Viruses ddcyx.dll, pos.tmp, nnnlmlk
Original Message
Name: wille
Date: December 25, 2007 at 08:52:49 Pacific
Subject: Viruses ddcyx.dll, pos.tmp, nnnlmlk
OS: WINDOWS XP Home Edition
CPU/Ram: 3.2 GHz
Model/Manufacturer: Dunow
Comment: Hi, I have a couple of viruses as noticed in the headline. They are first nnnlmlk.dll, ddcyx.dll and ghwohquen.dll, all found in the C:\WINDOWS\system32\ folder. But I also have another virus that's pretty annoying: it makes these files in the C:\ and My Documents folders. There are like thousands of them, and they're all called pos.tmp and then some numbers and letters like this: pos1.tmp pos2.tmp pos3.tmp ... pos9.tmp pos1a.tmp and so on! Now I think I have about 30 000 of them. Some of them I can delete to the recycle bin and some of them it says they're being used by some process, and I have no idea which one. ddcyx.dll was found by NoAdware5.0. nnnlmlk.dll and ghwohquen.dll were found by Adware Away. I have deleted them with those programs like a million times; NoAdware says it removes it but it keeps finding it, Adware Away says it finds them but can't remove them, and all of those are also used by some process(es). I have read some of the posts about these but without luck understanding any of it. Please email me if there is any more information that can be of use: wille_25@hotmail.com Please help, I don't want to reinstall Windows again. Please excuse the bad English. //Thanks in advance
Live The Life As You Know It
Response Number 1
Name: jabuck
Date: December 25, 2007 at 09:58:47 Pacific
Reply: Please download and install the latest version of HijackThis v2.0.2. Download the "HijackThis" installer from this link: Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Response Number 2
Name: wille
Date: December 25, 2007 at 10:13:30 Pacific
Reply: Here is the scan log as requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:12:26, on 2007-12-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Avast\aswUpdSv.exe
C:\Program\Avast\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\windows
C:\Program\Bluetooth\Bluetooth-programvara\bin\btwdins.exe
C:\WINDOWS\explorer.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\itunes\iTunes.exe
C:\Program\BitLord\BitLord.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\William Lind\Application Data\U3\00001675C670C1F5\LaunchPad.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\NoAdware5.0\NoAdware5.exe
C:\Documents and Settings\William Lind\Skrivbord\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: 64.92.172.26 nprotect.ryl.com.my #RYL
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O4 - HKLM\..\Run: [avast!] C:\Program\Avast\ashDisp.exe
O4 - HKLM\..\RunServices: [WinxWifi32] WinxWifi.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CFi ShellToys Utility Manager] "C:\Program\CFi\ShellToys\CFiShlMan.exe" -start
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1409082233-57989841-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\Bluetooth\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\Bluetooth\Bluetooth-programvara\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\Bluetooth\Bluetooth-programvara\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Avast\ashServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\Bluetooth\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\mwwycceu.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 6696 bytes
Live The Life As You Know It
Response Number 3
Name: jabuck
Date: December 25, 2007 at 11:15:11 Pacific
Reply: Go to start > control panel > administrative tools > services > scroll down to "DomainService" and double click it. Click the blue drop down arrow to the far right of "startup type" > click disable > apply > ok. Exit administrative tools.
Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\RunServices: [WinxWifi32] WinxWifi.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
Exit Hijack This.
Please download ComboFix to the desktop from this link: ComboFix
Double-click combofix.exe. Follow the prompts. (Don't click on the window while the program is running, it may cause your system to hang.) Please post the log it produces.
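The picks in the reply above (a non-URL Local Page, a RunServices entry with no path, a mywebsearch context-menu item, and the ownerless DomainService) follow from a few readable rules over the log posted in Response 2. The Python below is an added example, not from the thread or from HijackThis, that applies those rules to HijackThis v2 lines; the sample lines are constructed from this thread, and ADWARE_DOMAINS and the rule thresholds are my assumptions. Anything it flags is a review queue for a helper, not a removal list.

```python
"""Triage of HijackThis v2 log entries (added example, not from the thread)."""
import re

# Constructed sample: entries in the format of the logs posted in this thread,
# plus benign lines (avast!, the 127.x hosts entries) that must not fire.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 64.92.172.26 nprotect.ryl.com.my #RYL
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O4 - HKLM\..\Run: [avast!] C:\Program\Avast\ashDisp.exe
O4 - HKLM\..\RunServices: [WinxWifi32] WinxWifi.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
O20 - Winlogon Notify: ghwohqen - C:\WINDOWS\
O23 - Service: DomainService - - C:\WINDOWS\system32\mwwycceu.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Avast\ashServ.exe
"""

# Assumed blocklist: the one domain the helper in this thread treated as adware.
ADWARE_DOMAINS = ("mywebsearch.com",)

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"Service:\s*(?P<name>.*?)\s+-\s*(?P<owner>.*?)\s*-\s+(?P<image>.*)$")


def check_page(body):
    """R0/R1: a start/search/local page whose value is not a URL (e.g. '\\blank.htm')."""
    key, sep, value = body.partition(" = ")
    if not sep or "Page" not in key:
        return None
    value = value.strip()
    if re.match(r"^(?:[a-z][a-z0-9+.-]*://|about:)", value, re.I):
        return None
    return f"{key.rsplit(',', 1)[-1]} is set to a non-URL value {value!r}"


def check_hosts(body):
    """O1: a hosts entry that redirects a name rather than blocking it."""
    fields = body.split(":", 1)[1].split()
    if len(fields) < 2:
        return None
    ip, host = fields[0], fields[1]
    if ip.startswith("127.") or ip == "0.0.0.0":
        return None  # loopback/null entries only block a name; typical for blocklists
    return f"hosts file sends {host} to {ip} instead of DNS"


def check_o4(body):
    """O4: an autostart command given as a bare file name, resolved via the search path."""
    key, _, value = body.partition(": ")
    m = O4_RE.match(value)
    if not m:
        return None
    cmd = m.group("cmd").strip().strip('"')
    if "\\" in cmd:
        return None
    return f"autostart '{m.group('name')}' under {key} runs bare file name {cmd!r}"


def check_o8(body):
    """O8: an IE context-menu item that points at a listed adware domain."""
    target = body.rsplit(" - ", 1)[-1].lower()
    hits = [d for d in ADWARE_DOMAINS if d in target]
    return f"context-menu item points at {hits[0]}" if hits else None


def check_o20(body):
    """O20: Winlogon Notify packages are loaded into winlogon.exe; always review."""
    return "Winlogon Notify package " + body.split(":", 1)[1].strip()


def check_o23(body):
    """O23: service with an empty owner, or an unknown owner running from system32."""
    m = O23_RE.match(body)
    if not m:
        return None
    name, owner, image = (m.group(g).strip() for g in ("name", "owner", "image"))
    if owner == "":
        return f"service {name!r} has no owner and runs {image}"
    if owner == "Unknown owner" and "\\system32\\" in image.lower():
        # Legitimate drivers match too (ATI Smart in this thread), hence review, not removal.
        return f"service {name!r} has unknown owner and runs from system32: {image}"
    return None


CHECKS = {"R0": check_page, "R1": check_page, "O1": check_hosts, "O4": check_o4,
          "O8": check_o8, "O20": check_o20, "O23": check_o23}


def triage(log_text):
    """Return (kind, reason, original line) for every entry a check flags."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines carry no entry code
        check = CHECKS.get(m.group("kind"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append((m.group("kind"), reason, line.strip()))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```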
Response Number 4
Name: wille
Date: December 25, 2007 at 11:59:10 Pacific
Reply: ComboFix 07-12-25.4 - William Lind 2007-12-25 20:36:40.1 - NTFSx86
Running from: C:\Documents and Settings\William Lind\Skrivbord\ComboFix.exe
.
The following files were disabled during the run:
C:\Program\NoAdware5.0\nutils.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\LocalService.NT INSTANS\Application Data\NetMon
C:\Documents and Settings\LocalService.NT INSTANS\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT INSTANS\Application Data\NetMon\log.txt
C:\Documents and Settings\William Lind\Application Data\SpyGuardPro
C:\Documents and Settings\William Lind\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\William Lind\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\William Lind\Application Data\STEM~1
C:\Program\Delade filer\{6C137~1
C:\Program\internet explorer\msimg32.dll
C:\Program\MyWebSearch
C:\Program\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program\MyWebSearch\bar\1.bin\M3HTML.oca
C:\Program\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program\MyWebSearch\bar\1.bin\M3MSG.oca
C:\Program\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program\MyWebSearch\bar\Cache\001408D8.bin
C:\Program\MyWebSearch\bar\Cache\00140BD6.bin
C:\Program\MyWebSearch\bar\Cache\00141878.bin
C:\Program\MyWebSearch\bar\Cache\001419FF.bin
C:\Program\MyWebSearch\bar\Cache\0014279B.bin
C:\Program\MyWebSearch\bar\Cache\003FFEDF
C:\Program\MyWebSearch\bar\Cache\00400141.bin
C:\Program\MyWebSearch\bar\Cache\00400373.bin
C:\Program\MyWebSearch\bar\Cache\00400509.bin
C:\Program\MyWebSearch\bar\Cache\0046B05F.bin
C:\Program\MyWebSearch\bar\Cache\files.ini
C:\Program\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program\MyWebSearch\bar\Game\CHESS.F3S
C:\Program\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program\MyWebSearch\bar\History\search2
C:\Program\MyWebSearch\bar\icons\CM.ICO
C:\Program\MyWebSearch\bar\icons\MFC.ICO
C:\Program\MyWebSearch\bar\icons\PSS.ICO
C:\Program\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program\MyWebSearch\bar\icons\WB.ICO
C:\Program\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program\MyWebSearch\bar\Message\COMMON.F3S
C:\Program\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program\MyWebSearch\bar\Settings\s_pid.dat
C:\Program\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\SpyGuardPro
C:\WINDOWS\adaway.lic
C:\WINDOWS\appatc~1
C:\WINDOWS\b111.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\crosof~1.net
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\sstem~1
C:\WINDOWS\stem~1
C:\WINDOWS\system32\components
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fccddax.dll
C:\WINDOWS\system32\geyymozl.dllbox
C:\WINDOWS\system32\ghwohqen.dllbox
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\ineWc01\ineWc011065.exe
C:\WINDOWS\system32\lqeejemy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mwwycceu.exe
C:\WINDOWS\system32\nnnlmlk.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\racle~2
C:\WINDOWS\system32\ref1
C:\WINDOWS\system32\ref1\kolcidr311.exe
C:\WINDOWS\system32\rqhwfahd.dllbox
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wnsapiisv32.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymejeeql.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_WINCOM32
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))
.
2007-12-25 20:53 . 2007-12-25 20:53 14,033 --a------ C:\posEE.tmp
2007-12-25 20:52 . 2007-12-25 20:53 18,996 ---hs---- C:\WINDOWS\system32\ghwohqen.dllbox
2007-12-25 20:27 . 2007-12-25 20:28 14,033 --a------ C:\pos6FAD.tmp
2007-12-25 19:27 . 2007-12-25 19:27 14,033 --a------ C:\pos6C2A.tmp
2007-12-25 19:26 . 2007-12-25 19:27 13,033 --a------ C:\pos6A50.tmp
2007-12-25 19:26 . 2007-12-25 19:26 13,033 --a------ C:\pos6A4D.tmp
2007-12-25 19:26 . 2007-12-25 19:27 10,033 --a------ C:\pos6A53.tmp
2007-12-25 19:26 . 2007-12-25 19:27 10,033 --a------ C:\pos6A4F.tmp
2007-12-25 19:26 . 2007-12-25 19:26 9,033 --a------ C:\pos6A4C.tmp
2007-12-25 19:26 . 2007-12-25 19:26 9,033 --a------ C:\pos6A49.tmp
2007-12-25 19:26 . 2007-12-25 19:27 8,033 --a------ C:\pos6A52.tmp
2007-12-25 19:26 . 2007-12-25 19:27 8,033 --a------ C:\pos6A51.tmp
2007-12-25 19:26 . 2007-12-25 19:26 7,033 --a------ C:\pos6A4B.tmp
2007-12-25 19:26 . 2007-12-25 19:26 5,033 --a------ C:\pos6A4E.tmp
2007-12-25 14:05 . 2007-12-25 14:05 <KAT> d-------- C:\Program\NeroInstall.bak
2007-12-24 23:26 . 2007-12-24 23:26 <KAT> d-------- C:\Program\CDX
2007-12-24 22:43 . 2007-12-24 22:43 <KAT> d-------- C:\Program\Microsoft DirectX SDK (April 2007)
2007-12-24 20:15 . 2007-12-24 20:23 <KAT> d-------- C:\Program\Docendo
2007-12-24 18:50 . 2007-12-25 19:36 <KAT> d-------- C:\Documents and Settings\William Lind\Application Data\U3
2007-12-23 19:03 . 2007-12-23 19:12 54 --a------ C:\WINDOWS\KA.INI
2007-12-22 22:30 . 2007-07-06 00:45 158,208 --a------ C:\WINDOWS\system32\cscompui.dll
2007-12-22 22:25 . 2007-07-06 12:09 1,554,768 --a------ C:\WINDOWS\system32\csc.exe
2007-12-22 19:09 . 2007-12-22 19:09 <KAT> d-------- C:\WINDOWS\symbols
2007-12-22 19:09 . 2007-12-22 19:09 <KAT> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PreEmptive Solutions
2007-12-22 19:05 . 2007-12-22 19:05 <KAT> d-------- C:\WCU
2007-12-22 19:05 . 2007-12-22 19:05 <KAT> d-------- C:\Program\Microsoft.NET
2007-12-22 19:05 . 2007-12-22 19:12 <KAT> d-------- C:\Program\HTML Help Workshop
2007-12-22 19:05 . 2007-12-22 19:14 <KAT> d-------- C:\Program\Delade filer\Merge Modules
2007-12-22 18:20 . 2007-12-22 18:20 45 --a------ C:\WINDOWS\AFX.INI
2007-12-22 17:18 . 2007-07-27 23:57 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-22 17:18 . 2007-07-27 23:58 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-22 17:17 . 2007-12-22 17:49 <KAT> d-------- C:\Program\Avast
2007-12-22 17:17 . 2007-07-28 00:07 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-22 17:17 . 2004-01-09 11:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-22 17:17 . 2007-07-28 00:02 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-22 17:17 . 2007-07-28 00:02 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-22 09:57 . 2007-12-25 17:39 <KAT> d-------- C:\Program\Adware Away
2007-12-21 23:19 . 2007-12-21 23:19 <KAT> dr------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
2007-12-21 23:15 . 2007-12-21 23:15 <KAT> d-------- C:\Program\PasswordService (DEMO)
2007-12-21 23:15 . 2007-12-21 23:15 <KAT> d-------- C:\Program\Passware
2007-12-21 23:15 . 2007-12-22 20:46 <KAT> d-------- C:\Program\Microsoft Visual Studio 9.0
2007-12-21 23:15 . 2007-12-21 23:15 <KAT> d-------- C:\Program\CFi
2007-12-21 17:56 . 2007-12-25 14:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 17:56 . 2007-12-22 10:23 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-21 16:47 . 2007-12-25 20:52 <KAT> d-------- C:\Program\NoAdware5.0
2007-12-20 11:36 . 2005-07-28 16:06 274,424 --a------ C:\WINDOWS\us2.exe
2007-12-20 11:36 . 2005-03-16 16:04 56,320 --a------ C:\WINDOWS\pkill.exe
2007-12-20 10:04 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-19 18:49 . 2007-12-19 18:49 165,472 --a------ C:\WINDOWS\system32\ghwohqen.dll
2007-12-19 18:49 . 2007-12-19 18:49 165,472 --a------ C:\WINDOWS\system32\akwogvbc.dll
2007-12-19 18:39 . 2007-12-19 18:42 14,033 --a------ C:\pos64.tmp
2007-12-19 18:39 . 2007-12-19 18:39 7,033 --a------ C:\pos67.tmp
2007-12-16 22:44 . 2007-12-21 12:47 <KAT> d-------- C:\Program\Pcsx
2007-12-16 21:26 . 2007-12-21 12:47 <KAT> d-------- C:\Program\Pcsx2_0.9.4
2007-12-16 15:22 . 2007-12-21 12:47 <KAT> d-------- C:\Program\Project64 1.6
2007-12-16 14:43 . 2007-12-16 14:43 <KAT> d-------- C:\WINDOWS\system32\twdr
2007-12-16 14:43 . 2007-12-16 14:43 <KAT> d-------- C:\WINDOWS\system32\rey2
2007-12-16 14:43 . 2007-12-16 14:43 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-12-10 20:04 . 2007-12-10 20:04 <KAT> d-------- C:\Program\eRightSoft
2007-12-10 20:04 . 2006-09-12 11:46 227,328 -r-hs---- C:\WINDOWS\system32\ac3DX.ax
2007-12-10 20:04 . 2006-03-10 21:48 169,472 -r-hs---- C:\WINDOWS\system32\MatroskaDX.ax
2007-12-10 20:04 . 2006-05-03 10:06 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-12-10 20:04 . 2005-11-25 20:46 161,792 -r-hs---- C:\WINDOWS\system32\RealMediaDX.ax
2007-12-10 20:04 . 2006-01-12 23:23 123,904 -r-hs---- C:\WINDOWS\system32\AVCDX.ax
2007-12-10 20:04 . 2003-11-20 23:00 54,784 -r-hs---- C:\WINDOWS\system32\RLAPEDec.ax
2007-12-10 20:04 . 2004-04-26 23:00 37,888 -r-hs---- C:\WINDOWS\system32\RLMPCDec.ax
2007-12-10 20:04 . 2007-02-21 11:47 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-12-10 20:04 . 2007-07-03 06:59 9,292 ---h----- C:\WINDOWS\super.chm
2007-12-09 14:19 . 2007-12-09 14:19 348,160 --a------ C:\WINDOWS\system32\FM20.oca
2007-12-08 16:31 . 2007-12-08 16:31 175,616 --a------ C:\WINDOWS\system32\wmp.oca
2007-12-08 16:30 . 2007-12-08 16:30 63,488 --a------ C:\WINDOWS\system32\MCI32.oca
2007-12-08 16:30 . 2007-12-08 16:30 60,928 --a------ C:\WINDOWS\system32\ieframe.oca
2007-12-08 16:29 . 2007-12-08 16:29 1,397,248 --a------ C:\WINDOWS\system32\mshtml.oca
2007-12-08 10:51 . 2007-12-08 10:53 <KAT> d--hsc--- C:\Program\Delade filer\WindowsLiveInstaller
2007-12-08 10:51 . 2007-12-18 17:58 <KAT> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2007-12-07 19:06 . 2007-12-07 19:10 83 --a------ C:\WINDOWS\FinalAlert2.ini
2007-12-04 21:20 . 2007-12-25 16:02 <KAT> d-------- C:\Program\Counter-Strike 1.6
2007-11-28 17:31 . 2007-11-28 17:31 41,152 --a------ C:\WINDOWS\system32\keygen.exe
2007-11-26 17:50 . 2003-04-18 18:06 5,120 --a------ C:\WINDOWS\system32\sleep.exe
2007-11-25 14:58 . 2007-11-28 17:30 <KAT> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 14:52 --------- d-----w C:\Program\Delade filer\Adobe
2007-12-22 19:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-12-22 12:01 --------- d-----w C:\Program\Accent EXCEL Password Recovery
2007-12-21 22:18 --------- d-----w C:\Program\MagicISO
2007-12-21 11:44 --------- d-----w C:\Documents and Settings\William Lind\Application Data\dvdcss
2007-12-15 17:37 --------- d-----w C:\Program\QuickTime
2007-12-14 14:30 --------- d-----w C:\Program\Paint.NET
2007-12-11 14:11 --------- d-----w C:\Program\ATI
2007-12-07 14:05 --------- d-----w C:\Program\Support Tools
2007-12-04 20:13 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2007-11-30 15:57 --------- d--h--w C:\Program\InstallShield Installation Information
2007-11-27 18:01 --------- d-----w C:\Documents and Settings\William Lind\Application Data\LimeWire
2007-11-26 16:55 --------- d-----w C:\Program\Intelore
2007-11-22 21:56 --------- d-----w C:\Documents and Settings\William Lind\Application Data\Intelore
2007-11-17 13:59 --------- d-----w C:\Program\Windows Journal Viewer
2007-11-11 16:45 --------- d-----w C:\Program\Java
2007-11-06 19:23 --------- d-----r C:\Program\MSN Messenger
2007-11-06 18:47 --------- d-----w C:\Program\VisualBasic6.0
2007-11-03 19:19 --------- d-----w C:\Documents and Settings\William Lind\Application Data\Command & Conquer 3 Tiberium Wars
2007-11-03 19:08 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-29 17:56 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll
2007-10-29 17:56 --------- d--h--r C:\Documents and Settings\William Lind\Application Data\SecuROM
2007-10-29 17:41 --------- d-----w C:\Program\EA games
2007-10-05 12:19 86,016 ----a-w C:\WINDOWS\system32\Dversion.dll
2007-10-05 12:19 5,120 ----a-w C:\WINDOWS\system32\Fsinst16.DLL
2007-10-05 12:19 45,056 ----a-w C:\WINDOWS\system32\Fsinst32.dll
2007-10-05 12:19 126,976 ----a-w C:\WINDOWS\system32\DVC.dll
2007-09-27 19:07 445,440 --sh--w C:\WINDOWS\system32\msdp.dll
2007-09-20 16:56 67,424 ----a-w C:\Documents and Settings\William Lind\Application Data\GDIPFONTCACHEV1.DAT
2006-12-14 18:38 76 --sha-w C:\Program\Delade filer\Desktop.ini
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2005-05-13 16:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-07-14 11:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 14:32 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
2007-06-10 12:09 907,432 --sha-w C:\WINDOWS\system32\edeeg.bak1
2007-06-11 14:58 907,525 --sha-w C:\WINDOWS\system32\edeeg.bak2
2007-06-11 15:45 800 --sha-w C:\WINDOWS\system32\edeeg.ini2
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-06-10 08:58 907,236 --sha-w C:\WINDOWS\system32\kjkkj.bak1
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 12:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EC5420F-70B9-443F-9996-F2E3DD8C55D8}]
C:\WINDOWS\system32\ddabx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EFD22F2-1811-4D24-8FDF-45C7C40200E4}]
C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-12-19 18:49 165472 --a------ C:\WINDOWS\system32\ghwohqen.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"CFi ShellToys Utility Manager"="C:\Program\CFi\ShellToys\CFiShlMan.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\Program\Avast\ashDisp.exe" [2007-07-28 00:03]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]
"MSMSGS"="C:\Program\Messenger\msmsgs.exe" [2004-10-13 17:24]

C:\Documents and Settings\All Users.WINDOWS\Start-meny\Program\Autostart\
BTTray.lnk - C:\Program\Bluetooth\Bluetooth-programvara\BTTray.exe [2005-09-19 15:02:54]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ghwohqen]
ghwohqen.dll 2007-12-19 18:49 165472 C:\WINDOWS\system32\ghwohqen.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 17:35:34 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program\RegistrySmart\RegistrySmart.exe
- C:\Program\RegistrySmart
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 20:53:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\WILLIA~1\LOKALA~1\Temp\mc26A25.tmp"
--
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ghwohqen.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\ghwohqen.dll
.
Completion time: 2007-12-25 20:56:33 - machine was rebooted
.
2007-06-22 09:09:06 --- E O F ---
Live The Life As You Know It
Response Number 5
Name: jabuck
Date: December 25, 2007 at 14:39:26 Pacific
Reply: Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\posEE.tmp
C:\WINDOWS\system32\ghwohqen.dllbox
C:\pos6FAD.tmp
C:\pos6C2A.tmp
C:\pos6A50.tmp
C:\pos6A4D.tmp
C:\pos6A53.tmp
C:\pos6A4F.tmp
C:\pos6A4C.tmp
C:\pos6A49.tmp
C:\pos6A52.tmp
C:\pos6A51.tmp
C:\pos6A4B.tmp
C:\pos6A4E.tmp
C:\WINDOWS\us2.exe
C:\Windows\pkill.exe
C:\WINDOWS\system32\ghwohqen.dll
C:\WINDOWS\system32\akwogvbc.dll
C:\pos64.tmp
C:\pos67.tmp
C:\WINDOWS\system32\keygen.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\geede.dll

Driver::
ghwohqen

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EC5420F-70B9-443F-9996-F2E3DD8C55D8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EFD22F2-1811-4D24-8FDF-45C7C40200E4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ghwohqen]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start click "run".
Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.
Download ATF Cleaner from this link: ATF Cleaner
Run ATF-Cleaner: double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button.
Post a new Hijack This log and a new Combofix log please.
Response Number 6
Name: wille
Date: December 26, 2007 at 04:22:33 Pacific
Reply: (edit) Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21:08, on 2007-12-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Avast\aswUpdSv.exe
C:\Program\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Bluetooth\Bluetooth-programvara\bin\btwdins.exe
C:\Program\Avast\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Bluetooth\Bluetooth-programvara\BTTray.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\BLUETO~1\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\William Lind\Skrivbord\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\Program\Avast\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CFi ShellToys Utility Manager] "C:\Program\CFi\ShellToys\CFiShlMan.exe" -start
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1409082233-57989841-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\Bluetooth\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\Bluetooth\Bluetooth-programvara\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\Bluetooth\Bluetooth-programvara\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O20 - Winlogon Notify: ghwohqen - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Avast\ashServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\Bluetooth\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 6233 bytes

ComboFix Log:
ComboFix 07-12-25.4 - William Lind 2007-12-26 13:02:45.2 - NTFSx86
Running from: C:\Documents and Settings\William Lind\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\William Lind\Skrivbord\CFScript.txt

FILE
C:\pos64.tmp
C:\pos67.tmp
C:\pos6A49.tmp
C:\pos6A4B.tmp
C:\pos6A4C.tmp
C:\pos6A4D.tmp
C:\pos6A4E.tmp
C:\pos6A4F.tmp
C:\pos6A50.tmp
C:\pos6A51.tmp
C:\pos6A52.tmp
C:\pos6A53.tmp
C:\pos6C2A.tmp
C:\pos6FAD.tmp
C:\posEE.tmp
C:\WINDOWS\mrofinu572.exe.tmp
C:\Windows\pkill.exe
C:\WINDOWS\system32\akwogvbc.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\ghwohqen.dll
C:\WINDOWS\system32\ghwohqen.dllbox
C:\WINDOWS\system32\keygen.exe
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\us2.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\pos64.tmp
C:\pos67.tmp
C:\posEE.tmp
C:\WINDOWS\mrofinu572.exe.tmp
C:\Windows\pkill.exe
C:\WINDOWS\system32\akwogvbc.dll
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\ghwohqen.dll
C:\WINDOWS\system32\ghwohqen.dllbox
C:\WINDOWS\system32\keygen.exe
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\windows
C:\WINDOWS\us2.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.
2007-12-26 12:55 . 2007-12-26 12:55 14,033 --a------ C:\pos1EB.tmp
2007-12-26 12:54 . 2007-12-26 12:54 14,033 --a------ C:\posFB.tmp
2007-12-26 12:53 . 2007-12-26 12:53 14,033 --a------ C:\posE.tmp
2007-12-25 23:42 . 2007-12-25 23:42 14,033 --a------ C:\pos87C.tmp
2007-12-25 21:01 . 2007-12-25 21:02 14,033 --a------ C:\pos3EA.tmp
2007-12-25 20:59 . 2007-12-26 13:08 <KAT> d-------- C:\WINDOWS\system32\config\systemprofile\Lokala inställningar
2007-12-25 20:59 . 2007-12-26 13:08 <KAT> d-------- C:\Documents and Settings\William Lind\Lokala inställningar
2007-12-25 20:59 . 2007-12-26 13:08 <KAT> d-------- C:\Documents and Settings\NetworkService\Lokala inställningar
2007-12-25 20:59 . 2007-12-26 13:08 <KAT> d-------- C:\Documents and Settings\NetworkService.NT INSTANS\Lokala inställningar
2007-12-25 20:59 . 2007-12-26 13:08 <KAT> d-------- C:\Documents and Settings\LocalService\Lokala inställningar
2007-12-25 20:59 . 2007-12-26 13:08 <KAT> d-------- C:\Documents and Settings\LocalService.NT INSTANS\Lokala inställningar
2007-12-25 20:59 . 2007-12-26 13:08 <KAT> d-------- C:\Documents and Settings\Default User\Lokala inställningar
2007-12-25 20:59 . 2007-12-26 13:08 <KAT> d-------- C:\Documents and Settings\Default User.WINDOWS\Lokala inställningar
2007-12-25 20:59 . <KAT> C:\Documents and Settings\Administrat÷r\Lokala inställningar
2007-12-25 20:59 . <KAT> C:\Documents and Settings\Administrat÷r\Lokala inställningar
2007-12-25 14:05 . 2007-12-25 14:05 <KAT> d-------- C:\Program\NeroInstall.bak
2007-12-24 23:26 . 2007-12-24 23:26 <KAT> d-------- C:\Program\CDX
2007-12-24 22:43 . 2007-12-24 22:43 <KAT> d-------- C:\Program\Microsoft DirectX SDK (April 2007)
2007-12-24 20:15 . 2007-12-24 20:23 <KAT> d-------- C:\Program\Docendo
2007-12-24 18:50 . 2007-12-25 19:36 <KAT> d-------- C:\Documents and Settings\William Lind\Application Data\U3
2007-12-23 19:03 . 2007-12-23 19:12 54 --a------ C:\WINDOWS\KA.INI
2007-12-22 22:30 . 2007-07-06 00:45 158,208 --a------ C:\WINDOWS\system32\cscompui.dll
2007-12-22 22:25 . 2007-07-06 12:09 1,554,768 --a------ C:\WINDOWS\system32\csc.exe
2007-12-22 19:09 . 2007-12-22 19:09 <KAT> d-------- C:\WINDOWS\symbols
2007-12-22 19:09 . 2007-12-22 19:09 <KAT> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PreEmptive Solutions
2007-12-22 19:05 . 2007-12-22 19:05 <KAT> d-------- C:\WCU
2007-12-22 19:05 . 2007-12-22 19:05 <KAT> d-------- C:\Program\Microsoft.NET
2007-12-22 19:05 . 2007-12-22 19:12 <KAT> d-------- C:\Program\HTML Help Workshop
2007-12-22 19:05 . 2007-12-22 19:14 <KAT> d-------- C:\Program\Delade filer\Merge Modules
2007-12-22 18:20 . 2007-12-22 18:20 45 --a------ C:\WINDOWS\AFX.INI
2007-12-22 17:18 . 2007-07-27 23:57 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-22 17:18 . 2007-07-27 23:58 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-22 17:17 . 2007-12-22 17:49 <KAT> d-------- C:\Program\Avast
2007-12-22 17:17 . 2007-07-28 00:07 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-22 17:17 . 2004-01-09 11:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-22 17:17 . 2007-07-28 00:02 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-22 17:17 . 2007-07-28 00:02 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-22 09:57 . 2007-12-25 17:39 <KAT> d-------- C:\Program\Adware Away
2007-12-21 23:19 . 2007-12-21 23:19 <KAT> dr------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
2007-12-21 23:15 . 2007-12-21 23:15 <KAT> d-------- C:\Program\PasswordService (DEMO)
2007-12-21 23:15 . 2007-12-21 23:15 <KAT> d-------- C:\Program\Passware
2007-12-21 23:15 . 2007-12-22 20:46 <KAT> d-------- C:\Program\Microsoft Visual Studio 9.0
2007-12-21 23:15 . 2007-12-21 23:15 <KAT> d-------- C:\Program\CFi
2007-12-21 17:56 . 2007-12-25 21:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 17:56 . 2007-12-22 10:23 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-21 16:47 . 2007-12-25 21:00 <KAT> d-------- C:\Program\NoAdware5.0
2007-12-20 10:04 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-16 22:44 . 2007-12-21 12:47 <KAT> d-------- C:\Program\Pcsx
2007-12-16 21:26 . 2007-12-21 12:47 <KAT> d-------- C:\Program\Pcsx2_0.9.4
2007-12-16 15:22 . 2007-12-21 12:47 <KAT> d-------- C:\Program\Project64 1.6
2007-12-16 14:43 . 2007-12-16 14:43 <KAT> d-------- C:\WINDOWS\system32\twdr
2007-12-16 14:43 . 2007-12-16 14:43 <KAT> d-------- C:\WINDOWS\system32\rey2
2007-12-10 20:04 . 2007-12-10 20:04 <KAT> d-------- C:\Program\eRightSoft
2007-12-10 20:04 . 2006-09-12 11:46 227,328 -r-hs---- C:\WINDOWS\system32\ac3DX.ax
2007-12-10 20:04 . 2006-03-10 21:48 169,472 -r-hs---- C:\WINDOWS\system32\MatroskaDX.ax
2007-12-10 20:04 . 2006-05-03 10:06 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-12-10 20:04 . 2005-11-25 20:46 161,792 -r-hs---- C:\WINDOWS\system32\RealMediaDX.ax
2007-12-10 20:04 . 2006-01-12 23:23 123,904 -r-hs---- C:\WINDOWS\system32\AVCDX.ax
2007-12-10 20:04 . 2003-11-20 23:00 54,784 -r-hs---- C:\WINDOWS\system32\RLAPEDec.ax
2007-12-10 20:04 . 2004-04-26 23:00 37,888 -r-hs---- C:\WINDOWS\system32\RLMPCDec.ax
2007-12-10 20:04 . 2007-02-21 11:47 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-12-10 20:04 . 2007-07-03 06:59 9,292 ---h----- C:\WINDOWS\super.chm
2007-12-09 14:19 . 2007-12-09 14:19 348,160 --a------ C:\WINDOWS\system32\FM20.oca
2007-12-08 16:31 . 2007-12-08 16:31 175,616 --a------ C:\WINDOWS\system32\wmp.oca
2007-12-08 16:30 . 2007-12-08 16:30 63,488 --a------ C:\WINDOWS\system32\MCI32.oca
2007-12-08 16:30 . 2007-12-08 16:30 60,928 --a------ C:\WINDOWS\system32\ieframe.oca
2007-12-08 16:29 . 2007-12-08 16:29 1,397,248 --a------ C:\WINDOWS\system32\mshtml.oca
2007-12-08 10:51 . 2007-12-08 10:53 <KAT> d--hsc--- C:\Program\Delade filer\WindowsLiveInstaller
2007-12-08 10:51 . 2007-12-18 17:58 <KAT> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2007-12-07 19:06 . 2007-12-07 19:10 83 --a------ C:\WINDOWS\FinalAlert2.ini
2007-12-04 21:20 . 2007-12-25 16:02 <KAT> d-------- C:\Program\Counter-Strike 1.6
2007-11-26 17:50 . 2003-04-18 18:06 5,120 --a------ C:\WINDOWS\system32\sleep.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 14:52 --------- d-----w C:\Program\Delade filer\Adobe
2007-12-22 19:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-12-22 12:01 --------- d-----w C:\Program\Accent EXCEL Password Recovery
2007-12-21 22:18 --------- d-----w C:\Program\MagicISO
2007-12-21 11:44 --------- d-----w C:\Documents and Settings\William Lind\Application Data\dvdcss
2007-12-15 17:37 --------- d-----w C:\Program\QuickTime
2007-12-14 14:30 --------- d-----w C:\Program\Paint.NET
2007-12-11 14:11 --------- d-----w C:\Program\ATI
2007-12-07 14:05 --------- d-----w C:\Program\Support Tools
2007-12-04 20:13 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2007-11-30 15:57 --------- d--h--w C:\Program\InstallShield Installation Information
2007-11-28 16:30 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
2007-11-27 18:01 --------- d-----w C:\Documents and Settings\William Lind\Application Data\LimeWire
2007-11-26 16:55 --------- d-----w C:\Program\Intelore
2007-11-22 21:56 --------- d-----w C:\Documents and Settings\William Lind\Application Data\Intelore
2007-11-17 13:59 --------- d-----w C:\Program\Windows Journal Viewer
2007-11-11 16:45 --------- d-----w C:\Program\Java
2007-11-06 19:23 --------- d-----r C:\Program\MSN Messenger
2007-11-06 18:47 --------- d-----w C:\Program\VisualBasic6.0
2007-11-03 19:19 --------- d-----w C:\Documents and Settings\William Lind\Application Data\Command & Conquer 3 Tiberium Wars
2007-10-29 17:56 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll
2007-10-29 17:56 --------- d--h--r C:\Documents and Settings\William Lind\Application Data\SecuROM
2007-10-29 17:41 --------- d-----w C:\Program\EA games
2007-09-20 16:56 67,424 ----a-w C:\Documents and Settings\William Lind\Application Data\GDIPFONTCACHEV1.DAT
2006-12-14 18:38 76 --sha-w C:\Program\Delade filer\Desktop.ini
2005-05-13 16:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-07-14 11:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 14:32 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 12:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-25_20.54.57.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-26 12:09:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"CFi ShellToys Utility Manager"="C:\Program\CFi\ShellToys\CFiShlMan.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\Program\Avast\ashDisp.exe" [2007-07-28 00:03]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]
"MSMSGS"="C:\Program\Messenger\msmsgs.exe" [2004-10-13 17:24]

C:\Documents and Settings\All Users.WINDOWS\Start-meny\Program\Autostart\
BTTray.lnk - C:\Program\Bluetooth\Bluetooth-programvara\BTTray.exe [2005-09-19 15:02:54]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ghwohqen]
.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 17:35:34 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job" - C:\Program\RegistrySmart\RegistrySmart.exe - C:\Program\RegistrySmart
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 13:10:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-26 13:12:46 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-25 20:56
.
2007-06-22 09:09:06 --- E O F ---
Live The Life As You Know It
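A useful check at this point in the thread is to compare what the CFScript asked ComboFix to delete with what the "Other Deletions" section of the returned log actually confirms. The script below is an added example, not code from this thread, from ComboFix or from its author: it parses a CFScript (section names File::, Driver::, Registry:: as in jabuck's post), splits the ComboFix log on its "((( Title )))" banner lines, and reports requested files that were not confirmed deleted, deletions that were not requested, and any fresh C:\pos*.tmp files in the "Files Created" section. Both samples are constructed from paths that appear above, cut down to a few entries; the banner regex, the dropper filename pattern and the function names are my assumptions.

```python
"""Cross-check a ComboFix CFScript against the log it produced.  Added
example for this thread; not ComboFix code.  Only the section format
(File::, Driver::, Registry::) and the '((( Title )))' banners are taken
from the posted text; the samples are constructed subsets of it."""
import re

# Constructed CFScript: a subset of the File:: block posted above.
SAMPLE_CFSCRIPT = r"""File::
C:\posEE.tmp
C:\pos6A49.tmp
C:\pos6A4B.tmp
C:\WINDOWS\system32\ghwohqen.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\geede.dll

Driver::
ghwohqen

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ghwohqen]
"""

# Constructed excerpt of the ComboFix log that came back, same layout as
# the real one: banner lines with '.' spacers between sections.
SAMPLE_COMBOFIX_LOG = r"""ComboFix 07-12-25.4 - William Lind 2007-12-26 13:02:45.2 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\posEE.tmp
C:\WINDOWS\system32\ghwohqen.dll
C:\WINDOWS\system32\windows
.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.
2007-12-26 12:55 . 2007-12-26 12:55 14,033 --a------ C:\pos1EB.tmp
2007-12-26 12:54 . 2007-12-26 12:54 14,033 --a------ C:\posFB.tmp
2007-12-22 17:17 . 2007-12-22 17:49 <KAT> d-------- C:\Program\Avast
"""

BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")          # '((( Title )))' lines
DROPPER = re.compile(r"^[a-z]:\\pos[0-9a-f]+\.tmp$", re.I)  # assumed dropper pattern


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a 'Name::' line opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) > 2 and line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Split a ComboFix log into {banner title: [lines]}, dropping '.' spacers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != "." and current is not None:
            sections[current].append(line)
    return sections


def path_of(entry):
    """Return the 'X:\\...' path at the end of a log line, or None."""
    m = re.search(r"[A-Za-z]:\\.*$", entry)
    return m.group(0).strip() if m else None


def reconcile(cfscript, log):
    """Compare the File:: requests with what ComboFix reports having done."""
    requested = {p.lower(): p for p in parse_cfscript(cfscript).get("File", [])}
    sections = parse_combofix_log(log)
    deleted = {p.lower(): p for p in sections.get("Other Deletions", [])}
    created = [path_of(l) for t, ls in sections.items()
               if t.startswith("Files Created") for l in ls]
    return {
        # requested but not confirmed: still on disk, locked by a process, or hidden
        "not_deleted": sorted(requested[k] for k in requested.keys() - deleted.keys()),
        # removed without being asked: ComboFix's own detections
        "unexpected": sorted(deleted[k] for k in deleted.keys() - requested.keys()),
        # fresh pos*.tmp files after the run: the dropper is still active
        "new_droppers": sorted(p for p in created if p and DROPPER.match(p)),
    }


if __name__ == "__main__":
    for key, paths in reconcile(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG).items():
        print(f"{key}:")
        for p in paths:
            print("   ", p)
```

Run against the full script and log posted above, the same comparison shows the twelve pos6A*.tmp files, pos6C2A.tmp, pos6FAD.tmp, ddabx.dll and geede.dll missing from "Other Deletions", C:\WINDOWS\system32\windows removed without being requested, and five new pos*.tmp files created between the two runs, which is why a second script and a further scan are the sensible next step rather than declaring the machine clean.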
|
|
Response Number 7
|
Name: jabuck
Date: December 26, 2007 at 20:05:28 Pacific
|
Reply: (edit) Run Hijack This again and remove these items:
O20 - Winlogon Notify: ghwohqen - C:\WINDOWS\
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\pos1EB.tmp
C:\posFB.tmp
C:\posE.tmp
C:\pos87C.tmp
C:\pos3EA.tmp
C:\WINDOWS\ghwohqen.dll

Driver::
ghwohqen

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ghwohqen]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start click "run".
Please run the BitDefender online scan from this link: Bitdefender Online Scanner
You will need to allow an ActiveX install for the scan to run. Leave the scanning options at default and press "click here to scan". When finished scanning, click on "click here to export the scan report". Save it to your desktop; at "file name" type in "bdscan" then click save. Post a log in your reply.
Post a new Hijack This log and a new Combofix log please.
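The O20 line jabuck singles out is the kind of entry a helper reads first in a HijackThis log. As an added example, not HijackThis code and not the helper's own procedure, the Python below parses the "Rn - ..." / "On - ..." entry lines of a HijackThis v2 log and applies three defender-side heuristics: a Winlogon Notify package whose target is not a .dll file, a service marked "(file missing)" with an unknown owner, and an unidentified Winsock LSP. The severity labels and what counts as suspicious are my own assumptions; the sample log is a cut-down copy of the one posted above.

```python
"""Triage pass over a HijackThis v2 log.  Added example for this thread;
not HijackThis code.  The entry syntax ('O20 - Winlogon Notify: name - path',
'O23 - Service: name - owner - path (file missing)') is as it appears in the
posted log; the heuristics and severity labels are my own assumptions."""
import re

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21:08, on 2007-12-26
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\Program\Avast\ashDisp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: ghwohqen - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Avast\ashServ.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
--
End of file - 6233 bytes
"""

ENTRY = re.compile(r"^([RFO]\d{1,2})\s+-\s+(.*)$")   # 'O20 - detail'
HAS_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}$")        # path ends in a file extension


def parse_hjt(text):
    """Return [(code, detail)] for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def target_of(detail):
    """Last ' - ' separated field of an entry, minus HJT's '(file missing)' tag."""
    return detail.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def triage(text):
    """Return [(severity, code, reason, detail)] for entries worth a look."""
    findings = []
    for code, detail in parse_hjt(text):
        if code == "O20" and detail.startswith("Winlogon Notify:"):
            # Notify packages load inside winlogon.exe at boot, which is why the
            # poster could not delete the DLL from a running system.  A target
            # that is a bare directory rather than a .dll is the strongest sign
            # that the package is broken or is hiding its file.
            sev = "high" if not target_of(detail).lower().endswith(".dll") else "review"
            findings.append((sev, code, "winlogon notify package", detail))
        elif code == "O23" and "(file missing)" in detail:
            # Unknown vendor plus a missing binary is either an uninstall
            # leftover or a service that hides its file.  A target with no
            # file extension at all (here 'system32\windows') is rated high;
            # a proper .exe path that is simply gone only needs review.
            target = target_of(detail)
            sev = "high" if "Unknown owner" in detail and not HAS_EXT.search(target) else "review"
            findings.append((sev, code, "service binary missing", detail))
        elif code == "O10":
            # A Winsock LSP sees every socket call on the box; HijackThis could
            # not attribute this one, so a human should confirm the vendor.
            findings.append(("review", code, "unidentified Winsock LSP", detail))
    return findings


def high_priority(text):
    """Only the findings that should be acted on first."""
    return [f for f in triage(text) if f[0] == "high"]


if __name__ == "__main__":
    for sev, code, reason, detail in triage(SAMPLE_HJT_LOG):
        print(f"[{sev:6}] {code:4} {reason:28} {detail}")
```

On the sample, the O20 ghwohqen entry and the MSControlService service both come out as high, which matches the two items that the CFScript and ComboFix's own deletions dealt with; the stale Symantec service and the LSP line are flagged for review rather than removal, since neither is evidence of infection on its own.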
|