Police Pro & Antivirus 2010

Hello, I have the virus Windows Police Pro and AntivirusPro 2010 on my computer. I've tried installing Malwarebytes' Anti-Malware but it said that mbam-setup.exe could not be found.

So I read about all the different ways to get the program to try and work. I downloaded HijackThis and tried to install it, but when I double-clicked on it, I got the message:

Running the application is impossible. The file C:/Documents and Settings John/Desktop/HJTInstall.exe is infected. Please activate your antivirus program.

This virus is a real pain. Please help so I can get it removed. Thanks so much in advance.

Link to post
Share on other sites

Okay, here we go:

ComboFix 09-10-17.01 - John Halbert 10/18/2009 17:51.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.240 [GMT -7:00]

Running from: c:\documents and settings\John Halbert\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\JOHNHA~1\LOCALS~1\Temp\services.exe

c:\docume~1\JOHNHA~1\LOCALS~1\Temp\taskmgr.exe

c:\documents and settings\All Users.WINDOWS\Application Data\67077128

c:\documents and settings\All Users.WINDOWS\Application Data\67077128\67077128.exe

c:\documents and settings\All Users.WINDOWS\Application Data\80670324

c:\documents and settings\All Users.WINDOWS\Application Data\80670324\80670324.bat

c:\documents and settings\All Users.WINDOWS\Application Data\80670324\80670324.exe

c:\documents and settings\All Users.WINDOWS\Application Data\ivexuhezi.reg

c:\documents and settings\All Users.WINDOWS\Application Data\xurulukyh.vbs

c:\documents and settings\All Users.WINDOWS\Application Data\ymop.lib

c:\documents and settings\John Halbert\Application Data\iniasd.txt

c:\documents and settings\John Halbert\Application Data\lizkavd.exe

c:\documents and settings\John Halbert\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\John Halbert\Application Data\qanelyv.pif

c:\documents and settings\John Halbert\Application Data\seres.exe

c:\documents and settings\John Halbert\Application Data\svcst.exe

c:\documents and settings\John Halbert\Application Data\yrehuku._sy

c:\documents and settings\John Halbert\Cookies\harah.ban

c:\documents and settings\John Halbert\Cookies\kymisex.bin

c:\documents and settings\John Halbert\Cookies\otirucoci.dat

c:\documents and settings\John Halbert\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\John Halbert\Desktop\Windows Police Pro.lnk

c:\documents and settings\John Halbert\Local Settings\Application Data\azeze.bat

c:\documents and settings\John Halbert\Local Settings\Temporary Internet Files\benysuvamu.lib

c:\documents and settings\John Halbert\Local Settings\Temporary Internet Files\bojilobem.inf

c:\documents and settings\John Halbert\Local Settings\Temporary Internet Files\favicon.ico

c:\documents and settings\John Halbert\Local Settings\Temporary Internet Files\ikesuwifac.dll

c:\documents and settings\John Halbert\Local Settings\Temporary Internet Files\ixaxyjuli.sys

c:\documents and settings\John Halbert\Local Settings\Temporary Internet Files\vegas.ico

c:\documents and settings\John Halbert\Local Settings\Temporary Internet Files\yvuh._dl

c:\documents and settings\John Halbert\ntuser.dll

c:\documents and settings\John Halbert\Start Menu\Programs\Startup\scandisk.dll

c:\documents and settings\John Halbert\Start Menu\Programs\Startup\scandisk.lnk

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\Common Files\ajidunoru.dll

c:\program files\Common Files\hivanor.vbs

c:\program files\Common Files\lowopa.dll

c:\program files\Common Files\uvoteqifi.bat

c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll

c:\program files\Windows Police Pro

c:\program files\Windows Police Pro\msvcm80.dll

c:\program files\Windows Police Pro\msvcp80.dll

c:\program files\Windows Police Pro\msvcr80.dll

c:\program files\Windows Police Pro\Windows Police Pro.exe

c:\recycler\S-1-5-21-1275210071-764733703-1343024091-1004

c:\recycler\S-1-5-21-2025429265-1708537768-854245398-1004

c:\windows\aceg.vbs

c:\windows\dikoca.reg

c:\windows\Installer\24f58db.msi

c:\windows\Installer\24f58f8.msi

c:\windows\okopofev.dll

c:\windows\pedifum.scr

c:\windows\svohost.exe

c:\windows\system32\_scui.cpl

c:\windows\system32\~.exe

c:\windows\system32\AVR09.exe

c:\windows\system32\calc.dll

c:\windows\system32\certstore.dat

c:\windows\system32\FInstall.sys

c:\windows\system32\fypo.inf

c:\windows\system32\gipekoji.dll

c:\windows\system32\gv1csnbotv.dll

c:\windows\system32\hinuhilu.dll

c:\windows\system32\Install.txt

c:\windows\system32\isapeep.sys

c:\windows\system32\kofohy.dl

c:\windows\system32\livoguyi.dll

c:\windows\system32\mitob.dll

c:\windows\system32\nobupize.dll

c:\windows\system32\nuar.old

c:\windows\system32\poyimimu.dll

c:\windows\system32\pump.exe

c:\windows\system32\schtml

c:\windows\system32\schtml\dbsinit.exe

c:\windows\system32\schtml\images\i1.gif

c:\windows\system32\schtml\images\i2.gif

c:\windows\system32\schtml\images\i3.gif

c:\windows\system32\schtml\images\j1.gif

c:\windows\system32\schtml\images\j2.gif

c:\windows\system32\schtml\images\j3.gif

c:\windows\system32\schtml\images\jj1.gif

c:\windows\system32\schtml\images\jj2.gif

c:\windows\system32\schtml\images\jj3.gif

c:\windows\system32\schtml\images\l1.gif

c:\windows\system32\schtml\images\l2.gif

c:\windows\system32\schtml\images\l3.gif

c:\windows\system32\schtml\images\pix.gif

c:\windows\system32\schtml\images\t1.gif

c:\windows\system32\schtml\images\t2.gif

c:\windows\system32\schtml\images\up1.gif

c:\windows\system32\schtml\images\up2.gif

c:\windows\system32\schtml\images\w1.gif

c:\windows\system32\schtml\images\w11.gif

c:\windows\system32\schtml\images\w2.gif

c:\windows\system32\schtml\images\w3.gif

c:\windows\system32\schtml\images\w3.jpg

c:\windows\system32\schtml\images\word.doc

c:\windows\system32\schtml\images\wt1.gif

c:\windows\system32\schtml\images\wt2.gif

c:\windows\system32\schtml\images\wt3.gif

c:\windows\system32\schtml\wispex.html

c:\windows\system32\skynet.dat

c:\windows\system32\ttt.exe

c:\windows\system32\tulowifi.dll

c:\windows\system32\vezurejo.dll

c:\windows\system32\winhelper.dll

c:\windows\system32\winupdate.exe

c:\windows\TEMP\mta13187.dll

c:\windows\TEMP\t4m0_737238605311.bk.old

c:\windows\TEMP\x1c63279.dll

c:\windows\uxopap.bin

c:\windows\wuhi.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_ZESOFT

-------\Service_6to4

-------\Legacy_isapeep

-------\Legacy_WDefend

-------\Service_isapeep

-------\Service_WDefend

((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))

.

2009-10-18 07:04 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-10-18 07:03 . 2009-08-24 21:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-10-18 07:03 . 2009-08-19 18:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-10-18 07:03 . 2009-10-18 07:05 -------- d-----w- c:\program files\Common Files\PC Tools

2009-10-18 07:03 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-10-18 07:03 . 2009-10-18 07:06 -------- d-----w- c:\program files\Spyware Doctor

2009-10-18 07:03 . 2009-10-18 07:03 -------- d-----w- c:\documents and settings\John Halbert\Application Data\PC Tools

2009-10-18 07:03 . 2009-10-18 07:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools

2009-10-18 07:02 . 2009-10-19 01:12 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-10-18 06:55 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-18 06:55 . 2009-10-18 10:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-18 06:55 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-18 06:29 . 2009-10-19 00:51 58 ----a-w- c:\windows\wp4.dat

2009-10-18 06:29 . 2009-10-19 00:51 3 ----a-w- c:\windows\wp3.dat

2009-10-18 06:29 . 2009-10-19 00:09 565248 ----a-w- c:\windows\system32\plugie.dll

2009-10-18 06:25 . 2009-10-18 08:46 0 ----a-w- c:\windows\Wjuwafojocet.bin

2009-10-18 06:24 . 2009-10-18 22:32 120 ----a-w- c:\windows\Tfirupoqoxev.dat

2009-10-18 06:24 . 2009-10-18 06:24 -------- d-----w- c:\documents and settings\John Halbert\Local Settings\Application Data\{E1C7FB92-ECF0-4222-9940-E29A27D740F5}

2009-10-14 23:19 . 2009-10-14 23:19 -------- d-----w- c:\documents and settings\John Halbert\Application Data\Malwarebytes

2009-10-14 23:18 . 2009-10-14 23:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2009-10-14 23:11 . 2009-10-14 23:11 19754 ----a-w- c:\windows\system32\mybe.dat

2009-10-14 13:20 . 2009-10-18 06:18 196104 ----a-w- C:\jboy.exe

2009-10-14 13:20 . 2009-10-18 06:17 52736 ----a-w- C:\nmihj.exe

2009-10-14 13:20 . 2009-10-18 06:17 247808 ----a-w- C:\lyqr.exe

2009-10-14 13:20 . 2009-10-18 06:17 79360 ----a-w- C:\bqefoh.exe

2009-10-14 13:20 . 2009-10-14 13:20 53248 ----a-w- C:\riyxlqe.exe

2009-10-14 13:20 . 2009-10-14 13:20 243200 ----a-w- C:\tfdp.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-12 05:08 . 2004-10-18 23:53 15468 -c--a-w- c:\documents and settings\John Halbert\Application Data\wklnhst.dat

2009-09-11 14:33 . 2002-08-29 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 20:45 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 07:36 . 2004-12-08 00:37 832512 ----a-w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2002-08-29 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-08-26 08:16 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-05 09:11 . 2004-07-13 18:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 14:00 . 2002-08-29 12:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 13:13 . 2002-08-29 01:04 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-07-18 22:33 . 2009-07-18 22:33 1114043 --sha-w- c:\windows\system32\kolojebe.exe

2009-07-18 06:26 . 2009-07-18 06:26 1079842 --sha-w- c:\windows\system32\petonuho.exe

2009-07-18 06:26 . 2009-07-18 06:26 1114665 --sha-w- c:\windows\system32\sehuwuri.exe

2009-07-18 06:26 . 2009-07-18 06:26 24576 --sha-w- c:\windows\system32\sezerabo.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-11-26 180269]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"HostManager"="c:\program files\Common Files\AOL\1180668802\ee\AOLSoftware.exe" [2006-09-26 50736]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]

"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-02-24 163840]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-3 113664]

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-10-22 156784]

AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2004-10-22 250992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli uiepus.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1180668802\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/18/2009 12:03 AM 206256]

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/29/2002 5:00 AM 14336]

R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/29/2002 5:00 AM 94720]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/18/2009 12:03 AM 348752]

R3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\drivers\TNET1130x.sys [7/27/2005 4:39 PM 385536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

BtwSrv

.

Contents of the 'Scheduled Tasks' folder

2009-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{64a2ad5d-6c8b-4f97-9296-5134b2231935} - nobupize.dll

BHO-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\gv1csnbotv.dll

HKCU-Run-inixs - c:\windows\system32\minix32.exe

HKLM-Run-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll

HKLM-Run-URLLSTCK.exe - c:\program files\Norton Internet Security\UrlLstCk.exe

HKLM-Run-Tsl - c:\progra~1\COMMON~1\tsa\tsl.exe

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

HKLM-Run-Hlazegacudez - c:\windows\okopofev.dll

HKLM-Run-80670324 - c:\documents and settings\All Users.WINDOWS\Application Data\80670324\80670324.exe

HKLM-Run-fagedezud - c:\windows\system32\gipekoji.dll

HKLM-Run-67077128 - c:\docume~1\ALLUSE~1.WIN\APPLIC~1\67077128\67077128.exe

HKLM-Run-mulokisugu - hinuhilu.dll

SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\gv1csnbotv.dll

SharedTaskScheduler-{5012a22d-b2a9-4fb0-bbd3-06d4e7181c39} - c:\windows\system32\kodesalo.dll

SharedTaskScheduler-{aa9e3885-e541-4602-b47b-a403e2122097} - c:\windows\system32\gipekoji.dll

SSODL-filulusum-{5012a22d-b2a9-4fb0-bbd3-06d4e7181c39} - c:\windows\system32\kodesalo.dll

SSODL-vafimeler-{aa9e3885-e541-4602-b47b-a403e2122097} - c:\windows\system32\gipekoji.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-18 18:10

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(720)

c:\windows\uiepus.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(160)

c:\windows\system32\WININET.dll

c:\program files\Spyware Doctor\pctgmhk.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\uiepus.dll

c:\program files\Bonjour\mdnsNSP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Spyware Doctor\pctsSvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\wanmpsvc.exe

c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe

c:\combofix\CF1524.exe

c:\program files\Pure Networks\Port Magic\PortAOL.exe

c:\program files\Common Files\AOL\1180668802\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wmdtc.exe

c:\program files\Java\jre1.6.0_02\bin\jucheck.exe

c:\windows\system32\lsm32.sys

.

**************************************************************************

.

Completion time: 2009-10-19 18:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-19 01:25

Pre-Run: 231,170,048 bytes free

Post-Run: 274,452,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

323 --- E O F --- 2009-10-16 10:37

Link to post
Share on other sites
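The log above is long, and the "Other Deletions" file list is only part of what it records. The same log also shows where the infection hooked into the system: the Run keys, the LSA value `Notification Packages REG_MULTI_SZ scecli uiepus.dll`, and `c:\windows\uiepus.dll` sitting inside lsass.exe, an entry that is still present in the second ComboFix log later in this thread. As an added example (editor's code, not ComboFix's and not the helper's removal procedure), here is a small Python script that pulls those persistence-related sections out of a ComboFix log and flags the entries a reviewer would check first: a Run value that points at a DLL or carries none of the `[date size]` stamps ComboFix prints for the other entries, an LSA notification package other than the XP default `scecli`, and a module loaded in lsass.exe that does not live in system32. The sample log is constructed from lines of the two ComboFix logs in this thread; which packages count as expected and which directory lsass.exe modules should come from are assumptions, stated in the comments.

```python
"""Pull the persistence-related sections out of a ComboFix log and flag the
entries a reviewer would check first.  Added example for this thread; it is
not part of ComboFix and not the helper's removal procedure.  The two
heuristics below (expected LSA packages, where lsass.exe modules should
live) are assumptions, not ComboFix rules."""
import re

# Assumption: on a stand-alone Windows XP workstation the only default LSA
# notification package is scecli (a domain controller would add RASSFM).
EXPECTED_LSA_PACKAGES = {"scecli"}

# Assumption: every module inside lsass.exe should come from system32.
TRUSTED_MODULE_DIR = "c:\\windows\\system32\\"

RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?P<rest>.*)$')
STAMP = re.compile(r"\[\d{4}-\d{1,2}-\d{1,2} \d+\]")  # e.g. [2004-10-13 1694208]
PROC_HEADER = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)")
PATH_LINE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# Constructed sample: lines copied from the two ComboFix logs in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Hlazegacudez"="c:\windows\olicaxozabocu.dll" [bU]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-02-24 163840]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli uiepus.dll

--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(712)
c:\windows\uiepus.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3196)
c:\windows\system32\WININET.dll
c:\windows\uiepus.dll
"""


def parse_combofix(text):
    """Return (run_entries, lsa_packages, modules_by_process).

    run_entries: list of (registry key, value name, target, has_stamp)
    lsa_packages: the words after 'Notification Packages REG_MULTI_SZ'
    modules_by_process: {'lsass.exe': [dll path, ...], ...} (lower-cased)
    """
    run_entries, lsa_packages, modules = [], [], {}
    key, proc = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROC_HEADER.match(line)
        if m:  # "- - - - - - - > 'lsass.exe'(712)" opens a module list
            proc = m.group("proc").lower()
            modules.setdefault(proc, [])
            continue
        if proc and PATH_LINE.match(line):
            modules[proc].append(line.lower())
            continue
        proc = None  # any other line ends the current module list
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key header, e.g. [HKEY_..\Run]
            continue
        if line.startswith("Notification Packages"):
            lsa_packages = line.split()[3:]
            continue
        m = RUN_LINE.match(line)
        if m and key and key.lower().endswith(r"currentversion\run"):
            run_entries.append((key, m.group("name"), m.group("value"),
                                bool(STAMP.search(m.group("rest")))))
    return run_entries, lsa_packages, modules


def review(text):
    """Return (category, detail) findings in log order."""
    run_entries, lsa_packages, modules = parse_combofix(text)
    findings = []
    for _key, name, value, stamped in run_entries:
        if value.lower().endswith(".dll"):   # a Run value naming a DLL directly
            findings.append(("run-dll", f"{name} -> {value}"))
        if not stamped:                      # no [date size] stamp for the target
            findings.append(("run-unstamped", f"{name} -> {value}"))
    for pkg in lsa_packages:                 # password-filter / notification DLLs
        if pkg.lower() not in EXPECTED_LSA_PACKAGES:
            findings.append(("lsa-package", pkg))
    for dll in modules.get("lsass.exe", []):  # anything in lsass outside system32
        if not dll.startswith(TRUSTED_MODULE_DIR):
            findings.append(("lsass-module", dll))
    return findings


if __name__ == "__main__":
    for category, detail in review(SAMPLE_LOG):
        print(f"{category:14} {detail}")
```

Run against the sample it reports four lines: the `Hlazegacudez` Run value twice (it names a DLL and has no stamp), `uiepus.dll` as an unexpected LSA notification package, and `c:\windows\uiepus.dll` as a module inside lsass.exe. The point of the LSA check is that a notification package is loaded by lsass.exe at boot and is called on every password change, so a DLL there survives a file-list cleanup that never touched the registry value; it is the kind of entry to raise with the helper before declaring the machine clean.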

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\Wjuwafojocet.bin

c:\windows\Tfirupoqoxev.dat

C:\jboy.exe

C:\nmihj.exe

C:\lyqr.exe

C:\bqefoh.exe

C:\riyxlqe.exe

C:\tfdp.exe

c:\windows\system32\plugie.dll

c:\windows\wp4.dat

c:\windows\wp3.dat

c:\windows\system32\kolojebe.exe

c:\windows\system32\petonuho.exe

c:\windows\system32\sehuwuri.exe

c:\windows\system32\sezerabo.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScript.gif)

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

Link to post
Share on other sites

  • 2 weeks later...

Did this. Here are the logs:

ComboFix:

ComboFix 09-11-01.04 - John Halbert 11/02/2009 18:38.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.247 [GMT -8:00]

Running from: c:\documents and settings\John Halbert\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\John Halbert\Desktop\CFScript.txt

FILE ::

"C:\bqefoh.exe"

"C:\jboy.exe"

"C:\lyqr.exe"

"C:\nmihj.exe"

"C:\riyxlqe.exe"

"C:\tfdp.exe"

"c:\windows\system32\kolojebe.exe"

"c:\windows\system32\petonuho.exe"

"c:\windows\system32\plugie.dll"

"c:\windows\system32\sehuwuri.exe"

"c:\windows\system32\sezerabo.exe"

"c:\windows\Tfirupoqoxev.dat"

"c:\windows\Wjuwafojocet.bin"

"c:\windows\wp3.dat"

"c:\windows\wp4.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\bqefoh.exe

C:\jboy.exe

C:\lyqr.exe

C:\nmihj.exe

C:\riyxlqe.exe

C:\tfdp.exe

c:\windows\Install.txt

c:\windows\olicaxozabocu.dll

c:\windows\system32\FInstall.sys

c:\windows\system32\Install.txt

c:\windows\system32\kolojebe.exe

c:\windows\system32\petonuho.exe

c:\windows\system32\plugie.dll

c:\windows\system32\sehuwuri.exe

c:\windows\system32\sezerabo.exe

c:\windows\TEMP\mta13187.dll

c:\windows\TEMP\t4m0_328725575377.bk.old

c:\windows\TEMP\x1c71544.dll

c:\windows\Tfirupoqoxev.dat

c:\windows\Wjuwafojocet.bin

c:\windows\wp3.dat

c:\windows\wp4.dat

.

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))

.

2009-10-30 10:44 . 2009-10-30 10:44 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Viewpoint

2009-10-27 09:27 . 2009-10-27 09:27 9977 ----a-w- c:\windows\ifuwokojegigudud.dll

2009-10-27 07:25 . 2009-10-27 07:25 9975 ----a-w- c:\windows\agimevedeco.dll

2009-10-27 05:23 . 2009-10-27 05:23 9954 ----a-w- c:\windows\uniqopacajuhiqi.dll

2009-10-27 03:21 . 2009-10-27 03:21 9972 ----a-w- c:\windows\ecujafecufi.dll

2009-10-25 07:20 . 2009-10-25 07:20 -------- d-----w- c:\windows\Sun

2009-10-22 08:28 . 2009-10-22 08:28 -------- d-----w- c:\documents and settings\John Halbert\Local Settings\Application Data\{E1C7FB92-ECF0-4222-9940-E29A27D740F5}

2009-10-18 07:02 . 2009-10-19 01:46 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-10-18 06:55 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-18 06:55 . 2009-10-18 10:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-18 06:55 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-14 23:19 . 2009-10-14 23:19 -------- d-----w- c:\documents and settings\John Halbert\Application Data\Malwarebytes

2009-10-14 23:18 . 2009-10-14 23:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2009-10-14 23:11 . 2009-10-14 23:11 19754 ----a-w- c:\windows\system32\mybe.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-29 09:35 . 2004-10-18 23:53 15608 -c--a-w- c:\documents and settings\John Halbert\Application Data\wklnhst.dat

2009-09-11 14:33 . 2002-08-29 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 20:45 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 07:36 . 2004-12-08 00:37 832512 ------w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2002-08-29 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-08-26 08:16 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-07 02:24 . 2004-10-30 19:08 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 02:24 . 2004-10-30 19:08 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 02:24 . 2004-10-30 19:08 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 02:24 . 2004-07-13 16:52 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-07 02:24 . 2002-08-29 12:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 02:23 . 2004-10-30 19:08 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 02:23 . 2004-07-13 16:52 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:11 . 2004-07-13 18:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-10-19_01.11.47 )))))))))))))))))))))))))))))))))))))))))

.

+ 2002-08-29 12:00 . 2002-08-29 12:00 87552 c:\windows\system32\wmdtc.exe

+ 2009-10-21 09:18 . 2009-08-07 02:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll

+ 2009-10-21 09:18 . 2009-08-07 02:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2002-08-29 12:00 . 2009-11-02 06:24 40394 c:\windows\system32\perfc009.dat

- 2002-08-29 12:00 . 2009-05-13 10:34 40394 c:\windows\system32\perfc009.dat

+ 2002-08-29 12:00 . 2002-08-29 12:00 87552 c:\windows\system32\opeia.exe

+ 2002-08-29 12:00 . 2002-08-29 12:00 61440 c:\windows\system32\lsm32.sys

+ 2002-08-29 12:00 . 2002-08-29 12:00 48128 c:\windows\system32\FastNetSrv.exe

+ 2004-10-30 19:08 . 2009-08-07 02:24 35552 c:\windows\system32\dllcache\wups.dll

+ 2004-07-13 16:52 . 2009-08-07 02:24 53472 c:\windows\system32\dllcache\wuauclt.exe

+ 2002-08-29 12:00 . 2009-08-07 02:24 96480 c:\windows\system32\dllcache\cdm.dll

+ 2004-07-13 17:00 . 2009-11-03 02:38 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2004-07-13 17:00 . 2009-10-19 00:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-10-20 00:04 . 2009-10-20 00:04 78924 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat

+ 2009-10-20 00:04 . 2009-10-20 00:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009101920091020\index.dat

+ 2004-07-13 17:00 . 2009-11-03 02:38 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2004-07-13 17:00 . 2009-10-19 00:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-10-20 00:04 . 2009-11-03 02:38 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2002-08-29 12:00 . 2009-11-02 06:24 312172 c:\windows\system32\perfh009.dat

- 2002-08-29 12:00 . 2009-05-13 10:34 312172 c:\windows\system32\perfh009.dat

+ 2004-10-30 19:08 . 2009-08-07 02:24 209632 c:\windows\system32\dllcache\wuweb.dll

+ 2004-10-30 19:08 . 2009-08-07 02:24 327896 c:\windows\system32\dllcache\wucltui.dll

+ 2004-10-30 19:08 . 2009-08-07 02:23 575704 c:\windows\system32\dllcache\wuapi.dll

+ 2009-11-03 02:51 . 2009-08-29 07:36 1168384 c:\windows\temp\x1c120396.dll

+ 2004-07-13 16:52 . 2009-08-07 02:23 1929952 c:\windows\system32\dllcache\wuaueng.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-11-26 180269]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"HostManager"="c:\program files\Common Files\AOL\1180668802\ee\AOLSoftware.exe" [2006-09-26 50736]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"Hlazegacudez"="c:\windows\olicaxozabocu.dll" [bU]

"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-02-24 163840]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-3 113664]

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-10-22 156784]

AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2004-10-22 250992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli uiepus.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1180668802\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/29/2002 4:00 AM 14336]

R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/29/2002 4:00 AM 48128]

R3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\drivers\TNET1130x.sys [7/27/2005 3:39 PM 385536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV

*NewlyCreated* - MBR

*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

BtwSrv

.

Contents of the 'Scheduled Tasks' folder

2009-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-02 18:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\Install.txt 264 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(712)

c:\windows\uiepus.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3196)

c:\windows\system32\WININET.dll

c:\program files\Common Files\AOL\ACS\WLHook.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\uiepus.dll

c:\program files\Bonjour\mdnsNSP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\wanmpsvc.exe

c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe

c:\windows\system32\wmdtc.exe

c:\windows\system32\wscntfy.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Java\jre1.6.0_02\bin\jucheck.exe

c:\windows\system32\lsm32.sys

.

**************************************************************************

.

Completion time: 2009-11-03 19:03 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-03 03:02

ComboFix2.txt 2009-10-19 01:25

Pre-Run: 439,099,392 bytes free

Post-Run: 646,619,136 bytes free

- - End Of File - - A3DCA2B2E9F0509E9F7AA44DF387FE88

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:10:12 PM, on 11/2/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\wmdtc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\FastNetSrv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\AOL\1180668802\ee\AOLSoftware.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

C:\Program Files\AOL Companion\companion.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\program files\common files\aol\1180668802\ee\aolsoftware.exe

C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\lsm32.sys

C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1180668802\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Hlazegacudez] rundll32.exe "C:\WINDOWS\olicaxozabocu.dll",Startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6844 bytes


1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\ifuwokojegigudud.dll

c:\windows\agimevedeco.dll

c:\windows\uniqopacajuhiqi.dll

c:\windows\ecujafecufi.dll

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Hlazegacudez"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:

  • Combofix.txt
  • A new HijackThis log.

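The CFScript above removes four DLLs and one Run value by hand, and the thread's logs show why a reader should keep checking the same loading points afterwards: the first HijackThis log has "[Hlazegacudez] rundll32.exe "C:\WINDOWS\olicaxozabocu.dll",Startup", the log taken right after the CFScript run no longer has it, and the log of 11/11 has it back as "C:\WINDOWS\asinewoh.dll" under the same value name. The logs also list C:\WINDOWS\system32\lsm32.sys as a running process, a .sys file image that no normal process uses. The script below is an added example, not code from this thread and not a feature of HijackThis or ComboFix. It parses HijackThis-style lines, applies a few triage heuristics (rundll32 loading a DLL from the Windows root at logon, non-.exe process images, orphaned BHOs, services with unknown owner or missing binary, Winsock LSP entries marked unknown), and diffs the O4 Run values between two logs so that a re-randomised DLL behind an unchanged value name stands out. The sample lines are a constructed subset copied from the logs posted above; the severity labels and the heuristics themselves are my assumptions, not verdicts, and each finding still needs confirming on disk.

```python
"""Triage heuristics for HijackThis-style logs. Added example; not a HijackThis or ComboFix feature."""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample input: a representative subset of the lines from the HijackThis logs
# posted in this thread (first log of 11/2, and the log of 11/11 after the fixes).
LOG_BEFORE = [
    r"Running processes:",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\lsm32.sys",
    r"C:\Program Files\HiJackThis\HijackThis.exe",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [Hlazegacudez] rundll32.exe "C:\WINDOWS\olicaxozabocu.dll",Startup',
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    r"O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]
LOG_AFTER = [
    r"Running processes:",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\Program Files\HiJackThis\HijackThis.exe",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [Hlazegacudez] rundll32.exe "C:\WINDOWS\asinewoh.dll",Startup',
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
]

RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
SECTION_LINE = re.compile(r'^[RO]\d+ - ')  # first R*/O* line ends the process list


def run_entries(lines: List[str]) -> Dict[str, str]:
    """Map each O4 HKLM/HKCU Run value name to its command line."""
    out: Dict[str, str] = {}
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            out[m.group('name')] = m.group('cmd')
    return out


def running_processes(lines: List[str]) -> List[str]:
    """Return the image paths listed under 'Running processes:'."""
    procs, collecting = [], False
    for line in lines:
        if line.startswith('Running processes:'):
            collecting = True
            continue
        if collecting:
            if SECTION_LINE.match(line) or not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings. Heuristics only: confirm each one on disk."""
    findings: List[Tuple[str, str]] = []
    for name, cmd in run_entries(lines).items():
        m = RUNDLL_RE.search(cmd)
        if m:
            dll = m.group('dll')
            # A DLL sitting directly in %WINDIR% (not system32) and loaded by rundll32 at
            # logon is the shape of the Hlazegacudez entry in this thread.
            if ntpath.dirname(dll).lower().endswith('\\windows'):
                findings.append(('high', f'Run value [{name}] loads {dll} via rundll32 from the Windows root'))
    for proc in running_processes(lines):
        ext = ntpath.splitext(proc)[1].lower()
        if ext != '.exe':
            # A process image with a non-.exe extension (lsm32.sys here) is not normal.
            findings.append(('high', f'process image has extension {ext!r}: {proc}'))
    for line in lines:
        if line.startswith('O2 - ') and line.endswith('(no file)'):
            findings.append(('low', f'orphaned BHO registration: {line}'))
        elif line.startswith('O23 - ') and ('Unknown owner' in line or '(file missing)' in line):
            findings.append(('medium', f'service with unknown owner or missing binary: {line}'))
        elif line.startswith('O10 - Unknown file in Winsock LSP'):
            # "Unknown" means absent from the HijackThis whitelist, not malicious. Check the
            # file's signature and location before touching the LSP chain.
            findings.append(('review', line))
    return findings


def diff_run_entries(before: List[str], after: List[str]) -> Dict[str, List[str]]:
    """Compare O4 Run values between two logs by value name."""
    b, a = run_entries(before), run_entries(after)
    return {
        'removed': sorted(set(b) - set(a)),
        'added': sorted(set(a) - set(b)),
        # Same value name, different command: the entry came back with a fresh DLL name.
        'changed': sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


if __name__ == '__main__':
    for sev, why in triage(LOG_BEFORE):
        print(f'{sev:7} {why}')
    print(diff_run_entries(LOG_BEFORE, LOG_AFTER))
```

Run the diff against each new log you post rather than reading the O4 block by eye: a "changed" result for a name you already removed is the signal to look for whatever is re-creating it (the lsass.exe DLL list and the LSA Notification Packages line in the ComboFix logs are the next places to read) rather than deleting the new DLL and moving on.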

ComboFix report:

ComboFix 09-11-03.01 - John Halbert 11/03/2009 22:47.3.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.251 [GMT -8:00]

Running from: c:\documents and settings\John Halbert\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\John Halbert\Desktop\CFScript.txt

FILE ::

"c:\windows\agimevedeco.dll"

"c:\windows\ecujafecufi.dll"

"c:\windows\ifuwokojegigudud.dll"

"c:\windows\uniqopacajuhiqi.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\agimevedeco.dll

c:\windows\ecujafecufi.dll

c:\windows\ifuwokojegigudud.dll

c:\windows\system32\Install.txt

c:\windows\TEMP\mta13187.dll

c:\windows\uniqopacajuhiqi.dll

.

((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))

.

2009-11-03 03:08 . 2009-11-03 03:08 396288 ----a-w- C:\HijackThis.exe

2009-10-30 10:44 . 2009-10-30 10:44 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Viewpoint

2009-10-25 07:20 . 2009-10-25 07:20 -------- d-----w- c:\windows\Sun

2009-10-22 08:28 . 2009-10-22 08:28 -------- d-----w- c:\documents and settings\John Halbert\Local Settings\Application Data\{E1C7FB92-ECF0-4222-9940-E29A27D740F5}

2009-10-18 07:02 . 2009-10-19 01:46 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-10-18 06:55 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-18 06:55 . 2009-10-18 10:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-18 06:55 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-14 23:19 . 2009-10-14 23:19 -------- d-----w- c:\documents and settings\John Halbert\Application Data\Malwarebytes

2009-10-14 23:18 . 2009-10-14 23:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2009-10-14 23:11 . 2009-10-14 23:11 19754 ----a-w- c:\windows\system32\mybe.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-29 09:35 . 2004-10-18 23:53 15608 -c--a-w- c:\documents and settings\John Halbert\Application Data\wklnhst.dat

2009-09-11 14:33 . 2002-08-29 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 20:45 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 07:36 . 2004-12-08 00:37 832512 ------w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2002-08-29 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-08-26 08:16 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-07 02:24 . 2004-10-30 19:08 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 02:24 . 2004-10-30 19:08 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 02:24 . 2004-10-30 19:08 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 02:24 . 2004-07-13 16:52 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-07 02:24 . 2002-08-29 12:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 02:23 . 2004-10-30 19:08 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 02:23 . 2004-07-13 16:52 1929952 ----a-w- c:\windows\system32\wuaueng.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-10-19_01.11.47 )))))))))))))))))))))))))))))))))))))))))

.

+ 2002-08-29 12:00 . 2002-08-29 12:00 87552 c:\windows\system32\wmdtc.exe

+ 2009-10-21 09:18 . 2009-08-07 02:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll

+ 2009-10-21 09:18 . 2009-08-07 02:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2002-08-29 12:00 . 2009-11-02 06:24 40394 c:\windows\system32\perfc009.dat

- 2002-08-29 12:00 . 2009-05-13 10:34 40394 c:\windows\system32\perfc009.dat

+ 2002-08-29 12:00 . 2002-08-29 12:00 87552 c:\windows\system32\opeia.exe

+ 2002-08-29 12:00 . 2002-08-29 12:00 61440 c:\windows\system32\lsm32.sys

+ 2002-08-29 12:00 . 2002-08-29 12:00 48128 c:\windows\system32\FastNetSrv.exe

+ 2004-10-30 19:08 . 2009-08-07 02:24 35552 c:\windows\system32\dllcache\wups.dll

+ 2004-07-13 16:52 . 2009-08-07 02:24 53472 c:\windows\system32\dllcache\wuauclt.exe

+ 2002-08-29 12:00 . 2009-08-07 02:24 96480 c:\windows\system32\dllcache\cdm.dll

+ 2004-07-13 17:00 . 2009-11-04 03:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2004-07-13 17:00 . 2009-10-19 00:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-10-20 00:04 . 2009-10-20 00:04 78924 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat

+ 2009-10-20 00:04 . 2009-10-20 00:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009101920091020\index.dat

+ 2004-07-13 17:00 . 2009-11-04 03:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2004-07-13 17:00 . 2009-10-19 00:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-11-04 01:30 . 2009-11-04 03:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2004-07-13 17:00 . 2009-10-19 00:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2002-08-29 12:00 . 2009-11-02 06:24 312172 c:\windows\system32\perfh009.dat

- 2002-08-29 12:00 . 2009-05-13 10:34 312172 c:\windows\system32\perfh009.dat

+ 2004-10-30 19:08 . 2009-08-07 02:24 209632 c:\windows\system32\dllcache\wuweb.dll

+ 2004-10-30 19:08 . 2009-08-07 02:24 327896 c:\windows\system32\dllcache\wucltui.dll

+ 2004-10-30 19:08 . 2009-08-07 02:23 575704 c:\windows\system32\dllcache\wuapi.dll

+ 2009-11-04 07:00 . 2009-08-29 07:36 1168384 c:\windows\temp\x1c27713.dll

+ 2004-07-13 16:52 . 2009-08-07 02:23 1929952 c:\windows\system32\dllcache\wuaueng.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-11-26 180269]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"HostManager"="c:\program files\Common Files\AOL\1180668802\ee\AOLSoftware.exe" [2006-09-26 50736]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-02-24 163840]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-3 113664]

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-10-22 156784]

AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2004-10-22 250992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli uiepus.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1180668802\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/29/2002 4:00 AM 14336]

R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/29/2002 4:00 AM 47616]

R3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\drivers\TNET1130x.sys [7/27/2005 3:39 PM 385536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV

*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

BtwSrv

.

Contents of the 'Scheduled Tasks' folder

2009-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-03 22:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(708)

c:\windows\uiepus.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2648)

c:\windows\system32\WININET.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\uiepus.dll

c:\program files\Bonjour\mdnsNSP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\wanmpsvc.exe

c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe

c:\windows\system32\wscntfy.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wmdtc.exe

c:\program files\common files\aol\1180668802\ee\anotify.exe

c:\program files\Java\jre1.6.0_02\bin\jucheck.exe

c:\windows\system32\lsm32.sys

.

**************************************************************************

.

Completion time: 2009-11-04 23:09 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-04 07:09

ComboFix2.txt 2009-11-03 03:03

ComboFix3.txt 2009-10-19 01:25

Pre-Run: 845,381,632 bytes free

Post-Run: 864,489,472 bytes free

HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:11:37 PM, on 11/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\AOL\1180668802\ee\AOLSoftware.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AOL Companion\companion.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wmdtc.exe

c:\program files\common files\aol\1180668802\ee\aolsoftware.exe

C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\FastNetSrv.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\lsm32.sys

C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1180668802\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6716 bytes


Hi,

open HijackThis, click "Do a system scan only" and place a check next to the following entry:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Close all other windows and browsers, except HijackThis, and click Fix Checked. Close HijackThis.

Reboot and post a new HijackThis log. Let me know how things are running.


Here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:04:55 PM, on 11/11/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\FastNetSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\AOL\1180668802\ee\AOLSoftware.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AOL Companion\companion.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\program files\common files\aol\1180668802\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\common files\aol\1180668802\ee\aolsoftware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\HiJackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1180668802\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Hlazegacudez] rundll32.exe "C:\WINDOWS\asinewoh.dll",Startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6766 bytes


Hi,

I overlooked a line in your log!! :)

Please open HijackThis, and select Open the Misc Tools section.

Select Delete an NT service.

Copy and paste the following into the box that pops up:

fastnetsrv Service

Click OK.

Next,

open HijackThis, click do a scan only and place a check next to the following entries:

O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe

Close all other windows and browsers, except HijackThis, and click Fix Checked. Close HijackThis.

It is also important to keep your Java updated as there is the possibility that some malware uses out-of-date Java installs to infect PCs. Test if your version is the latest here.

Updating Java:

[*]Download the latest version of Java Runtime Environment (JRE) 6 update 17.

[*]Scroll down to where it says "Java Runtime Environment (JRE) 6 update 1
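The helper above picked out the fastnetsrv service and the rundll32 "Hlazegacudez" entry by reading the O4/O23 lines by hand. As an added example (not from the forum or from HijackThis itself), this script parses a few constructed lines modelled on that log and applies the same triage heuristics a reviewer uses: a Run entry that loads a DLL straight from the Windows root, an unrecognised Winsock LSP, and services whose publisher is not on a reviewer's own known-vendor list or whose binary is missing. The KNOWN_PUBLISHERS set is an assumption built from vendors seen in this log; a hit is a prompt for review, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample lines, modelled on entries from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Hlazegacudez] rundll32.exe "C:\WINDOWS\asinewoh.dll",Startup
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\aolserv.exe (file missing)
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
"""

# Assumed allowlist: publishers the reviewer already recognises from this log.
KNOWN_PUBLISHERS = {"Apple Inc.", "Symantec Corporation", "AOL LLC", "America Online, Inc."}

SECTION_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# rundll32 loading a DLL that sits directly in the Windows directory root;
# legitimate DLLs normally live in system32, so this is worth a look.
WINROOT_DLL_RE = re.compile(r'rundll32\.exe\s+"?[A-Za-z]:\\windows\\[^\\"]+\.dll', re.I)
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<pub>.+?) - (?P<path>.+)$")

def parse_line(line: str):
    """Split a HijackThis line into (section tag, body), or None if not one."""
    m = SECTION_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None

def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for each entry a reviewer should inspect."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        sec, body = parsed
        line = raw.strip()
        if sec == "O4" and WINROOT_DLL_RE.search(body):
            findings.append((sec, "rundll32 loads a DLL from the Windows root", line))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((sec, "unrecognised Winsock LSP", line))
        elif sec == "O23" and (svc := SERVICE_RE.match(body)):
            if svc.group("pub") not in KNOWN_PUBLISHERS:
                findings.append((sec, "publisher not on known-vendor list", line))
            if "(file missing)" in svc.group("path"):
                findings.append((sec, "service binary missing (orphaned entry)", line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {line}")
```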
