
ran multiple Mbytes scans


ScottZ


I had to change the name of Malwarebytes under Program Files. I did some quick and some full scans; some of the infections don't get removed. Plus, I cannot change my desktop background when I go to Properties the way I would normally do it. There are only 2 tabs now, Taskbar and Start Menu, so I can't customize it. I did a quick scan twice and these didn't get deleted.

\\?\globalroot\systemroot\system32

Rootkit.TDSS- Hkey_LOCAL_MACHINE\SOFTWARE\H8S

Here's the Malwarebytes log, and I attached the other 3. I'm confused about whether I should attach them all or what should be pasted here, so hopefully this is OK.

Malwarebytes' Anti-Malware 1.42

Database version: 3414

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

12/22/2009 11:45:52 PM

mbam-log-2009-12-22 (23-45-52).txt

Scan type: Full Scan (C:\|)

Objects scanned: 207518

Time elapsed: 42 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 34

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\H8SRTftifuemlei.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malwarebytes anti-malware (reboot) (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\H8SRTftifuemlei.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\32788R22FWJFW\Combo-Fix.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\32788R22FWJFW.0.tmp\Combo-Fix.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\12124313\12124313.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\91215725\91215725.exe.vir (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\betipafe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\birayeki.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ferazolu.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\jabavono.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\jayoriji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\jeharaya.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\kenoriro.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\kokemabo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lakutufo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lalumojo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lawariko.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lokadodu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\nizefipu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\patayaru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\putirise.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\raromozo.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sawafena.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\siyaturi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tevisiko.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tomiyegi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\update3351531.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\update3351593.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\update3351671.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\userini.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wewidilu.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wogirubi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\xa.tmp.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\zimizapa.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe.exe (Trojan.Agent) -> Delete on reboot.


Alright, I updated and did a quick scan; it says it's clean, but there are still problems. Going to Properties to change my desktop, that tab isn't there. How can I repair this? Here's the quick scan log:

Malwarebytes' Anti-Malware 1.42

Database version: 3449

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

12/29/2009 1:31:18 AM

mbam-log-2009-12-29 (01-31-18).txt

Scan type: Quick Scan

Objects scanned: 106141

Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK, here are both of the logs:

ComboFix 09-12-29.05 - Ziehos 12/30/2009 7:26.10.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.321 [GMT -6:00]

Running from: c:\documents and settings\Ziehos\Desktop\combofix.exe.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\init32.exe

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))

.

2009-12-29 08:55 . 2009-12-29 08:56 -------- d-----w- c:\program files\eMedia Intermediate Piano and Keyboard Method

2009-12-24 04:25 . 2009-12-24 04:25 -------- d-----w- C:\safelinecell

2009-12-24 00:53 . 2009-12-24 00:56 -------- d-----w- C:\askkicker2.exe

2009-12-24 00:33 . 2009-12-24 00:46 -------- d-----w- C:\frequencyemulations

2009-12-23 11:28 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-23 11:28 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-23 03:35 . 2009-12-23 03:35 -------- d-----w- C:\rsit

2009-12-22 13:47 . 2009-12-22 13:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-21 09:30 . 2009-12-21 09:30 -------- d-sh--w- c:\documents and settings\Ziehos\PrivacIE

2009-12-20 22:29 . 2009-12-20 22:35 -------- d-----w- C:\FFX midis

2009-12-19 12:31 . 2009-12-19 12:31 -------- d-----w- c:\program files\Media Player Classic

2009-12-19 11:46 . 2009-12-19 17:06 -------- d-----w- C:\zelda midis

2009-12-19 04:56 . 2009-12-19 04:57 -------- dc-h--w- c:\windows\ie8

2009-12-18 07:08 . 2009-12-18 07:11 -------- d-----w- c:\documents and settings\Ziehos\Application Data\Player

2009-12-18 07:08 . 2009-12-23 03:08 -------- d-----w- c:\program files\Player

2009-12-18 05:10 . 2009-12-18 05:11 -------- d-----w- C:\battletoads midi

2009-12-17 19:02 . 2009-12-18 05:52 -------- d-----w- C:\FFIXmidis

2009-12-08 09:00 . 2009-12-19 09:03 -------- d-----w- c:\windows\ie8updates

2009-12-07 20:27 . 2009-12-07 20:27 -------- d-sh--w- c:\documents and settings\Ziehos\IETldCache

2009-12-07 16:36 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-12-07 16:36 . 2009-10-29 07:45 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2009-12-07 16:36 . 2009-10-29 07:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-12-07 16:36 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-12-07 16:36 . 2009-10-29 07:45 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-12-07 16:36 . 2009-10-29 07:45 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-30 13:35 . 2009-01-20 22:38 -------- d-----w- c:\documents and settings\Ziehos\Application Data\mjusbsp

2009-12-30 13:20 . 2008-04-18 21:28 -------- d-----w- c:\documents and settings\Ziehos\Application Data\uTorrent

2009-12-30 01:17 . 2009-10-17 08:37 -------- d-----w- c:\documents and settings\Ziehos\Application Data\vlc

2009-12-29 07:23 . 2009-05-03 07:22 -------- d-----w- c:\program files\PeerGuardian2

2009-12-25 17:25 . 2008-10-22 07:52 -------- d-----w- c:\documents and settings\Ziehos\Application Data\Move Networks

2009-12-25 17:05 . 2009-08-18 20:11 143976 ----a-w- c:\documents and settings\Ziehos\Application Data\Move Networks\uninstall.exe

2009-12-25 17:05 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Ziehos\Application Data\Move Networks\plugins\npqmp071701000002.dll

2009-12-25 17:05 . 2009-12-25 17:05 1794456 ----a-w- c:\documents and settings\Ziehos\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe

2009-12-25 09:25 . 2007-02-21 23:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-12-23 12:17 . 2009-05-01 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-23 05:56 . 2008-09-14 12:57 -------- d-----w- c:\program files\CCleaner

2009-12-02 20:43 . 2009-10-24 07:25 -------- d-----w- c:\documents and settings\Ziehos\Application Data\dvdcss

2009-11-29 22:08 . 2009-11-29 22:08 -------- d-----w- c:\program files\CyberFOX Software

2009-11-20 22:32 . 2003-03-31 12:00 1032192 ------w- c:\windows\explorer.exe

2009-11-14 00:54 . 2009-11-14 00:54 -------- d-----w- c:\documents and settings\Ziehos\Application Data\Audacity

2009-11-14 00:54 . 2009-10-25 10:52 16 ----a-w- c:\windows\msocreg32.dat

2009-11-14 00:52 . 2009-11-14 00:52 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

2009-10-29 07:45 . 2006-02-24 19:26 916480 ------w- c:\windows\system32\wininet.dll

2009-10-22 23:19 . 2009-10-19 21:21 1952342 ----a-w- c:\windows\setup2.exe

2009-10-21 06:00 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-16 16:09 . 2009-03-12 21:50 117760 ----a-w- c:\documents and settings\Ziehos\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Ziehos\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

2009-10-13 10:53 . 2006-05-14 09:13 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2003-03-31 12:00 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2003-03-31 12:00 112128 ----a-w- c:\windows\system32\rastls.dll

2004-08-04 07:56 . 2003-03-31 12:00 1228800 --sh--r- c:\windows\system32\wgacrack.exe

2009-02-01 00:42 . 2009-02-01 00:42 69120 --sha-w- c:\windows\system32\zafufovi.dll.tmp

2009-02-01 00:42 . 2009-02-01 00:42 69120 --sha-w- c:\windows\system32\zifutoro.dll.tmp

2009-02-01 00:42 . 2009-02-01 00:42 69120 --sha-w- c:\windows\system32\ziluyuda.dll.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db803b95-1dc3-453f-a147-c1d6fc488de3}]

sawafena.dll [bU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Ziehos\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 22:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hawking Wireless Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hawking Wireless Utility.lnk

backup=c:\windows\pss\Hawking Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk

backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]

1998-12-01 00:04 497376 ----a-w- c:\windows\p_981116.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 15:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]

2008-08-14 22:11 565008 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2008-08-14 22:15 2407184 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2003-07-13 08:49 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2008-03-14 23:50 233472 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2008-08-12 23:19 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-11-15 10:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-01-26 21:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-01-27 21:42 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Common Files\\System\\WGAcrack.exe"=

"c:\\Program Files\\Neuro-Programmer 2 Professional\\Neuro-Programmer 2.exe"=

"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

"c:\\Program Files\\Common Files\\LogiShrd\\LVCOMSER\\LVComSer.exe"=

"c:\\Documents and Settings\\Ziehos\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5060:UDP"= 5060:UDP:magicjack

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/9/2005 5:52 PM 75904]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]

S0 mwcst;mwcst;c:\windows\system32\drivers\lvuti.sys --> c:\windows\system32\drivers\lvuti.sys [?]

S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [11/29/2008 4:12 PM 33168]

S3 kbeepm;kbeepm; [x]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [6/21/2007 12:20 AM 7548]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

S3 ZD1211U(Hawking Technologies);HWL2 WiFi Locator Professional Edition(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [4/16/2006 5:58 PM 274944]

S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [4/16/2006 5:58 PM 19200]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/7/2007 6:16 PM 717296]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Ahyegpry

EsauZxyanod

.

Contents of the 'Scheduled Tasks' folder

2009-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-12-30 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: &Search - ?p=ZNfox000

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download web site with Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab

FF - ProfilePath - c:\documents and settings\Ziehos\Application Data\Mozilla\Firefox\Profiles\z1c93oeu.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - plugin: c:\documents and settings\Ziehos\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\Ziehos\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: XUL Cache: {2F78DA98-0254-4257-A99B-BCED53DFCB9E} - c:\documents and settings\Ziehos\Local Settings\Application Data\{2F78DA98-0254-4257-A99B-BCED53DFCB9E}\

.

.

------- File Associations -------

.

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-30 07:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\System32\NavLogon.dll

- - - - - - - > 'explorer.exe'(7784)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\ewido anti-spyware 4.0\guard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\documents and settings\Ziehos\Application Data\mjusbsp\magicJack.exe

.

**************************************************************************

.

Completion time: 2009-12-30 07:43:34 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-30 13:43

ComboFix2.txt 2009-12-24 01:33

ComboFix3.txt 2009-11-23 12:07

ComboFix4.txt 2009-10-30 02:22

ComboFix5.txt 2009-12-30 13:25

Pre-Run: 1,319,153,664 bytes free

Post-Run: 1,256,640,512 bytes free

- - End Of File - - F20787E162785B29AC7BE496C2B5DB82

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:46:31, on 12/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Documents and Settings\Ziehos\Application Data\mjusbsp\magicJack.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo!


  • Staff

Hi,

Are you familiar with these folders?

C:\safelinecell

C:\askkicker2.exe

C:\frequencyemulations

Are you running a cracked version of Windows?

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=34372
Driver::
kbeepm
samhid
hid8101
mwcst
KILLALL::
Dirlook::
C:\safelinecell
C:\askkicker2.exe
C:\frequencyemulations
Collect::
c:\windows\system32\drivers\hid8101.sys
c:\windows\system32\drivers\Samhid.sys
c:\windows\system32\drivers\lvuti.sys
c:\windows\system32\wgacrack.exe
c:\windows\system32\zafufovi.dll.tmp
c:\windows\system32\zifutoro.dll.tmp
c:\windows\system32\ziluyuda.dll.tmp
c:\windows\setup2.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db803b95-1dc3-453f-a147-c1d6fc488de3}]

Save this as CFScript.txt

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

-screen317


Yes, I'm familiar with all of those. The 1st and 3rd are user-created folders, one with text and the other with audio files. The 2nd one is actually ComboFix; I forgot to add that I changed the name so it would run. It wouldn't run as combofixe.exe, just like Malwarebytes used to not run; they work fine now, though, as their original names. No, I'm not running a cracked version of Windows. I followed those instructions to the letter: I dragged CFscript.txt onto the latest combofix.exe, and that second message box you said would come up didn't. I don't know why. Anyway, here's the log that it did come up with:

ComboFix 09-12-31.A1 - Ziehos 01/01/2010 12:18:43.11.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.198 [GMT -6:00]

Running from: c:\documents and settings\Ziehos\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ziehos\Desktop\CFscript.txt.txt

file zipped: c:\windows\setup2.exe

file zipped: c:\windows\system32\drivers\hid8101.sys

file zipped: c:\windows\system32\drivers\Samhid.sys

file zipped: c:\windows\system32\wgacrack.exe

file zipped: c:\windows\system32\zafufovi.dll.tmp

file zipped: c:\windows\system32\zifutoro.dll.tmp

file zipped: c:\windows\system32\ziluyuda.dll.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\setup2.exe

c:\windows\system32\drivers\hid8101.sys

c:\windows\system32\drivers\Samhid.sys

c:\windows\system32\wgacrack.exe

c:\windows\system32\zafufovi.dll.tmp

c:\windows\system32\zifutoro.dll.tmp

c:\windows\system32\ziluyuda.dll.tmp

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_KBEEPM

-------\Service_hid8101

-------\Service_kbeepm

-------\Service_mwcst

-------\Service_samhid

((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))

.

2009-12-29 08:55 . 2009-12-29 08:56 -------- d-----w- c:\program files\eMedia Intermediate Piano and Keyboard Method

2009-12-24 04:25 . 2009-12-24 04:25 -------- d-----w- C:\safelinecell

2009-12-24 00:53 . 2009-12-24 00:56 -------- d-----w- C:\askkicker2.exe

2009-12-24 00:33 . 2009-12-24 00:46 -------- d-----w- C:\frequencyemulations

2009-12-23 11:28 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-23 11:28 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-23 03:35 . 2009-12-23 03:35 -------- d-----w- C:\rsit

2009-12-22 13:47 . 2009-12-22 13:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-21 09:30 . 2009-12-21 09:30 -------- d-sh--w- c:\documents and settings\Ziehos\PrivacIE

2009-12-20 22:29 . 2009-12-20 22:35 -------- d-----w- C:\FFX midis

2009-12-19 12:31 . 2009-12-19 12:31 -------- d-----w- c:\program files\Media Player Classic

2009-12-19 11:46 . 2009-12-19 17:06 -------- d-----w- C:\zelda midis

2009-12-19 04:56 . 2009-12-19 04:57 -------- dc-h--w- c:\windows\ie8

2009-12-18 07:08 . 2009-12-18 07:11 -------- d-----w- c:\documents and settings\Ziehos\Application Data\Player

2009-12-18 07:08 . 2009-12-23 03:08 -------- d-----w- c:\program files\Player

2009-12-18 05:10 . 2009-12-18 05:11 -------- d-----w- C:\battletoads midi

2009-12-17 19:02 . 2009-12-18 05:52 -------- d-----w- C:\FFIXmidis

2009-12-08 09:00 . 2009-12-19 09:03 -------- d-----w- c:\windows\ie8updates

2009-12-07 20:27 . 2009-12-07 20:27 -------- d-sh--w- c:\documents and settings\Ziehos\IETldCache

2009-12-07 16:36 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-12-07 16:36 . 2009-10-29 07:45 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2009-12-07 16:36 . 2009-10-29 07:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-12-07 16:36 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-12-07 16:36 . 2009-10-29 07:45 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-12-07 16:36 . 2009-10-29 07:45 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-01 18:27 . 2009-01-20 22:38 -------- d-----w- c:\documents and settings\Ziehos\Application Data\mjusbsp

2010-01-01 18:12 . 2009-10-17 08:37 -------- d-----w- c:\documents and settings\Ziehos\Application Data\vlc

2009-12-31 20:42 . 2008-04-18 21:28 -------- d-----w- c:\documents and settings\Ziehos\Application Data\uTorrent

2009-12-29 07:23 . 2009-05-03 07:22 -------- d-----w- c:\program files\PeerGuardian2

2009-12-25 17:25 . 2008-10-22 07:52 -------- d-----w- c:\documents and settings\Ziehos\Application Data\Move Networks

2009-12-25 17:05 . 2009-08-18 20:11 143976 ----a-w- c:\documents and settings\Ziehos\Application Data\Move Networks\uninstall.exe

2009-12-25 17:05 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Ziehos\Application Data\Move Networks\plugins\npqmp071701000002.dll

2009-12-25 17:05 . 2009-12-25 17:05 1794456 ----a-w- c:\documents and settings\Ziehos\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe

2009-12-25 09:25 . 2007-02-21 23:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-12-23 12:17 . 2009-05-01 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-23 05:56 . 2008-09-14 12:57 -------- d-----w- c:\program files\CCleaner

2009-12-02 20:43 . 2009-10-24 07:25 -------- d-----w- c:\documents and settings\Ziehos\Application Data\dvdcss

2009-11-29 22:08 . 2009-11-29 22:08 -------- d-----w- c:\program files\CyberFOX Software

2009-11-20 22:32 . 2003-03-31 12:00 1032192 ------w- c:\windows\explorer.exe

2009-11-14 00:54 . 2009-11-14 00:54 -------- d-----w- c:\documents and settings\Ziehos\Application Data\Audacity

2009-11-14 00:54 . 2009-10-25 10:52 16 ----a-w- c:\windows\msocreg32.dat

2009-11-14 00:52 . 2009-11-14 00:52 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

2009-10-29 07:45 . 2006-02-24 19:26 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 06:00 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-16 16:09 . 2009-03-12 21:50 117760 ----a-w- c:\documents and settings\Ziehos\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Ziehos\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

2009-10-13 10:53 . 2006-05-14 09:13 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2003-03-31 12:00 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2003-03-31 12:00 112128 ----a-w- c:\windows\system32\rastls.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\askkicker2.exe ----

2009-12-24 00:56 . 2009-12-24 00:56 3863294 ----a-w- c:\askkicker2.exe\ComboFix.exe

2009-12-24 00:53 . 2009-12-24 00:53 388608 ----a-r- c:\askkicker2.exe\CF11934.cfxxe

2009-12-24 00:53 . 2000-08-31 14:00 141312 ----a-r- c:\askkicker2.exe\ComboFix-Download.cfxxe

---- Directory of C:\frequencyemulations ----

2009-12-24 00:40 . 2009-12-24 00:40 2402432 ----a-w- c:\frequencyemulations\ATTRACTMATE-GENERAL-1-Elixir.mp3

2009-12-24 00:40 . 2009-12-24 00:40 1202304 ----a-w- c:\frequencyemulations\AnxietyFree-Elixir.mp3

2009-12-24 00:39 . 2009-12-24 00:40 2402432 ----a-w- c:\frequencyemulations\SLEEPPRIMER-BEFORESLEEP-Elixir.mp3

2009-12-24 00:39 . 2009-12-24 00:39 1202304 ----a-w- c:\frequencyemulations\HEALVIAMANYLEVELS-Elixir.mp3

2009-12-24 00:35 . 2009-12-24 00:35 821801 ----a-w- c:\frequencyemulations\dmae3.mp3

2009-12-24 00:35 . 2009-12-24 00:35 800706 ----a-w- c:\frequencyemulations\heartgroove.mp3

2009-12-24 00:34 . 2009-12-24 00:34 821376 ----a-w- c:\frequencyemulations\blockrem.mp3

2009-12-24 00:34 . 2009-12-24 00:34 809850 ----a-w- c:\frequencyemulations\negaway.mp3

2009-12-24 00:33 . 2009-12-24 00:33 800417 ----a-w- c:\frequencyemulations\lsd5.mp3

2009-12-24 00:33 . 2009-12-24 00:33 822369 ----a-w- c:\frequencyemulations\mentalstamina.mp3

2009-12-24 00:32 . 2009-12-24 00:32 799722 ----a-w- c:\frequencyemulations\youthret2.mp3

2009-12-24 00:32 . 2009-12-24 00:32 821334 ----a-w- c:\frequencyemulations\mmfizz.mp3

2009-12-24 00:32 . 2009-12-24 00:32 800478 ----a-w- c:\frequencyemulations\goodluck.mp3

2009-12-24 00:32 . 2009-12-24 00:32 821805 ----a-w- c:\frequencyemulations\amethyst3.mp3

2009-12-24 00:02 . 2009-12-24 00:04 24001503 ----a-w- c:\frequencyemulations\salviacosmic.mp3

---- Directory of C:\safelinecell ----

2009-12-24 03:33 . 2009-12-24 03:34 13730436 ----a-w- c:\safelinecell\srb.zip

2009-12-24 03:06 . 2009-12-24 03:06 55704 ----a-w- c:\safelinecell\form.pdf

2009-12-24 03:06 . 2009-12-24 03:06 24 ----a-w- c:\safelinecell\safelinkID.txt

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Ziehos\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 22:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hawking Wireless Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hawking Wireless Utility.lnk

backup=c:\windows\pss\Hawking Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk

backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]

1998-12-01 00:04 497376 ----a-w- c:\windows\p_981116.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 15:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]

2008-08-14 22:11 565008 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2008-08-14 22:15 2407184 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2003-07-13 08:49 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2008-03-14 23:50 233472 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2008-08-12 23:19 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-11-15 10:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-01-26 21:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-01-27 21:42 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Common Files\\System\\WGAcrack.exe"=

"c:\\Program Files\\Neuro-Programmer 2 Professional\\Neuro-Programmer 2.exe"=

"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

"c:\\Program Files\\Common Files\\LogiShrd\\LVCOMSER\\LVComSer.exe"=

"c:\\Documents and Settings\\Ziehos\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5060:UDP"= 5060:UDP:magicjack

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/9/2005 5:52 PM 75904]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

S3 ZD1211U(Hawking Technologies);HWL2 WiFi Locator Professional Edition(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [4/16/2006 5:58 PM 274944]

S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [4/16/2006 5:58 PM 19200]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/7/2007 6:16 PM 717296]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Ahyegpry

EsauZxyanod

.

Contents of the 'Scheduled Tasks' folder

2009-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-01 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: &Search - ?p=ZNfox000

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download web site with Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab

FF - ProfilePath - c:\documents and settings\Ziehos\Application Data\Mozilla\Firefox\Profiles\z1c93oeu.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - plugin: c:\documents and settings\Ziehos\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\Ziehos\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: XUL Cache: {2F78DA98-0254-4257-A99B-BCED53DFCB9E} - c:\documents and settings\Ziehos\Local Settings\Application Data\{2F78DA98-0254-4257-A99B-BCED53DFCB9E}\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-01 12:27

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\System32\NavLogon.dll

- - - - - - - > 'explorer.exe'(7152)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\ewido anti-spyware 4.0\guard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\System32\NOTEPAD.EXE

c:\documents and settings\Ziehos\Application Data\mjusbsp\magicJack.exe

.

**************************************************************************

.

Completion time: 2010-01-01 12:34:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-01 18:34

ComboFix2.txt 2009-12-30 13:43

ComboFix3.txt 2009-12-24 01:33

ComboFix4.txt 2009-11-23 12:07

ComboFix5.txt 2010-01-01 18:17

Pre-Run: 1,234,313,216 bytes free

Post-Run: 1,162,719,232 bytes free

- - End Of File - - 5741342C2B405BD33C80120295A4F7E2


  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Alright, did a full scan; here's the report. I still cannot modify my desktop wallpaper/background because tabs are missing. Internet Explorer seems to be missing pictures, but I usually use Mozilla Firefox, so this doesn't matter much to me.

Online Scanner - Scanning Report - Wednesday, January 6, 2010 11:57:11

Scanning Report

Wednesday, January 6, 2010 10:44:05 - 11:57:11

Computer name: SCOTT

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

12 malware found

TrackingCookie.Atdmt (spyware)

  • System (Disinfected)

TrackingCookie.Doubleclick (spyware)

  • System (Disinfected)

TrackingCookie.Revsci (spyware)

  • System (Disinfected)

TrackingCookie.Adbrite (spyware)

  • System (Disinfected)

Trojan.Generic.1725774 (spyware)

  • System (Disinfected)

Gen:Trojan.Heur.bu1@zGoSS1pi (spyware)

  • System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

  • System (Disinfected)

Backdoor.Generic.58076 (virus)

  • C:\WINDOWS\DRIVER\I386\WINLOGON.EXE (Renamed & Submitted)

Trojan.Generic.1173892 (virus)

  • C:\PROGRAM FILES\NEURO-PROGRAMMER 2 PROFESSIONAL\BASSSYNC.DLL (Renamed & Submitted)

Trojan.Generic.2654825 (virus)

  • C:\PROGRAM FILES\MOZILLA FIREFOX\A.EXE (Renamed & Submitted)

Backdoor.Generic.203825 (virus)

  • C:\DOCUMENTS AND SETTINGS\ZIEHOS\MY DOCUMENTS\DOWNLOADS\IK.MULTIMEDIA.AMPLITUBE.FENDER.V1.0.VST.RTAS.INCL.DYNAMICS.EXE (Renamed & Submitted)

Trojan.Generic.1227114 (virus)

  • C:\PROGRAM FILES\DOWNLOADS\MALWAREBYTES' ANTI-MALWARE 1.32.EXE (Renamed)

Statistics

Scanned:

  • Files: 37722
  • System: 4064
  • Not scanned: 7

Actions:

  • Disinfected: 7
  • Renamed: 5
  • Deleted: 0
  • Not cleaned: 0
  • Submitted: 4

Files not scanned:

  • C:\PAGEFILE.SYS
  • C:\WINDOWS\SYSTEM32\CONFIG\SAM
  • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
  • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
  • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
  • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
  • C:\DOCUMENTS AND SETTINGS\ZIEHOS\LOCAL SETTINGS\TEMP\ETILQS_YFXF7JKTLZJVFRSRJAMC

Options

Scanning engines: Scanning options:

  • Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
  • Use advanced heuristics

Here's the SecurityCheck.exe log:

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 2

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

ewido anti-spyware 4.0

Spybot - Search & Destroy

SUPERAntiSpyware Free Edition

Trojan Remover 6.8.1

HijackThis 2.0.2

CCleaner

Java 6 Update 14

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.2

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Ziehos LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe

Ziehos LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe

Ziehos LOCALS~1 Temp fsonlinescanner.exe

``````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

"Hidden"=dword:00000002

"ShowCompColor"=dword:00000001

"HideFileExt"=dword:00000001

"DontPrettyPath"=dword:00000000

"ShowInfoTip"=dword:00000001

"HideIcons"=dword:00000000

"MapNetDrvBtn"=dword:00000000

"WebView"=dword:00000001

"Filter"=dword:00000000

"SuperHidden"=dword:00000000

"SeparateProcess"=dword:00000000

"ListviewAlphaSelect"=dword:00000001

"ListviewShadow"=dword:00000001

"ListviewWatermark"=dword:00000001

"TaskbarAnimations"=dword:00000001

"StartMenuInit"=dword:00000002

"StartButtonBalloonTip"=dword:00000002

"TaskbarSizeMove"=dword:00000001

"TaskbarGlomming"=dword:00000000

"ServerAdminUI"=dword:00000000

"CascadeNetworkConnections"="YES"

"Start_AdminToolsRoot"=dword:00000000

"EnableBalloonTips"=dword:00000000

"Start_ShowNetPlaces_ShouldShow"=dword:00000041

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoDriveTypeAutoRun"=dword:00000143

"NoBandCustomize"=dword:00000000

"NoDriveAutoRun"=dword:03ffffff

"NoDrives"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000


  • Staff

Hi,

Download this Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Double-click regsearch.exe to start it. In the top window, enter wallpaper as the search string on the first line. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will be saved to the Desktop as well as RegSearch.txt). Post this text in your next reply.


  • Staff

Hi,

My apologies for the delay.

First, please back up your Registry with ERUNT.

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Please open Notepad. Copy and paste the following text (starting with REGEDIT4) into the Notepad document.

Navigate to File --> Save As..., and save the file as Fix.reg (make sure the Save As Type is set to All Files).

Save it to your Desktop.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoActiveDesktopChanges"=hex:00,00,00,00

"NoActiveDesktop"=dword:00000000

"NoSaveSettings"=dword:00000000

"ClassicShell"=dword:00000000

"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"NoDispAppearancePage"=dword:00000000

"NoColorChoice"=dword:00000000

"NoSizeChoice"=dword:00000000

"NoDispBackgroundPage"=dword:00000000

"NoDispScrSavPage"=dword:00000000

"NoDispCPL"=dword:00000000

"NoVisualStyleChoice"=dword:00000000

"NoDispSettingsPage"=dword:00000000

"NoDispScrSavPage"=dword:00000000

"NoVisualStyleChoice"=dword:00000000

"NoSizeChoice"=dword:00000000

"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]

"ThemeActive"="1"

"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\

00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\

6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\

00,00,00

Now navigate to your Desktop, and double click fix.reg (Click Yes to the prompt)

Restart your computer and see if the tabs were restored.


Sorry for the delay. I tried exactly what was pasted last time and just tried doing all the steps over again right now. I ran ERUNT, saved the backup to the folder and double-clicked fix.reg (with all the text in it); it just opens, with no errors and no prompt like you said. I restarted the computer immediately and everything is still the same.


  • Staff

Hi,

Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java™ 6 Update 14

Adobe Reader 8.1.2

Restart your computer.

Get the latest version of Java and Adobe Reader.

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful, and if it fixes the problem.

-screen317


I have the most recent versions of Adobe and Java, and the older versions were uninstalled earlier. I tried installing Service Pack 3; it got to the end of the installation (said it was cleaning up) and I noticed it kept refreshing the desktop like it was stalled trying to do something. I opened the Task Manager and saw that update.exe kept opening and closing; the whole installation window eventually closed by itself, leaving me with Service Pack 2. I don't know how else to install it, so I don't know what else to do.


OK, whoops, sorry for the double post, but it did update. I thought since the window closed it wasn't going to work, but it asked me later if I wanted to restart and I did. I now have Service Pack 3, but there are still tabs missing under Properties where I change the desktop wallpaper. I still cannot change the wallpaper, so no issues resolved.


  • Staff

Hi,

First, please back up your Registry with ERUNT.

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Please open Notepad. Copy and paste the following text (starting with REGEDIT4) into the Notepad document.

Navigate to File --> Save As..., and save the file as Fix.reg (make sure the Save As Type is set to All Files).

Save it to your Desktop.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoThemesTab"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoThemesTab"=dword:00000000

"NoDispScrSavPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"NoDispScrSavPage"=dword:00000000

Now navigate to your Desktop, and double click fix.reg (Click Yes to the prompt)

Restart your computer and see if it is fixed.

-screen317

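As an added example (not from this thread, nor from ERUNT or any other tool it mentions), here is a small parser for the .reg format used in both Fix.reg files above. It reports which of the Display Properties lockdown policies those files reset are still active in an export, and decodes the hex(2) DllName value from the first Fix.reg; the export it runs on is constructed, since the thread never shows the values actually set on the affected machine.

```python
"""Audit a .reg export for the Explorer/System policy values that hide the
Display Properties tabs (the values the two Fix.reg files reset to 0).
Added example; the SAMPLE_REG export below is constructed for illustration."""
import re

# Policy values named in the two Fix.reg files; a nonzero DWORD (or a
# non-zero hex blob) restricts the Display Properties dialog.
DISPLAY_LOCKDOWN_VALUES = {
    "NoDispCPL", "NoDispBackgroundPage", "NoDispScrSavPage",
    "NoDispAppearancePage", "NoDispSettingsPage", "NoThemesTab",
    "NoActiveDesktop", "NoActiveDesktopChanges", "NoChangingWallPaper",
    "NoColorChoice", "NoSizeChoice", "NoVisualStyleChoice", "NoSaveSettings",
}

def _join_continuations(text):
    """Join the backslash-continued lines regedit uses for long hex values."""
    out = []
    for line in text.splitlines():
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + line.strip()
        else:
            out.append(line.rstrip())
    return out

def _decode_value(raw):
    """Turn the right-hand side of a name=value line into a Python value."""
    if raw == "-":
        return None                      # "=-" deletes the value
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)      # bare "hex:" is REG_BINARY (3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2):               # REG_SZ / REG_EXPAND_SZ, UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    raise ValueError("unsupported value syntax: " + raw)

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}."""
    result, key = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.match(r'(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or key is None:
            raise ValueError("unparseable line: " + line)
        name = m.group(1) if m.group(1) is not None else "@"
        result[key][name] = _decode_value(m.group(2))
    return result

def find_display_restrictions(parsed):
    """Return (key, name, value) for every lockdown policy that is active."""
    hits = []
    for key, values in parsed.items():
        if "\\Policies\\" not in key:
            continue
        for name, value in values.items():
            if name not in DISPLAY_LOCKDOWN_VALUES or value is None:
                continue
            active = value != 0 if isinstance(value, int) else any(value)
            if active:
                hits.append((key, name, value))
    return hits

# Constructed sample: a locked-down export using the same keys as the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:01,00,00,00
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispCPL"=dword:00000000
"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"""

if __name__ == "__main__":
    for key, name, value in find_display_restrictions(parse_reg(SAMPLE_REG)):
        print("restriction active: [%s] %s = %r" % (key, name, value))
```

Running it on a RegSearch.txt or regedit export of the user's own hive shows at a glance which policy still hides the tabs after a Fix.reg merge.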
