????????????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\CTSVCCDA.EXE
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\uwdf.exe
    c:\windows\system32\lxcycoms.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-16 14:51:09 - machine was rebooted [Force Commander]
    ComboFix-quarantined-files.txt 2009-01-16 22:51:07
    ComboFix2.txt 2009-01-16 04:26:38
    ComboFix3.txt 2009-01-15 23:58:21

    Pre-Run: 179,575,513,088 bytes free
    Post-Run: 179,562,647,552 bytes free

    250 --- E O F --- 2008-12-19 03:36:44

  6. #36
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    OK. I just ran HijackThis. I renamed everything "sherlock": the install file, the install folder(s), the program itself.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:09:40 PM, on 1/16/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system\HsMgr.exe
    C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
    C:\Program Files\Lexmark 3400 Series\lxcymon.exe
    C:\Program Files\Lexmark 3400 Series\ezprint.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\lxcycoms.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Sherlock\Sherlock\Sherlock.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Cmaudio8788GX] C:\WINDOWS\system\HsMgr.exe Envoke
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 4789 bytes

  7. #37
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Those logs were on C:

    I am now going to log onto H: (The other windows install)

  8. #38
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    From H:

    ComboFix 09-01-16.02 - Force Commander 2009-01-16 15:27:18.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1687 [GMT -8:00]
    Running from: c:\documents and settings\Force Commander\Desktop\ComboFix.exe
    Command switches used :: h:\documents and settings\Force Commander\Desktop\CFScript
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\documents and settings\Force Commander\Local Settings\Temp\tmpD.tmp
    c:\windows\system32\drivers\gaopdxdltimrsv.sys
    c:\windows\Tasks\Antispyware Scheduled Scan.job
    .

    ((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
    .

    2009-01-15 18:39 . 2009-01-15 18:39 <DIR> d-------- h:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-01-15 17:23 . 2009-01-15 17:23 <DIR> d-------- h:\windows\Sun
    2009-01-15 17:22 . 2009-01-15 17:22 <DIR> d-------- h:\program files\Java
    2009-01-15 17:22 . 2009-01-15 17:22 410,984 --a------ h:\windows\system32\deploytk.dll
    2009-01-15 17:22 . 2009-01-15 17:22 73,728 --a------ h:\windows\system32\javacpl.cpl
    2009-01-15 15:59 . 2009-01-15 15:59 <DIR> d-------- h:\documents and settings\Force Commander\WINDOWS
    2009-01-15 15:19 . 2009-01-15 15:19 <DIR> d-------- h:\documents and settings\Force Commander\Application Data\Malwarebytes
    2009-01-15 15:19 . 2009-01-14 16:11 38,496 --a------ h:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-15 15:19 . 2009-01-14 16:11 15,504 --a------ h:\windows\system32\drivers\mbam.sys
    2009-01-15 15:18 . 2009-01-15 15:19 <DIR> d-------- h:\program files\Malwarebytes' Anti-Malware
    2009-01-15 15:18 . 2009-01-15 15:18 <DIR> d-------- h:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-15 15:06 . 2009-01-15 15:06 <DIR> d-------- h:\program files\Winamp
    2009-01-15 15:06 . 2009-01-15 15:06 <DIR> d-------- h:\documents and settings\Force Commander\Application Data\Winamp
    2009-01-15 15:03 . 2001-11-23 12:08 712,704 --a------ h:\windows\system32\Audio3Dp.dll
    2009-01-15 15:03 . 2001-08-17 22:36 98,304 --a--c--- h:\windows\system32\dllcache\a3d.dll
    2009-01-15 15:03 . 2001-08-17 22:36 98,304 --a------ h:\windows\system32\a3d.dll
    2009-01-15 15:03 . 2009-01-15 15:03 799 --a------ h:\windows\system\Cmicnfgp.ini
    2009-01-14 02:36 . 2009-01-14 02:36 <DIR> d--h----- H:\$AVG8.VAULT$
    2008-12-23 14:46 . 2008-12-23 14:46 <DIR> d-------- h:\windows\Logs
    2008-12-23 14:46 . 2008-12-23 14:46 <DIR> d-------- h:\program files\Electronic Arts
    2008-12-23 14:46 . 2008-05-30 14:11 3,850,760 --a------ h:\windows\system32\D3DX9_38.dll
    2008-12-23 14:46 . 2007-07-19 18:14 3,727,720 --a------ h:\windows\system32\d3dx9_35.dll
    2008-12-23 14:46 . 2008-05-30 14:11 1,491,992 --a------ h:\windows\system32\D3DCompiler_38.dll
    2008-12-23 14:46 . 2007-07-19 18:14 1,358,192 --a------ h:\windows\system32\D3DCompiler_35.dll
    2008-12-23 14:46 . 2008-05-30 14:11 467,984 --a------ h:\windows\system32\d3dx10_38.dll
    2008-12-23 14:46 . 2007-07-19 18:14 444,776 --a------ h:\windows\system32\d3dx10_35.dll
    2008-12-23 14:33 . 2008-12-23 14:33 <DIR> d-------- h:\program files\DAEMON Tools Lite
    2008-12-23 14:31 . 2008-12-23 14:31 717,296 --a------ h:\windows\system32\drivers\sptd.sys
    2008-12-23 14:29 . 2009-01-16 15:18 <DIR> d-------- h:\windows\system32\drivers\Avg
    2008-12-23 14:29 . 2008-12-23 14:29 <DIR> d-------- h:\program files\AVG
    2008-12-23 14:29 . 2009-01-16 15:21 <DIR> d-------- h:\documents and settings\All Users\Application Data\avg8
    2008-12-23 14:29 . 2008-12-23 14:29 97,928 --a------ h:\windows\system32\drivers\avgldx86.sys
    2008-12-23 14:29 . 2008-12-23 14:29 10,520 --a------ h:\windows\system32\avgrsstx.dll
    2008-12-18 15:31 . 2008-12-18 15:31 <DIR> d-------- h:\documents and settings\Force Commander\Application Data\Aim
    2008-12-18 15:24 . 2008-12-18 15:24 <DIR> d-------- h:\documents and settings\Force Commander\Application Data\ASUS
    2008-12-18 15:23 . 2008-12-23 14:29 <DIR> d-------- h:\documents and settings\Force Commander
    2008-12-18 00:40 . 2008-12-18 00:40 <DIR> d-------- h:\program files\Alarm
    2008-12-18 00:40 . 2000-05-21 23:00 647,872 --a------ h:\windows\system32\mscomct2.ocx
    2008-12-18 00:40 . 2000-05-21 23:00 140,488 --a------ h:\windows\system32\comdlg32.ocx
    2008-12-18 00:40 . 2001-04-16 19:31 61,440 --a------ h:\windows\system32\digitbox.ocx
    2008-12-18 00:36 . 2008-12-18 00:36 <DIR> d-------- h:\windows\Downloaded Installations
    2008-12-18 00:36 . 2008-12-18 00:36 <DIR> d-------- h:\program files\Viewpoint
    2008-12-18 00:36 . 2008-12-18 00:36 <DIR> d-------- h:\program files\AOD
    2008-12-18 00:36 . 2008-12-18 00:37 <DIR> d-------- h:\program files\AIM
    2008-12-18 00:36 . 2008-12-18 00:36 <DIR> d-------- h:\documents and settings\All Users\Application Data\Viewpoint
    2008-12-18 00:36 . 2002-12-18 14:46 344,064 --a------ h:\windows\system32\msvcr70.dll
    2008-12-17 23:49 . 2008-12-17 23:49 <DIR> d-------- h:\windows\OPTIONS
    2008-12-17 23:49 . 2008-12-17 23:49 <DIR> d-------- h:\program files\Realtek
    2008-12-17 23:49 . 2008-12-17 23:49 <DIR> d-------- h:\program files\Intel
    2008-12-17 23:49 . 2008-12-17 23:49 <DIR> d-------- h:\documents and settings\All Users\Application Data\Creative
    2008-12-17 23:49 . 2006-08-14 05:09 83,200 -ra------ h:\windows\system32\drivers\Rtenicxp.sys
    2008-12-17 23:48 . 2008-12-17 23:48 0 --a------ h:\windows\nsreg.dat
    2008-12-17 23:46 . 2008-12-17 23:46 <DIR> d-------- h:\program files\Lavasoft
    2008-12-17 23:46 . 2008-12-17 23:46 <DIR> d-------- h:\documents and settings\All Users\Application Data\Lavasoft

  9. #39
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Cont.
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-15 23:03 413,696 ----a-w h:\windows\system32\wrap_oal.dll
    2009-01-15 23:03 102,400 ----a-w h:\windows\system32\OpenAL32.dll
    2009-01-15 23:03 --------- d-----w h:\program files\ASUS Xonar DX Audio
    2008-12-18 07:49 --------- d--h--w h:\program files\InstallShield Installation Information
    2008-12-18 07:46 --------- d-----w h:\program files\Common Files\Wise Installation Wizard
    2008-12-09 03:36 --------- d-----w h:\program files\VideoLAN
    2008-12-06 17:08 --------- d--h--w h:\program files\Creative Installation Information
    2008-12-06 17:08 --------- d-----w h:\program files\Creative
    2008-12-06 17:08 --------- d-----w h:\program files\Common Files\Creative
    2008-12-06 17:03 --------- d-----w h:\program files\OpenAL
    2008-12-06 17:02 --------- d-----w h:\program files\Common Files\InstallShield
    2008-12-06 17:02 --------- d-----w h:\program files\AGEIA Technologies
    2008-12-06 16:54 --------- d-----w h:\program files\microsoft frontpage
    2008-11-12 21:45 453,152 ----a-w h:\windows\system32\NVUNINST.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="h:\program files\AIM\aim.exe" [2004-03-12 61440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
    "NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
    "Cmaudio8788GX"="h:\windows\system\HsMgr.exe" [2008-07-11 200704]
    "CTCheck"="h:\program files\Creative\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
    "DeadAIM"="h:\progra~1\AIM\\DeadAIM.ocm" [2004-02-28 144896]
    "AVG8_TRAY"="h:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-23 1261336]
    "SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]
    "nwiz"="nwiz.exe" [2008-11-12 h:\windows\system32\nwiz.exe]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "h:\\Program Files\\AIM\\aim.exe"=
    "h:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2008-12-23 97928]
    R3 cmudaxp;ASUS Xonar DX Audio Interface;h:\windows\system32\drivers\cmudaxp.sys [2008-12-06 2019456]
    S3 avg8wd;AVG Free8 WatchDog;h:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-23 231704]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Cmaudio8788 - cmicnfgp.cpl


    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - h:\documents and settings\Force Commander\Application Data\Mozilla\Firefox\Profiles\4wpszh6b.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - component: h:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-16 15:29:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    h:\windows\system32\CTSVCCDA.EXE
    h:\program files\Java\jre6\bin\jqs.exe
    h:\windows\system32\nvsvc32.exe
    h:\windows\system32\wdfmgr.exe
    h:\windows\system32\rundll32.exe
    h:\program files\ASUS Xonar DX Audio\CustomApp\Program\AsusAudioCenter.exe
    h:\windows\system32\wscntfy.exe
    h:\windows\system32\uwdf.exe
    h:\combofix\hidec.exe
    h:\combofix\Catchme.tmp
    .
    **************************************************************************
    .
    Completion time: 2009-01-16 15:31:19 - machine was rebooted [Force Commander]
    ComboFix-quarantined-files.txt 2009-01-16 23:30:02

    Pre-Run: 91,816,456,192 bytes free
    Post-Run: 91,862,880,256 bytes free

    149

  10. #40
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    HijackThis on H:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:34:37 PM, on 1/16/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\system32\CTsvcCDA.exe
    H:\Program Files\Java\jre6\bin\jqs.exe
    H:\WINDOWS\system32\nvsvc32.exe
    H:\WINDOWS\system32\RUNDLL32.EXE
    H:\PROGRA~1\AVG\AVG8\avgtray.exe
    H:\Program Files\ASUS Xonar DX Audio\Customapp\Program\ASUSAUDIOCENTER.EXE
    H:\Program Files\Java\jre6\bin\jusched.exe
    H:\Program Files\AIM\aim.exe
    H:\WINDOWS\system32\wscntfy.exe
    H:\WINDOWS\system32\wuauclt.exe
    H:\WINDOWS\system32\notepad.exe
    H:\WINDOWS\explorer.exe
    H:\Program Files\Sherlock\Sherlock.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Cmaudio8788GX] H:\WINDOWS\system\HsMgr.exe Envoke
    O4 - HKLM\..\Run: [CTCheck] H:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "H:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [AIM] H:\Program Files\AIM\aim.exe -cnetwait.odl
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - H:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3818 bytes
    I'm going to run ATF Cleaner on H:, then disable System Restore, then go over to C: to continue.

  11. #41
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    OK, all 4 files are 0/38(39)

    nKast is the folder for "Pandora's Shoqbox", which is the software I use to manage my Philips Shoqbox, a portable speaker/storage.

    http://pandorasshoqbox.sourceforge.net/

  12. #42
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Should I install the Kaspersky free trial and run that? I tried the online one but it crashed at 10%. It did detect 2 objects in one of my storage drives however.

    That's strange. I can't install Kaspersky. It says AVG8 is still installed but I uninstalled it.
    Last edited by fatlazyhomer; 01-17-2009 at 06:05 AM.

  13. #43
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    Quote Originally Posted by fatlazyhomer View Post
    I ran ATF Cleaner on both users.
    Good. That'll delete temp files for those users.

    Quote Originally Posted by fatlazyhomer View Post
    Then I ran combofix as instructed on the "Force Commander" user which is the administrative user. Im not sure if I should do it on the "David" too since thats the account I use regularly.
    You mentioned earlier that you had two separate installations of Windows. I wanted to make sure that you had logs for each drive, not each user.

    OK, we have a problem. When Combofix tried to delete c:\windows\system32\drivers\gaopdxdltimrsv.sys (as seen in that first log), three more infected files were created.

    I'd like you to boot your PC using the Windows CD and get into the Recovery Console (Instructions). Make sure you log into the Windows installation that the first Combofix log came from.

    Navigate to the c:\windows\system32\drivers\ folder and then type del gaopd*.sys. At least three files should be deleted. When you've done that, reboot the PC into Windows and run combofix again.


    Also, what was the upshot on scanning the following files on VirusTotal?

    c:\program files\mozilla firefox\components\brwsrcmp.dll
    c:\program files\mozilla firefox\components\brwsrcmp(2).dll
    c:\program files\mozilla firefox\components\browserdirprovider.dll
    c:\program files\mozilla firefox\components\browserdirprovider(2).dll
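A defender-side way to do the check described above (driver files that appear after a deletion attempt, and the gaopd* name pattern) is to parse ComboFix's file-listing lines and filter them. This is an added example, not ComboFix's own code or anything posted in the thread; the regenerated driver names in the sample are constructed placeholders, and the cutoff time is assumed to be the time of the earlier clean-up run.

```python
import re
from datetime import datetime
# A ComboFix "Files Created" line looks like:
#   2008-12-23 14:31 . 2008-12-23 14:31 717,296 --a------ h:\windows\system32\drivers\sptd.sys
# i.e. created, modified, size or <DIR>, attribute flags, full path.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
                     r"(<DIR>|[\d,]+) (\S+) (.+)$")
TS = "%Y-%m-%d %H:%M"

def parse_combofix_lines(text):
    """Parse the file-listing block of a ComboFix log; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append({"created": datetime.strptime(created, TS),
                            "modified": datetime.strptime(modified, TS),
                            "is_dir": size == "<DIR>", "attrs": attrs, "path": path,
                            "size": None if size == "<DIR>" else int(size.replace(",", ""))})
    return entries

def suspicious_drivers(entries, since, prefix="gaopd"):
    """*.sys files under system32\\drivers created at or after `since` ("YYYY-MM-DD HH:MM",
    e.g. when the previous clean-up ran) or whose name starts with `prefix` (the gaopd* pattern)."""
    cutoff = datetime.strptime(since, TS)
    hits = []
    for e in entries:
        p = e["path"].lower()
        if e["is_dir"] or "\\system32\\drivers\\" not in p or not p.endswith(".sys"):
            continue
        if p.rsplit("\\", 1)[-1].startswith(prefix) or e["created"] >= cutoff:
            hits.append(e["path"])
    return hits

# Constructed sample: the first three lines are copied from the log in this thread;
# the gaopdxexample*.sys names are made-up placeholders for the regenerated driver files.
SAMPLE_LOG = r"""
2008-12-23 14:31 . 2008-12-23 14:31 717,296 --a------ h:\windows\system32\drivers\sptd.sys
2008-12-23 14:29 . 2009-01-16 15:18 <DIR> d-------- h:\windows\system32\drivers\Avg
2008-12-23 14:29 . 2008-12-23 14:29 97,928 --a------ h:\windows\system32\drivers\avgldx86.sys
2009-01-16 15:20 . 2009-01-16 15:20 40,960 --a------ c:\windows\system32\drivers\gaopdxexample1.sys
2009-01-16 15:20 . 2009-01-16 15:20 40,960 --a------ c:\windows\system32\drivers\gaopdxexample2.sys
2009-01-16 15:20 . 2009-01-16 15:20 1,024 --a------ c:\windows\temp\example.tmp
"""

if __name__ == "__main__":
    for hit in suspicious_drivers(parse_combofix_lines(SAMPLE_LOG), "2009-01-16 15:00"):
        print("review:", hit)
```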

  14. #44
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    0/38 on the 4.

    I did however manage to run a full Kaspersky online scan and found 3 objects. I deleted 2 of them but then I saw one of them was my mIRC program. I scanned it with VirusTotal and got these results -

    Should I delete it?

    http://www.virustotal.com/analisis/4...bfbba03069280f

    I'll try the Windows recovery now.

  15. #45
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: Leave my ••••• alone!

    Quote Originally Posted by fatlazyhomer View Post
    ... but then I saw one of them was my mIRC program. I scanned it with VirusTotal and got these results -

    Should I delete it?

    http://www.virustotal.com/analisis/4...bfbba03069280f
    No, so long as you know what it is then that's fine. Some AVs detect mIRC as a potential threat because many backdoor trojans are controlled by IRC and thus contain an IRC component.

    Back over to Mjölnir now
