Computing.Net
Adyield manager, popups and more..
Original Message
Name: liitro
Date: August 17, 2008 at 05:15:37 Pacific
Subject: Adyield manager, popups and more..
OS: Windows XP
CPU/Ram: AMD64 3200+ 1024mb
Model/Manufacturer: HP
Comment: Hey guys! Recently I've started to have this problem: I get adyieldmanager spyware ads at most of the sites I visit, which keep making beeping noises and shaking :( (example: http://imageshack.dk/imagesfree/hzg... 2 right there). On top of that I get Internet Explorer pop-ups even though I use Firefox, Google search isn't working and some webpages don't open at all (the other computer opens them just fine). I've scanned my computer with AvastAV and Ad-Aware, and I have ZoneAlarm installed. I'm out of tricks, help!
Response Number 1
Name: jabuck
Date: August 17, 2008 at 07:20:55 Pacific
Reply: Please download and install the latest version of HijackThis v2.0.2. Download the "HijackThis" Installer from this link: Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Response Number 2
Name: liitro
Date: August 17, 2008 at 07:45:32 Pacific
Reply:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:43:19, on 17.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mIRC\mirc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kige\Työpöytä\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: HP-näkymä - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [8cade0cd] rundll32.exe "C:\WINDOWS\system32\ckmxwduy.dll",b
O4 - HKLM\..\Run: [BM8f9ed351] Rundll32.exe "C:\WINDOWS\system32\vebvcakp.dll",s
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Lataa FlashGetillä - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Lataa kaikki FlashGetillä - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C1FFBCD-49FB-4713-B71E-51DBC4666BA5}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: jrnehv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect -palvelu (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8602 bytes

There you go.
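Added example (not from this thread and not HijackThis' own code): a small triage script for a HijackThis log like the one posted above. It reads the O4 Run entries, the O20 AppInit_DLLs line and the O23 service lines and scores the features that the Vundo-style entries in this log share (a Run value named with random hex, rundll32 invoking a DLL by a single-letter export, a generated-looking DLL name). The scoring rules are our own heuristics, not anything HijackThis reports; the sample lines are copied from the log above, and the output is a list of candidates for a helper to check by hand, not a verdict.

```python
"""Triage a HijackThis (HJT) log for the persistence entries that adware and
Vundo-family trojans typically use.

Added example for this thread; it is not HijackThis' own code. The scoring
rules are our own heuristics, not anything HJT itself reports, and they
produce candidates to look at by hand, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [8cade0cd] rundll32.exe "C:\WINDOWS\system32\ckmxwduy.dll",b
O4 - HKLM\..\Run: [BM8f9ed351] Rundll32.exe "C:\WINDOWS\system32\vebvcakp.dll",s
O20 - AppInit_DLLs: jrnehv.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    line: str
    severity: str  # "high" = strong Vundo-style indicator, "review" = verify by hand
    reason: str


# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] ["]<path>.dll["],<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\S*)', re.IGNORECASE)
# Vundo-style Run value names: 8+ hex characters (optionally "BM"-prefixed) containing a digit.
HEXNAME_RE = re.compile(r'^(?:BM)?(?=[0-9a-f]*\d)[0-9a-f]{8,}$')


def looks_random(filename: str) -> bool:
    """Heuristic for generated names such as ckmxwduy.dll: 6-10 lowercase
    letters, no digits or capitals, and few vowels."""
    if filename != filename.lower():
        return False  # vendor DLLs are usually mixed case (NvCpl.dll)
    stem = filename.rsplit('.', 1)[0]
    if not re.fullmatch(r'[a-z]{6,10}', stem):
        return False
    vowels = sum(ch in 'aeiouy' for ch in stem)
    return vowels / len(stem) <= 0.34


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = RUN_RE.match(line)
    if m:
        score, why = 0, []
        if HEXNAME_RE.match(m['name']):
            score += 2
            why.append('Run value name is random hex')
        r = RUNDLL_RE.match(m['cmd'])
        if r:
            if len(r['export']) == 1:
                score += 2
                why.append('rundll32 calls a single-letter export')
            if looks_random(r['dll'].rsplit('\\', 1)[-1]):
                score += 1
                why.append('DLL name looks generated')
        if score >= 3:
            return Finding(line, 'high', '; '.join(why))
        if score >= 2:
            return Finding(line, 'review', '; '.join(why))
        return None
    if line.startswith('O20 - AppInit_DLLs:'):
        value = line.split(':', 1)[1].strip()
        if value:
            sev = 'high' if looks_random(value.rsplit('\\', 1)[-1]) else 'review'
            return Finding(line, sev, 'AppInit_DLLs is loaded into every process that links user32.dll')
        return None
    if line.startswith('O23 - Service:') and 'Unknown owner' in line:
        return Finding(line, 'review', 'service without a recorded vendor; verify the binary')
    return None


def triage(log_text: str) -> list:
    """Run triage_line over every non-blank line, keeping log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f:
                findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.line}\n         {f.reason}')
```

On the sample it flags the two rundll32 Run entries and the AppInit_DLLs line as high, lists the PnkBstrA service (no vendor recorded) for review, and says nothing about the Java, NVIDIA and avast! entries. A "review" hit is exactly that: PnkBstrA is a known game anti-cheat service, and only checking the binary settles it.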
Response Number 3
Name: jabuck
Date: August 17, 2008 at 08:31:43 Pacific
Reply: Please download Malwarebytes' Anti-Malware from one of these sites: MalwareBytes1 MalwareBytes2
Be sure to follow the instructions in step 6 after the scan has finished.
1. Double click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.

Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3
Combofix is a powerful tool, so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or Combofix and remove some of its embedded files, which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe. Follow the prompts. (Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.
Response Number 4
Name: liitro
Date: August 17, 2008 at 11:42:44 Pacific
Reply: I ran the Anti-Malware scan and it found a bunch of infected files and I deleted them all. Had some troubles though with ComboFix, my computer stalled the moment I started the scan (clock didn't move etc.) even though I didn't do anything. Anyway, I think the A-M scan was enough, because all the problems disappeared, thanks a lot! Here's the A-M log:

Malwarebytes' Anti-Malware 1.24
Tietokantaversio: 1061
Windows 5.1.2600 Service Pack 2

20:50:54 17.8.2008
mbam-log-8-17-2008 (20-50-54).txt

Tarkistustyyppi: Pikatarkistus
Tarkistetut kohteet: 43079
Kulunut aika: 3 minute(s), 13 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 4
Saastuneita rekisteriavaimia: 22
Saastuneita rekisteriarvoja: 6
Saastuneita rekisterikohteita: 2
Saastuneita hakemistoja: 6
Saastuneita tiedostoja: 37

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
C:\WINDOWS\system32\ckmxwduy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\khfETkIa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jrnehv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ljJAPJcD.dll (Trojan.Vundo) -> Delete on reboot.

Saastuneita rekisteriavaimia:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34d928d0-a63d-441f-9b81-cca92591ff87} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{34d928d0-a63d-441f-9b81-cca92591ff87} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8dba8c59-b360-4d2d-8d63-9d0a68ea25b8} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8dba8c59-b360-4d2d-8d63-9d0a68ea25b8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6bc03760-586e-4d52-9fca-b4ac1415bf16} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6bc03760-586e-4d52-9fca-b4ac1415bf16} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjapjcd (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Saastuneita rekisteriarvoja:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8cade0cd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6bc03760-586e-4d52-9fca-b4ac1415bf16} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm8f9ed351 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\filterdrv\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\käynnistä-valikko\ohjelmat\adwarealert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Saastuneita rekisterikohteita:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfetkia -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfetkia -> Delete on reboot.

Saastuneita hakemistoja:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kige\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kige\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kige\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Saastuneita tiedostoja:
C:\WINDOWS\system32\jrnehv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\khfETkIa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aIkTEfhk.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aIkTEfhk.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckmxwduy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yudwxmkc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJAPJcD.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\jugrxn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tcbqiqbi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaoxvupx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\heisjejx.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.url (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\DataBase.ref (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Difxapi.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\vistaCPtasks.xml (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.amd64.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.cat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.inf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.x86.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kige\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kige\Application Data\AdwareAlert\Log\2008 Aug 17 - 01_30_18 PM_453.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kige\Application Data\AdwareAlert\Log\2008 Aug 17 - 01_30_21 PM_718.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kige\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vebvcakp.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnljkLf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8f9ed351.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8f9ed351.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Työpöytä\AdwareAlert.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
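Added example (not from this thread and not Malwarebytes' code): a parser that reads a Malwarebytes' Anti-Malware log like the one above and separates what was actually quarantined from what is still marked "Delete on reboot", grouped by threat family. It keys on the " -> " action marker that every item line carries, so the localised section headings (Finnish here) are simply skipped. It also calls out items under the LSA and Winlogon\Notify keys, since packages registered there are loaded by lsass and winlogon, not just stored on disk. The sample lines are copied from the log above; the field names in the returned records are our own.

```python
"""Summarise a Malwarebytes' Anti-Malware (MBAM) removal log: what was
quarantined, what is still waiting for "Delete on reboot", and which items
sit in registry locations loaded by lsass/winlogon.

Added example for this thread; not Malwarebytes' code. Record field names
are our own choice.
"""
import re
from collections import Counter

# Constructed sample: a subset of the MBAM log above, headings included.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.24
Tietokantaversio: 1061

Saastuneita muistimoduuleja:
C:\WINDOWS\system32\ckmxwduy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jrnehv.dll (Trojan.Vundo) -> Delete on reboot.

Saastuneita rekisteriavaimia:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjapjcd (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Saastuneita rekisterikohteita:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfetkia -> Delete on reboot.

Saastuneita tiedostoja:
C:\WINDOWS\system32\vebvcakp.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> [Data: <value> -> ]<action>."
ITEM_RE = re.compile(r'^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$')

# Registry locations whose contents are loaded by lsass/winlogon; a detection
# here means the DLL was active inside those processes.
SENSITIVE_KEYS = ('\\control\\lsa\\', '\\winlogon\\notify\\')


def parse_mbam(text: str) -> list:
    """Return one record per detection line; headings and counters are skipped."""
    records = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if not m:
            continue
        rest = m['rest']
        # The action is always the last " -> " segment; a "Data:" segment may precede it.
        action = rest.rsplit(' -> ', 1)[-1].rstrip('.')
        data = None
        if ' -> ' in rest:
            data = rest.rsplit(' -> ', 1)[0]
            if data.startswith('Data: '):
                data = data[len('Data: '):]
        item = m['item']
        records.append({
            'item': item,
            'family': m['family'],
            'action': action,
            'data': data,
            'pending_reboot': action.lower().startswith('delete on reboot'),
            'sensitive': any(k in item.lower() for k in SENSITIVE_KEYS),
        })
    return records


def summarize(records: list) -> dict:
    """Counts by family and action, plus the items that are not gone yet."""
    return {
        'by_family': Counter(r['family'] for r in records),
        'by_action': Counter(r['action'] for r in records),
        'pending_reboot': [r['item'] for r in records if r['pending_reboot']],
        'sensitive': [r['item'] for r in records if r['sensitive']],
    }


if __name__ == '__main__':
    s = summarize(parse_mbam(SAMPLE_MBAM_LOG))
    print('families:', dict(s['by_family']))
    print('actions: ', dict(s['by_action']))
    print('still pending reboot:', len(s['pending_reboot']))
    for item in s['sensitive']:
        print('  loaded by lsass/winlogon:', item)
```

A non-empty pending_reboot list is the signal to act on: those files and keys are still present until the restart completes, and a rescan after the reboot should report them gone. On the full log above, the same DLLs that MBAM lists as pending are the ones HijackThis showed loaded through the Run entries and AppInit_DLLs, which is why a reinfection check is worth doing.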
Response Number 5
Name: jabuck
Date: August 17, 2008 at 14:31:12 Pacific
Reply: The computer is not clean yet, as Malwarebytes can only partially remove Vundo in most cases; in a very short time it will return. Also, you selected some other language than English for Malwarebytes when you installed it; uninstall that and reinstall it and select English for the language. Combofix was damaged during the attempt to run it: go to Start > Run, type combofix /u (note the space after combofix), then press Enter. This will uninstall Combofix. Reinstall Combofix. As the note in the Combofix spiel said, running any antispyware, antivirus and realtime protection can damage Combofix and give unexpected results. In your case go offline, turn off Norton's antivirus, if equipped with a script blocker turn that off also, turn off or uninstall Ad-Aware, turn off Avast, then run Combofix. Also, you have two antivirus programs running; you need to decide which one you like the best and uninstall the other, as they will conflict and cause you problems. Please run Combofix and post a log, but make sure your antivirus is running when you get back online.
Response Number 6
Name: liitro
Date: August 18, 2008 at 01:26:17 Pacific
Reply: OK.. I reinstalled Anti-Malware, uninstalled Norton (it came with the computer and I didn't notice it until now) and ran ComboFix again. Here's the log:

ComboFix 08-08-17.03 - Kige 2008-08-18 11:20:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.653 [GMT 3:00]
Running from: C:\Documents and Settings\Kige\Työpöytä\ComboFix.exe
* Created a new restore point
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\IA
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\p1
C:\WINDOWS\system32\ypcfwhyc.ini
D:\Autorun.inf
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-07-18 to 2008-08-18 )))))))))))))))))
.
2008-08-18 11:18 . 2008-08-18 11:18 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 11:18 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 11:18 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 09:23 . 2008-08-18 09:23 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Application Data\Logitech
2008-08-17 20:45 . 2008-08-17 20:45 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Malwarebytes
2008-08-17 20:45 . 2008-08-17 20:45 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 00:38 . 2008-08-17 00:38 <KANSIO> d-------- C:\Program Files\War3Patcher
2008-08-17 00:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-16 23:57 . 2008-08-16 23:57 <KANSIO> d-------- C:\WINDOWS\system32\kBin19
2008-08-16 23:57 . 2008-08-16 23:57 <KANSIO> d-------- C:\Temp\epr1
2008-08-16 23:57 . 2008-08-18 11:20 <KANSIO> d-------- C:\Temp
2008-08-16 13:28 . 2008-08-16 13:28 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\teamspeak2
2008-08-15 21:01 . 2008-08-15 21:01 <KANSIO> d-------- C:\Program Files\Mio Technology
2008-08-14 21:05 . 2008-08-14 21:05 <KANSIO> d-------- C:\games
2008-08-14 21:02 . 2008-08-14 21:08 <KANSIO> d-------- C:\Program Files\DOSBox-0.72
2008-08-11 21:15 . 2008-08-11 21:15 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\AdobeUM
2008-08-11 19:22 . 2007-04-11 01:23 37,768 -ra------ C:\WINDOWS\system32\drivers\OLD3A71.tmp
2008-08-11 19:22 . 2004-09-14 16:07 31,744 --a------ C:\WINDOWS\system32\drivers\wceusbsh.sys
2008-08-11 19:22 . 2004-09-14 16:07 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2008-08-11 12:03 . 2008-08-11 12:03 <KANSIO> d-------- C:\WINDOWS\Sun
2008-08-11 12:03 . 2008-08-11 12:03 <KANSIO> d-------- C:\WINDOWS\.jagex_cache_32
2008-08-11 12:03 . 2008-08-15 13:43 24 --a------ C:\Documents and Settings\Kige\jagex_runescape_preferences.dat
2008-08-09 12:39 . 2008-08-09 12:39 <KANSIO> d-------- C:\Program Files\Common Files\Adobe
2008-08-06 15:31 . 2008-08-06 15:31 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\InterVideo
2008-08-06 15:00 . 2008-08-08 18:09 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-08-06 15:00 . 2008-08-06 15:00 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-08-06 15:00 . 2008-08-08 18:09 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-06 14:29 . 2008-08-06 14:29 <KANSIO> d-------- C:\Program Files\America's Army Server Manager
2008-08-06 14:28 . 2008-08-06 15:12 <KANSIO> d-------- C:\Program Files\America's Army
2008-08-03 20:34 . 2008-08-17 16:24 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\OpenOffice.org2
2008-08-02 19:58 . 2008-08-16 23:47 <KANSIO> d-------- C:\Program Files\EurobetPoker
2008-08-01 21:59 . 2008-08-01 21:59 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-01 19:52 . 2008-08-06 13:05 <KANSIO> d-------- C:\COSMO
2008-08-01 04:33 . 2008-08-01 04:33 <KANSIO> d-------- C:\Program Files\MSXML 4.0
2008-07-31 23:32 . 2008-08-18 11:17 246 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-07-31 23:31 . 2008-07-31 13:42 <KANSIO> d-------- C:\WINDOWS\I386
2008-07-31 23:27 . 2008-08-18 11:18 <KANSIO> dr------- C:\Program Files
2008-07-31 23:27 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\Default User\Käynnistä-valikko
2008-07-31 23:27 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\All Users\Tiedostot
2008-07-31 23:27 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\All Users\Käynnistä-valikko
2008-07-31 23:26 . 2008-08-15 21:04 <KANSIO> dr-hs---- C:\WINDOWS\system32\dllcache
2008-07-31 23:26 . 2008-07-31 23:30 <KANSIO> dr------- C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko
2008-07-31 23:24 . 2008-06-14 20:59 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-31 23:24 . 2008-06-14 20:59 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-31 22:22 . 2005-02-25 06:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-31 22:19 . 2008-07-31 22:19 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Media Player Classic
2008-07-31 22:19 . 2008-07-31 22:19 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\DivX
2008-07-31 18:41 . 2008-08-01 00:22 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Ventrilo
2008-07-31 18:15 . 2008-07-31 18:15 <KANSIO> d-------- C:\Logs
2008-07-31 18:01 . 2008-08-06 15:00 <KANSIO> d-------- C:\WINDOWS\system32\LogFiles
2008-07-31 17:34 . 2008-08-02 19:32 <KANSIO> d-------- C:\Program Files\World of Warcraft
2008-07-31 17:34 . 2008-07-31 17:48 <KANSIO> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-31 16:45 . 2008-07-31 16:45 <KANSIO> d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-31 16:43 . 2008-08-17 16:11 <KANSIO> d-------- C:\Program Files\mIRC
2008-07-31 16:43 . 2008-08-17 16:11 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\NoNameScript
2008-07-31 16:43 . 2008-07-31 16:43 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\mIRC
2008-07-31 16:40 . 2008-07-31 16:40 <KANSIO> d-------- C:\Program Files\Combined Community Codec Pack
2008-07-31 16:38 . 2008-07-31 16:38 <KANSIO> d-------- C:\Program Files\VentriloMIX
2008-07-31 16:38 . 2008-07-31 16:38 <KANSIO> d-------- C:\Program Files\DivX
2008-07-31 16:38 . 2008-06-11 03:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-31 16:38 . 2008-06-11 03:07 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-31 16:38 . 2008-06-11 03:07 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-31 16:35 . 2008-07-31 16:35 <KANSIO> d-------- C:\Program Files\QuickSFV
2008-07-31 16:28 . 2008-07-31 16:29 <KANSIO> d-------- C:\Program Files\Winamp
2008-07-31 16:28 . 2008-08-01 23:39 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Winamp
2008-07-31 16:24 . 2008-07-31 22:21 <KANSIO> d-------- C:\Program Files\FlashGet
2008-07-31 16:24 . 2004-09-15 05:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg
2008-07-31 16:17 . 2008-07-31 16:17 <KANSIO> d-------- C:\Program Files\DAEMON Tools Lite
2008-07-31 16:13 . 2008-07-31 16:13 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\DAEMON Tools
2008-07-31 16:13 . 2008-07-31 16:13 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-31 14:35 . 2004-09-14 16:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-31 14:35 . 2004-09-14 16:07 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-31 14:35 . 2001-10-05 15:59 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-31 14:34 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-31 14:34 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-31 14:16 . 2008-07-31 14:24 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-07-31 14:16 . 2008-08-17 00:43 120,367 --a------ C:\WINDOWS\War3Unin.dat
2008-07-31 14:16 . 2008-07-31 14:24 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-31 14:13 . 2008-08-17 23:17 <KANSIO> d-------- C:\Program Files\Warcraft III
2008-07-31 14:07 . 2008-07-31 14:09 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-31 14:06 . 2008-07-31 14:06 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\MailFrontier
2008-07-31 14:04 . 2008-08-18 11:21 3,336,224 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-31 14:04 . 2008-08-18 09:28 40,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-31 14:00 . 2008-07-31 14:00 <KANSIO> d-------- C:\Program Files\Zone Labs
2008-07-31 14:00 . 2008-07-31 16:19 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-31 13:58 . 2008-08-06 03:15 <KANSIO> d-------- C:\WINDOWS\Internet Logs
2008-07-31 13:57 . 2008-07-31 13:57 <KANSIO> d-------- C:\Program Files\Alwil Software
2008-07-31 13:53 . 2008-07-31 13:53 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Logitech
2008-07-31 13:53 . 2008-07-31 13:53 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-07-31 13:52 . 2008-07-31 13:52 <KANSIO> d-------- C:\Program Files\Logitech
2008-07-31 13:52 . 2008-07-31 13:52 <KANSIO> d-------- C:\Program Files\Common Files\Logishrd
2008-07-31 13:52 . 2008-07-31 13:52 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\InstallShield
2008-07-31 13:52 . 2008-07-31 13:52 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-31 13:52 . 2008-05-02 02:38 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-07-31 13:52 . 2008-05-02 02:39 170,512 --a------ C:\WINDOWS\system32\kemutb.dll
2008-07-31 13:52 . 2008-05-02 02:39 145,936 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-07-31 13:52 . 2008-05-02 02:40 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-07-31 13:52 . 2008-05-02 02:40 84,496 --a------ C:\WINDOWS\system32\KemXML.dll
2008-07-31 13:50 . 2008-07-31 13:50 <KANSIO> d-------- C:\WINDOWS\Logs
2008-07-31 13:46 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-31 13:46 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-31 13:45 . 2008-07-31 13:45 <KANSIO> d-------- C:\NVIDIA
2008-07-31 13:44 . 2008-07-31 13:44 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-31 13:42 . 2005-01-01 16:42 <KANSIO> d-------- C:\Documents and Settings\Kige\WINDOWS
2008-07-31 13:42 . 2004-12-14 20:30 <KANSIO> d--h----- C:\Documents and Settings\Kige\Verkkoympäristö
2008-07-31 13:42 . 2008-08-18 11:19 <KANSIO> d-------- C:\Documents and Settings\Kige\Työpöytä
2008-07-31 13:42 . 2004-12-14 20:30 <KANSIO> d--h----- C:\Documents and Settings\Kige\Tulostinympäristö
2008-07-31 13:42 . 2008-07-31 13:42 <KANSIO> dr------- C:\Documents and Settings\Kige\Suosikit
2008-07-31 13:42 . 2008-08-09 12:39 <KANSIO> dr------- C:\Documents and Settings\Kige\Omat tiedostot
2008-07-31 13:42 . 2008-07-31 23:31 <KANSIO> d--h----- C:\Documents and Settings\Kige\Mallit
2008-07-31 13:42 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\Kige\Käynnistä-valikko
2008-07-31 13:42 . 2008-08-06 03:10 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Symantec
2008-07-31 13:42 . 2005-01-01 16:51 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\SampleView
2008-07-31 13:42 . 2005-01-01 16:42 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Apple Computer
2008-07-31 13:42 . 2008-08-18 09:24 <KANSIO> d-------- C:\Documents and Settings\Kige
2008-07-31 13:39 . 2005-01-01 16:42 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\WINDOWS
2008-07-31 13:39 . 2004-12-14 20:30 <KANSIO> d--h----- C:\Documents and Settings\HP_Omistaja\Verkkoympäristö
2008-07-31 13:39 . 2008-07-31 13:40 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Työpöytä
2008-07-31 13:39 . 2004-12-14 20:30 <KANSIO> d--h----- C:\Documents and Settings\HP_Omistaja\Tulostinympäristö
2008-07-31 13:39 . 2008-07-31 13:40 <KANSIO> dr------- C:\Documents and Settings\HP_Omistaja\Suosikit
2008-07-31 13:39 . 2008-07-31 13:40 <KANSIO> dr------- C:\Documents and Settings\HP_Omistaja\Omat tiedostot
2008-07-31 13:39 . 2008-07-31 23:31 <KANSIO> d--h----- C:\Documents and Settings\HP_Omistaja\Mallit
2008-07-31 13:39 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\HP_Omistaja\Käynnistä-valikko
2008-07-31 13:39 . 2005-01-01 16:58 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Application Data\Symantec
2008-07-31 13:39 . 2005-01-01 16:51 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Application Data\SampleView
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 08:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-18 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-18 06:27 --------- d-----w C:\Program Files\Symantec
2008-08-16 21:38 --------- d-----w C:\Program Files\War3Patcher
2008-08-16 21:37 --------- d-----w C:\Program Files\Java
2008-08-15 18:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 20:31 669,184 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-08-03 02:33 473,088 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-08-03 02:33 1,588,736 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-08-02 00:14 488,448 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-31 19:23 523,264 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-31 13:38 --------- d-----w C:\Program Files\VentriloMIX
2008-07-31 11:01 2,593 ----a-w C:\WINDOWS\Internet Logs\~GLBS383.TMP
2008-07-09 06:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 06:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:49 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-06-20 17:41 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 246,784 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-30 11:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 11:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 11:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 11:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 11:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 11:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 11:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.
(((((((((((((((((((((((((((((( Registry startup points )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty values and legitimate default values are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-21 11:30 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 22:34 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 22:29 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-26 00:17 90112]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 17:38 78008]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 23:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 76304 C:\WINDOWS\KHALMNPR.Exe]

C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko\Ohjelmat\Käynnistys\
AutoTBar.exe [2003-09-30 22:30:04 57344]

C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko\Ohjelmat\Käynnistys\
AutoTBar.exe [2003-09-30 22:30:04 57344]

C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-31 13:52:25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jrnehv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kige^Käynnistä-valikko^Ohjelmat^Käynnistys^OpenOffice.org 2.4.lnk]
path=C:\Documents and Settings\Kige\Käynnistä-valikko\Ohjelmat\Käynnistys\OpenOffice.org 2.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-10-14 00:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-15 00:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 17:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 17:37]
R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 21:54]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-WinampAgent - C:\Program Files\Winamp\winampa.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kige\Application Data\Mozilla\Firefox\Profiles\xfc1o1s4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.fi/
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 11:21:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-18 11:22:27
ComboFix-quarantined-files.txt 2008-08-18 08:22:24

Pre-Run: 169,526,587,392 bytes free
Post-Run: 169,526,996,992 bytes free

275 --- E O F --- 2008-08-15 00:00:53

Response Number 7
Name: jabuck
Date: August 18, 2008 at 15:04:37 Pacific
Reply: Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::

File::
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ypcfwhyc.ini
D:\Autorun.inf

Driver::
jrnehv

Folder::
C:\WINDOWS\system32\p1
C:\Temp\1cb
C:\WINDOWS\IA
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\kBin19
C:\Temp\epr1
C:\Temp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start click "run". Post a new ComboFix log.
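The triage jabuck does by hand in the reply above (spotting the populated AppInit_DLLs value in the ComboFix registry section and scripting its removal with the REGEDIT4 "=-" delete syntax) can be automated. What follows is an added example written for this page; it is not code from the thread, from ComboFix or from any of the tools named here. It parses the "[key]" / "name"=value lines of a ComboFix-style registry-startup section, flags the three indicators visible in the log (a non-empty AppInit_DLLs, the Windows Firewall standard profile switched off, Security Center monitoring suppressed) and drafts the Registry:: part of a CFScript for the AppInit_DLLs finding only. The sample log text is constructed from the entries quoted in the thread, and the two regular expressions are an assumption about the log layout, which varies between ComboFix versions.

```python
"""Triage the registry-startup section of a ComboFix-style log.

Added example for this thread, not ComboFix's own code.  AppInit_DLLs is
loaded into every process that maps user32.dll, which is how a DLL like
jrnehv.dll keeps running after the on-access scanners have been installed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 17:38 78008]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jrnehv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

# Assumed line shapes: "[key]" section headers and '"name"=value' entries.
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


@dataclass(frozen=True)
class Entry:
    key: str
    name: str
    value: str


def parse_registry_section(text: str) -> list[Entry]:
    """Attach each '"name"=value' line to the most recent '[key]' header."""
    entries: list[Entry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group('key')
        elif (m := VALUE_RE.match(line)) and current_key is not None:
            entries.append(Entry(current_key, m.group('name'), m.group('value').strip()))
    return entries


def dword(value: str) -> int | None:
    """Decode 'dword:00000001' or the '0 (0x0)' form ComboFix prints; None otherwise."""
    if value.lower().startswith('dword:'):
        return int(value[6:], 16)
    m = re.match(r'^(\d+)', value)
    return int(m.group(1)) if m else None


def triage(entries: list[Entry]) -> list[tuple[str, Entry, str]]:
    """Return (severity, entry, reason) for every entry that matches a rule."""
    findings: list[tuple[str, Entry, str]] = []
    for e in entries:
        key, name = e.key.lower(), e.name.lower()
        if key.endswith(r'windows nt\currentversion\windows') and name == 'appinit_dlls' and e.value:
            findings.append(('high', e, 'AppInit_DLLs injects this DLL into every GUI process'))
        elif name == 'enablefirewall' and dword(e.value) == 0:
            # Expected when a third-party firewall (ZoneAlarm here) owns the job; confirm before acting.
            findings.append(('medium', e, 'Windows Firewall profile disabled'))
        elif name == 'disablemonitoring' and dword(e.value) == 1:
            findings.append(('low', e, 'Security Center no longer monitors this product'))
    return findings


def build_cfscript(findings: list[tuple[str, Entry, str]]) -> str:
    """Draft the Registry:: block of a CFScript that clears high-severity values,
    using the REGEDIT4 '"name"=-' delete syntax the thread's own script uses.
    Firewall findings are left for the analyst rather than scripted away."""
    lines = ['Registry::']
    for severity, e, _ in findings:
        if severity == 'high':
            lines += [f'[{e.key}]', f'"{e.name}"=-']
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = triage(parse_registry_section(SAMPLE_LOG))
    for severity, e, reason in found:
        print(f'{severity:6} {e.name}={e.value}  ({reason})')
    print(build_cfscript(found))
```

Run against the sample, the AppInit_DLLs entry comes out as the only high finding and the drafted Registry:: block matches the one jabuck wrote by hand. The two firewall findings are deliberately not scripted: on this machine ZoneAlarm is the registered firewall, so EnableFirewall=0 and DisableMonitoring=1 are what a working third-party firewall looks like, and clearing them blindly would leave the box with no firewall at all.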

Response Number 8
Name: liitro
Date: August 19, 2008 at 02:03:21 Pacific
Reply: ComboFix 08-08-17.03 - Kige 2008-08-19 11:56:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.710 [GMT 3:00]
Running from: C:\Documents and Settings\Kige\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kige\Työpöytä\CFScript.txt
* Created a new restore point

FILE ::
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ypcfwhyc.ini
D:\Autorun.inf
.
(((((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp
C:\Temp\epr1\K19i.log
C:\WINDOWS\system32\kBin19
C:\WINDOWS\system32\kBin19\kBin191065.exe
.
((((( Files created from 2008-07-19 to 2008-08-19 )))))))))))))))))
.
2008-08-18 11:18 . 2008-08-18 11:18 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 11:18 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 11:18 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 09:23 . 2008-08-18 09:23 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Application Data\Logitech
2008-08-17 20:45 . 2008-08-17 20:45 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Malwarebytes
2008-08-17 20:45 . 2008-08-17 20:45 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 00:38 . 2008-08-17 00:38 <KANSIO> d-------- C:\Program Files\War3Patcher
2008-08-17 00:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-16 13:28 . 2008-08-16 13:28 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\teamspeak2
2008-08-15 21:01 . 2008-08-15 21:01 <KANSIO> d-------- C:\Program Files\Mio Technology
2008-08-14 21:05 . 2008-08-14 21:05 <KANSIO> d-------- C:\games
2008-08-14 21:02 . 2008-08-14 21:08 <KANSIO> d-------- C:\Program Files\DOSBox-0.72
2008-08-11 21:15 . 2008-08-11 21:15 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\AdobeUM
2008-08-11 19:22 . 2007-04-11 01:23 37,768 -ra------ C:\WINDOWS\system32\drivers\OLD3A71.tmp
2008-08-11 19:22 . 2004-09-14 16:07 31,744 --a------ C:\WINDOWS\system32\drivers\wceusbsh.sys
2008-08-11 19:22 . 2004-09-14 16:07 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2008-08-11 12:03 . 2008-08-11 12:03 <KANSIO> d-------- C:\WINDOWS\Sun
2008-08-11 12:03 . 2008-08-11 12:03 <KANSIO> d-------- C:\WINDOWS\.jagex_cache_32
2008-08-11 12:03 . 2008-08-15 13:43 24 --a------ C:\Documents and Settings\Kige\jagex_runescape_preferences.dat
2008-08-09 12:39 . 2008-08-09 12:39 <KANSIO> d-------- C:\Program Files\Common Files\Adobe
2008-08-06 15:31 . 2008-08-06 15:31 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\InterVideo
2008-08-06 15:00 . 2008-08-08 18:09 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-08-06 15:00 . 2008-08-06 15:00 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-08-06 15:00 . 2008-08-08 18:09 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-06 14:29 . 2008-08-06 14:29 <KANSIO> d-------- C:\Program Files\America's Army Server Manager
2008-08-06 14:28 . 2008-08-06 15:12 <KANSIO> d-------- C:\Program Files\America's Army
2008-08-03 20:34 . 2008-08-19 03:15 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\OpenOffice.org2
2008-08-02 19:58 . 2008-08-16 23:47 <KANSIO> d-------- C:\Program Files\EurobetPoker
2008-08-01 21:59 . 2008-08-01 21:59 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-01 19:52 . 2008-08-06 13:05 <KANSIO> d-------- C:\COSMO
2008-08-01 04:33 . 2008-08-01 04:33 <KANSIO> d-------- C:\Program Files\MSXML 4.0
2008-07-31 23:32 . 2008-08-19 12:00 246 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-07-31 23:31 . 2008-07-31 13:42 <KANSIO> d-------- C:\WINDOWS\I386
2008-07-31 23:27 . 2008-08-18 11:18 <KANSIO> dr------- C:\Program Files
2008-07-31 23:27 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\Default User\Käynnistä-valikko
2008-07-31 23:27 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\All Users\Tiedostot
2008-07-31 23:27 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\All Users\Käynnistä-valikko
2008-07-31 23:26 . 2008-08-15 21:04 <KANSIO> dr-hs---- C:\WINDOWS\system32\dllcache
2008-07-31 23:26 . 2008-07-31 23:30 <KANSIO> dr------- C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko
2008-07-31 23:24 . 2008-06-14 20:59 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-31 23:24 . 2008-06-14 20:59 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-31 22:22 . 2005-02-25 06:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-31 22:19 . 2008-07-31 22:19 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Media Player Classic
2008-07-31 22:19 . 2008-07-31 22:19 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\DivX
2008-07-31 18:41 . 2008-08-01 00:22 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Ventrilo
2008-07-31 18:15 . 2008-07-31 18:15 <KANSIO> d-------- C:\Logs
2008-07-31 18:01 . 2008-08-06 15:00 <KANSIO> d-------- C:\WINDOWS\system32\LogFiles
2008-07-31 17:34 . 2008-08-02 19:32 <KANSIO> d-------- C:\Program Files\World of Warcraft
2008-07-31 17:34 . 2008-07-31 17:48 <KANSIO> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-31 16:45 . 2008-07-31 16:45 <KANSIO> d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-31 16:43 . 2008-08-18 17:10 <KANSIO> d-------- C:\Program Files\mIRC
2008-07-31 16:43 . 2008-08-19 00:55 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\NoNameScript
2008-07-31 16:43 . 2008-07-31 16:43 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\mIRC
2008-07-31 16:40 . 2008-07-31 16:40 <KANSIO> d-------- C:\Program Files\Combined Community Codec Pack
2008-07-31 16:38 . 2008-07-31 16:38 <KANSIO> d-------- C:\Program Files\VentriloMIX
2008-07-31 16:38 . 2008-07-31 16:38 <KANSIO> d-------- C:\Program Files\DivX
2008-07-31 16:38 . 2008-06-11 03:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-31 16:38 . 2008-06-11 03:07 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-31 16:38 . 2008-06-11 03:07 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-31 16:35 . 2008-07-31 16:35 <KANSIO> d-------- C:\Program Files\QuickSFV
2008-07-31 16:28 . 2008-07-31 16:29 <KANSIO> d-------- C:\Program Files\Winamp
2008-07-31 16:28 . 2008-08-01 23:39 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Winamp
2008-07-31 16:24 . 2008-08-19 12:00 <KANSIO> d-------- C:\Program Files\FlashGet
2008-07-31 16:24 . 2004-09-15 05:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg
2008-07-31 16:17 . 2008-07-31 16:17 <KANSIO> d-------- C:\Program Files\DAEMON Tools Lite
2008-07-31 16:13 . 2008-07-31 16:13 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\DAEMON Tools
2008-07-31 16:13 . 2008-07-31 16:13 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-31 14:35 . 2004-09-14 16:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-31 14:35 . 2004-09-14 16:07 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-31 14:35 . 2001-10-05 15:59 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-31 14:34 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-31 14:34 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-31 14:16 . 2008-07-31 14:24 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-07-31 14:16 . 2008-08-17 00:43 120,367 --a------ C:\WINDOWS\War3Unin.dat
2008-07-31 14:16 . 2008-07-31 14:24 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-31 14:13 . 2008-08-17 23:17 <KANSIO> d-------- C:\Program Files\Warcraft III
2008-07-31 14:07 . 2008-07-31 14:09 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-31 14:06 . 2008-07-31 14:06 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\MailFrontier
2008-07-31 14:04 . 2008-08-19 12:00 3,487,776 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-31 14:04 . 2008-08-19 11:58 42,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-31 14:00 . 2008-07-31 14:00 <KANSIO> d-------- C:\Program Files\Zone Labs
2008-07-31 14:00 . 2008-07-31 16:19 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-31 13:58 . 2008-08-06 03:15 <KANSIO> d-------- C:\WINDOWS\Internet Logs
2008-07-31 13:57 . 2008-07-31 13:57 <KANSIO> d-------- C:\Program Files\Alwil Software
2008-07-31 13:53 . 2008-07-31 13:53 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Logitech
2008-07-31 13:53 . 2008-07-31 13:53 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-07-31 13:52 . 2008-07-31 13:52 <KANSIO> d-------- C:\Program Files\Logitech
2008-07-31 13:52 . 2008-07-31 13:52 <KANSIO> d-------- C:\Program Files\Common Files\Logishrd
2008-07-31 13:52 . 2008-07-31 13:52 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\InstallShield
2008-07-31 13:52 . 2008-07-31 13:52 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-31 13:52 . 2008-05-02 02:38 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-07-31 13:52 . 2008-05-02 02:39 170,512 --a------ C:\WINDOWS\system32\kemutb.dll
2008-07-31 13:52 . 2008-05-02 02:39 145,936 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-07-31 13:52 . 2008-05-02 02:40 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-07-31 13:52 . 2008-05-02 02:40 84,496 --a------ C:\WINDOWS\system32\KemXML.dll
2008-07-31 13:50 . 2008-07-31 13:50 <KANSIO> d-------- C:\WINDOWS\Logs
2008-07-31 13:46 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-31 13:46 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-31 13:45 . 2008-07-31 13:45 <KANSIO> d-------- C:\NVIDIA
2008-07-31 13:44 . 2008-07-31 13:44 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-31 13:42 . 2005-01-01 16:42 <KANSIO> d-------- C:\Documents and Settings\Kige\WINDOWS
2008-07-31 13:42 . 2004-12-14 20:30 <KANSIO> d--h----- C:\Documents and Settings\Kige\Verkkoympäristö
2008-07-31 13:42 . 2008-08-19 11:56 <KANSIO> d-------- C:\Documents and Settings\Kige\Työpöytä
2008-07-31 13:42 . 2004-12-14 20:30 <KANSIO> d--h----- C:\Documents and Settings\Kige\Tulostinympäristö
2008-07-31 13:42 . 2008-07-31 13:42 <KANSIO> dr------- C:\Documents and Settings\Kige\Suosikit
2008-07-31 13:42 . 2008-08-09 12:39 <KANSIO> dr------- C:\Documents and Settings\Kige\Omat tiedostot
2008-07-31 13:42 . 2008-07-31 23:31 <KANSIO> d--h----- C:\Documents and Settings\Kige\Mallit
2008-07-31 13:42 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\Kige\Käynnistä-valikko
2008-07-31 13:42 . 2008-08-06 03:10 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Symantec
2008-07-31 13:42 . 2005-01-01 16:51 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\SampleView
2008-07-31 13:42 . 2005-01-01 16:42 <KANSIO> d-------- C:\Documents and Settings\Kige\Application Data\Apple Computer
2008-07-31 13:42 . 2008-08-18 09:24 <KANSIO> d-------- C:\Documents and Settings\Kige
2008-07-31 13:39 . 2005-01-01 16:42 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\WINDOWS
2008-07-31 13:39 . 2004-12-14 20:30 <KANSIO> d--h----- C:\Documents and Settings\HP_Omistaja\Verkkoympäristö
2008-07-31 13:39 . 2008-07-31 13:40 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Työpöytä
2008-07-31 13:39 . 2004-12-14 20:30 <KANSIO> d--h----- C:\Documents and Settings\HP_Omistaja\Tulostinympäristö
2008-07-31 13:39 . 2008-07-31 13:40 <KANSIO> dr------- C:\Documents and Settings\HP_Omistaja\Suosikit
2008-07-31 13:39 . 2008-07-31 13:40 <KANSIO> dr------- C:\Documents and Settings\HP_Omistaja\Omat tiedostot
2008-07-31 13:39 . 2008-07-31 23:31 <KANSIO> d--h----- C:\Documents and Settings\HP_Omistaja\Mallit
2008-07-31 13:39 . 2008-07-31 23:30 <KANSIO> dr------- C:\Documents and Settings\HP_Omistaja\Käynnistä-valikko
2008-07-31 13:39 . 2005-01-01 16:58 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Application Data\Symantec
2008-07-31 13:39 . 2005-01-01 16:51 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Application Data\SampleView
2008-07-31 13:39 . 2005-01-01 16:42 <KANSIO> d-------- C:\Documents and Settings\HP_Omistaja\Application Data\Apple Computer
2008-07-31 13:39 . 2004-09-15 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-31 13:39 . 2008-07-31 13:39 1,825 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_PX588AA-ABX w5080.fi_YC_0Pavi_QCZB520_E52FIheBLF2_47_IAHI2_S_V_B3.12_T050411_WXH2_L40B_M1023_J200_7AMD_8Athlon 64_91.99_#070610_N10EC8139_Z11C1048C_G10DE00C1_OHP DVD Writer 640b;ASUS DVD-E616P3H.MRK
.
(((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 09:25 --------- d-----w C:\Program Files\Symantec
2008-08-18 08:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-18 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 21:38 --------- d-----w C:\Program Files\War3Patcher
2008-08-16 21:37 --------- d-----w C:\Program Files\Java
2008-08-15 18:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 13:38 --------- d-----w C:\Program Files\VentriloMIX
2008-07-09 06:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((( snapshot@2008-08-18_11.22.12.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-18 08:19:55 53,572 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-18 09:31:21 53,572 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-18 08:19:55 65,898 ----a-w C:\WINDOWS\system32\perfc00B.dat
+ 2008-08-18 09:31:21 65,898 ----a-w C:\WINDOWS\system32\perfc00B.dat
- 2008-08-18 08:19:55 381,828 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-18 09:31:21 381,828 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-08-18 08:19:56 356,362 ----a-w C:\WINDOWS\system32\perfh00B.dat
+ 2008-08-18 09:31:21 356,362 ----a-w C:\WINDOWS\system32\perfh00B.dat
+ 2008-08-19 08:59:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_638.dat
.
(((((((((((((((((((((((((((((( Registry startup points )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty values and legitimate default values are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-21 11:30 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 22:34 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 22:29 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-26 00:17 90112]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Flashget"="C:\PROGRA~1\FlashGet\FlashGet.exe" [2007-09-25 11:10 2007088]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 23:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 76304 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kige^Käynnistä-valikko^Ohjelmat^Käynnistys^OpenOffice.org 2.4.lnk]
path=C:\Documents and Settings\Kige\Käynnistä-valikko\Ohjelmat\Käynnistys\OpenOffice.org 2.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-10-14 00:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-15 00:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 17:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 17:37]
R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 21:54]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 12:00:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-08-19 12:02:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-19 09:02:07
ComboFix2.txt 2008-08-18 08:22:27

Pre-Run: 150,768,390,144 bytes free
Post-Run: 150,757,175,296 bytes free

261 --- E O F --- 2008-08-15 00:00:53

Response Number 9
Name: jabuck
Date: August 19, 2008 at 14:46:15 Pacific
Reply: Looks better. I don't know the Finnish language so I don't understand some of the folder names.

Navigate to and delete this file if found: ALCXMNTR.EXE

Run an online scan with Kaspersky from the following link: Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files. Once the files are downloaded, click on Next.
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database: Extended
Scan Options: Scan Archives, Scan Mail Base
Click OK and, under "Select a target to scan", select My Computer.
When the scan is done, in the "Scan is completed" window (below), any infection is displayed. There is no option to clean/disinfect; however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save As prompt, "Save in" area, select: Desktop
In the "File name" area, use KScan, or something similar
In "Save as type", click the drop arrow and select: Text file [*.txt]
Then click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Please post a new HijackThis log.