TechSpot

Please check this HijackThis log

By 2Sher2
Jul 11, 2008
  1. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:36:56 PM, on 7/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Registry Clean Expert\RCHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

    --
    End of file - 4092 bytes
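As an added example (not part of the thread, and not HijackThis's own code): a small Python triage script that parses entries in the format of the log above and flags the ones a helper would look at first. The input is a constructed subset of that log, and the review heuristics are assumptions of this example, not rules from the tool.

```python
"""Parse HijackThis-style log entries and flag the ones a reviewer should look at first."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the log posted in the thread (a subset, not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
USER_RE = re.compile(r" \(User '(?P<user>[^']*)'\)$")
# Per-section detail patterns; an entry that matches none of them keeps only its raw body.
DETAIL_RE = {
    "R0": re.compile(r"^(?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"),
    "O3": re.compile(r"^Toolbar: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"),
    "O4": re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"),
    "O10": re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) \((?P<short>[^)]*)\) - (?P<vendor>.*?) - (?P<path>.+)$"),
}
SHORT_PATH_RE = re.compile(r"~\d")  # DOS 8.3 names such as PROGRA~1 hide the real directory name


@dataclass
class Entry:
    kind: str
    body: str
    fields: dict = field(default_factory=dict)


def parse_entry(line: str):
    """Return an Entry for one 'Xn - ...' log line, or None for headers and process lists."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = Entry(kind, body)
    um = USER_RE.search(body)  # O4 lines for other hives end with (User '...')
    if um:
        entry.fields["user"] = um.group("user")
        body = body[: um.start()]
    pat = DETAIL_RE.get(kind)
    dm = pat.match(body) if pat else None
    if dm:
        entry.fields.update(dm.groupdict())
    return entry


def parse_log(text: str):
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def triage(entries):
    """Apply review heuristics (assumed for this example); returns (kind, reason) pairs, not verdicts."""
    findings = []
    for e in entries:
        f = e.fields
        if e.kind == "O4" and "hive" in f:
            who = f.get("user", "current user")
            if f["key"].lower() == "runonce" and "cmd.exe" in f["cmd"].lower():
                findings.append((e.kind, f"RunOnce '{f['name']}' for {who} launches cmd.exe: "
                                         f"check what it moves or writes"))
            elif not f["cmd"]:
                findings.append((e.kind, f"autostart '{f['name']}' for {who} has an empty value, "
                                         f"commonly a leftover from an uninstall"))
        elif e.kind in ("O2", "O3") and SHORT_PATH_RE.search(f.get("path", "")):
            findings.append((e.kind, f"'{f['name']}' loads {f['path']}: resolve the 8.3 path to the "
                                     f"real file before deciding whether it belongs"))
        elif e.kind == "O10":
            # LSPs that HijackThis does not whitelist are often legitimate Microsoft providers;
            # removing a genuine LSP can break networking, so verify the file's publisher first.
            findings.append((e.kind, f"Winsock LSP {f['path']} not whitelisted: verify the "
                                     f"publisher, do not delete blindly"))
    return findings


if __name__ == "__main__":
    for kind, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{kind:4} {reason}")
```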
     
  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    I did not see anything bad; what is happening? But just to make sure, run SDFix and Malwarebytes. You can install Malwarebytes from my signature below. It's the one in blue. Update it and run a full system scan in safe mode.

    Download SDFix from the link below to your desktop, then run it. SDFix will create a folder on your C drive. Boot into safe mode, go to C:\SDFix and run RunThis.bat. Post the log it creates here. To boot into safe mode, reboot the computer and start tapping the F8 key until you get to a menu, then select Safe Mode. Please post a fresh HijackThis log after running the software.

    SDFix:
    http://www.bleepingcomputer.com/files/sdfix.php
     
  3. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    Thank you so much for helping me. The problem is someone knows what I do on IE, Firefox, email... I tried everything and I am hoping you can help. I ran SDFix as administrator and as user; I don't know if it's right or useless, but I'll post both. :confused:
     
  4. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:02:16 AM, on 7/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Registry Clean Expert\RCHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

    --
    End of file - 3991 bytes
     
  5. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    When you say someone, what do you mean? Can you explain with more details, e.g. someone in your house?
     
  6. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    SDfix 2 :rolleyes:
     
  7. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    not in my house ...
     
  8. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Can you provide more detail? How do you know this, or why do you think this? Do you think it is a keylogger?
     
  9. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

  10. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    ComboFix 08-07-11.1 - nero 2008-07-12 5:30:53.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.140 [GMT 3:00]
    Running from: C:\Documents and Settings\nero\Desktop\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
    .

    2008-07-12 01:43 . 2008-07-12 04:31 <DIR> d-------- C:\SDFix
    2008-07-12 01:43 . 2008-07-12 01:43 <DIR> d-------- C:\Documents and Settings\nero\Application Data\Malwarebytes
    2008-07-12 01:43 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-12 01:42 . 2008-07-12 01:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-12 01:42 . 2008-07-12 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-12 01:42 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-11 23:34 . 2008-07-11 23:34 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-28 20:44 . 2008-06-28 20:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-28 20:44 . 2008-06-28 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-28 07:19 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
    2008-06-28 07:19 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
    2008-06-28 07:14 . 2008-06-28 07:14 <DIR> d-------- C:\Program Files\ESET
    2008-06-28 06:08 . 2008-06-28 06:08 <DIR> d-------- C:\Documents and Settings\nero\Application Data\ESET
    2008-06-28 06:07 . 2008-06-28 06:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
    2008-06-20 04:04 . 2008-06-20 04:04 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-20 04:04 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-19 02:16 . 2008-06-19 02:16 <DIR> d-------- C:\Program Files\Alwil Software
    2008-06-18 19:29 . 2008-06-18 19:29 402,784 --a------ C:\WINDOWS\system32\deploytk.dll
    2008-06-15 15:44 . 2008-06-28 06:13 <DIR> d-------- C:\Program Files\VirtualNetwork

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-12 02:02 --------- d-----w C:\Documents and Settings\nero\Application Data\DMCache
    2008-07-11 14:32 --------- d-----w C:\Program Files\Registry Clean Expert
    2008-07-07 15:19 --------- d-----w C:\Documents and Settings\nero\Application Data\Winamp
    2008-07-05 22:30 --------- d-----w C:\Documents and Settings\nero\Application Data\MegauploadToolbar
    2008-06-27 11:53 --------- d-----w C:\Program Files\Internet Download Manager
    2008-06-20 01:04 --------- d-----w C:\Program Files\Java
    2008-06-12 12:49 --------- d-----w C:\Documents and Settings\nero\Application Data\IDM
    2008-06-10 15:56 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
    2008-06-10 15:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
    2008-06-10 15:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
    2008-06-10 15:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
    2008-06-10 15:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
    2008-06-06 00:27 --------- d-----w C:\Program Files\ReflexiveArcade
    2008-06-04 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-05-13 01:15 --------- d-----w C:\Program Files\Easy RealMedia Tools
    2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-07-11 12:58 34,488 -c--a-w C:\Documents and Settings\nero\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RegClean Expert Scheduler"="C:\Program Files\Registry Clean Expert\RCHelper.exe" [2008-01-31 02:09 604920]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 18:52 1447168]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-19 00:09:34 113664]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoInstrumentation"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoInstrumentation"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.HFYU"= huffyuv.dll
    "vidc.DIV3"= divxc32.dll
    "vidc.DIV4"= divxc32f.dll
    "msacm.divxa32"= DivXa32.acm
    "vidc.ap41"= apmpg4v1.dll
    "vidc.divf"= divx412.dll
    "vidc.mjpg"= m3jpeg32.dll
    "vidc.dmb1"= m3jpeg32.dll
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "rpcapd"=3 (0x3)
    "RasAuto"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "G:\\games\\Pacific warriors\\pacific warriors.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\kav\\kav7.0\\english\\setup.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 16:00]

    *Newly Created Service* - HELPSVC
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-12 05:31:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-12 5:32:21
    ComboFix-quarantined-files.txt 2008-07-12 02:32:19
    ComboFix2.txt 2008-07-12 02:07:29

    Pre-Run: 6,279,966,720 bytes free
    Post-Run: 6,271,094,784 bytes free

    117 --- E O F --- 2008-06-19 00:53:49
     
  11. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    Spybot popped up with this after ComboFix: "user-specific browser toolbar value added"... allow or deny???
     
  12. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    Sorry, value deleted, not added.
     
  13. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    Spybot popped up with these:


    7/12/2008 5:02:07 AM Allowed (based on user decision) value "{0055C089-8582-441B-A0BF-17B458C2A3A8}" (new data: "") deleted in Browser Helper Object!
    7/12/2008 5:17:50 AM Allowed (based on user decision) value "{13085077-6A24-43FD-A8FC-A3A99030184D}" (new data: "") deleted in User-specific browser toolbar!
    7/12/2008 5:18:04 AM Denied (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
    7/12/2008 5:18:10 AM Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
    7/12/2008 5:18:16 AM Denied (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
    7/12/2008 5:21:07 AM Denied (based on user decision) value "" (new data: ""%1" /S") changed in SCR Extension handler!
    7/12/2008 5:22:12 AM Denied (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!
    7/12/2008 5:22:20 AM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
    7/12/2008 5:22:27 AM Allowed (based on user decision) value "WgaLogon" (new data: "") deleted in Winlogon Notifiers!
     
  14. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Please disable TeaTimer while we get your computer fixed.
     
  15. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    When I saved ComboFix to drive D and ran it, it came up with a different log that started with this:

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\nero\ravmonlog
    C:\WINDOWS\system32\MabryObj.dll
    C:\WINDOWS\system32\oeminfo.ini
    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\pthreadVC.dll
    C:\WINDOWS\system32\wanpacket.dll
    C:\WINDOWS\system32\wpcap.dll


    Sorry for being a headache.
     
  16. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    How many hard drives and partitions do you have?
     
  17. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    Quarantined Files

    2002-11-21 13:38 99576 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\MabryObj.dll.vir
    2004-01-15 07:01 53299 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir
    2004-05-14 11:30 61440 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\wanpacket.dll.vir
    2004-05-14 11:30 81920 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
    2004-05-14 13:02 225280 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
    2006-06-14 15:54 269 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\oeminfo.ini.vir
    2007-03-31 21:58 5 --a--c--- C:\Qoobox\Quarantine\C\Documents and Settings\nero\RavMonLog.vir
    2008-07-12 05:04 1160 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
    2008-07-12 05:04 2418 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
    2008-07-12 05:07 102 --a------ C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Spyware Doctor.reg.dat
    2008-07-12 05:07 332 --a------ C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
    2008-07-12 05:07 606 --a------ C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-BearFlix.reg.dat
    2008-07-12 05:31 108 --a------ C:\Qoobox\Quarantine\catchme.log
     
  18. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    1 hard drive, 4 partitions.
     
  19. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    I am going to make a request for Blind Dragon to check this thread, as he is more advanced than I. He will check as soon as he can.
     
  20. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    Thank you sooooo very much
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You're doing great, Daniel. Clean up temp files, then run the online scan.

    Was TeaTimer disabled? You need to run ComboFix once with it disabled.

    Disable Teatimer
    • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
    • Open Spybot S&D
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close Spybot
     
  22. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Then go to the link below to run the free online malware scan.

    http://housecall65.trendmicro.com/
     
  23. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    After I disabled TeaTimer, here's the ComboFix log:


    ComboFix 08-07-11.1 - nero 2008-07-12 18:40:04.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.151 [GMT 3:00]
    Running from: G:\SU\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
    .

    2008-07-12 01:43 . 2008-07-12 04:31 <DIR> d-------- C:\SDFix
    2008-07-12 01:43 . 2008-07-12 01:43 <DIR> d-------- C:\Documents and Settings\nero\Application Data\Malwarebytes
    2008-07-12 01:43 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-12 01:42 . 2008-07-12 01:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-12 01:42 . 2008-07-12 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-12 01:42 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-11 23:34 . 2008-07-11 23:34 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-28 20:44 . 2008-06-28 20:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-28 20:44 . 2008-06-28 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-28 07:19 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
    2008-06-28 07:19 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
    2008-06-28 07:14 . 2008-06-28 07:14 <DIR> d-------- C:\Program Files\ESET
    2008-06-28 06:08 . 2008-06-28 06:08 <DIR> d-------- C:\Documents and Settings\nero\Application Data\ESET
    2008-06-28 06:07 . 2008-06-28 06:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
    2008-06-20 04:04 . 2008-06-20 04:04 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-20 04:04 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-19 02:16 . 2008-06-19 02:16 <DIR> d-------- C:\Program Files\Alwil Software
    2008-06-18 19:29 . 2008-06-18 19:29 402,784 --a------ C:\WINDOWS\system32\deploytk.dll
    2008-06-15 15:44 . 2008-06-28 06:13 <DIR> d-------- C:\Program Files\VirtualNetwork

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-12 02:02 --------- d-----w C:\Documents and Settings\nero\Application Data\DMCache
    2008-07-11 14:32 --------- d-----w C:\Program Files\Registry Clean Expert
    2008-07-07 15:19 --------- d-----w C:\Documents and Settings\nero\Application Data\Winamp
    2008-07-05 22:30 --------- d-----w C:\Documents and Settings\nero\Application Data\MegauploadToolbar
    2008-06-27 11:53 --------- d-----w C:\Program Files\Internet Download Manager
    2008-06-20 01:04 --------- d-----w C:\Program Files\Java
    2008-06-12 12:49 --------- d-----w C:\Documents and Settings\nero\Application Data\IDM
    2008-06-10 15:56 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
    2008-06-10 15:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
    2008-06-10 15:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
    2008-06-10 15:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
    2008-06-10 15:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
    2008-06-06 00:27 --------- d-----w C:\Program Files\ReflexiveArcade
    2008-06-04 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-05-13 01:15 --------- d-----w C:\Program Files\Easy RealMedia Tools
    2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-07-11 12:58 34,488 -c--a-w C:\Documents and Settings\nero\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-12_ 5.07.14.54 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-12 02:05:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-12 15:20:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RegClean Expert Scheduler"="C:\Program Files\Registry Clean Expert\RCHelper.exe" [2008-01-31 02:09 604920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 18:52 1447168]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-19 00:09:34 113664]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoInstrumentation"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoInstrumentation"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.HFYU"= huffyuv.dll
    "vidc.DIV3"= divxc32.dll
    "vidc.DIV4"= divxc32f.dll
    "msacm.divxa32"= DivXa32.acm
    "vidc.ap41"= apmpg4v1.dll
    "vidc.divf"= divx412.dll
    "vidc.mjpg"= m3jpeg32.dll
    "vidc.dmb1"= m3jpeg32.dll
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "rpcapd"=3 (0x3)
    "RasAuto"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "G:\\games\\Pacific warriors\\pacific warriors.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\kav\\kav7.0\\english\\setup.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 16:00]

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-12 18:40:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-12 18:41:23
    ComboFix-quarantined-files.txt 2008-07-12 15:41:21
    ComboFix2.txt 2008-07-12 15:37:22
    ComboFix3.txt 2008-07-12 02:32:22
    ComboFix4.txt 2008-07-12 02:07:29

    Pre-Run: 6,252,974,080 bytes free
    Post-Run: 6,244,560,896 bytes free

    123 --- E O F --- 2008-06-19 00:53:49
     
  24. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    Spybot popped up with these; I don't know what these changes are:


    7/12/2008 6:34:47 PM Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
    7/12/2008 6:38:02 PM Denied (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
    7/12/2008 6:38:09 PM Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
    7/12/2008 6:38:10 PM Denied (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
    7/12/2008 6:38:11 PM Denied (based on user decision) value "" (new data: ""%1" /S") changed in SCR Extension handler!
    7/12/2008 6:38:12 PM Denied (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!
    7/12/2008 6:38:13 PM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
    7/12/2008 6:42:27 PM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
    7/12/2008 7:03:07 PM Allowed (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
    7/12/2008 7:03:25 PM Allowed (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
    7/12/2008 7:10:35 PM Allowed (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
    7/12/2008 7:10:39 PM Denied (based on user decision) value "" (new data: ""%1" /S") changed in SCR Extension handler!
    7/12/2008 7:10:43 PM Denied (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!
    7/12/2008 7:10:50 PM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
    7/12/2008 7:11:02 PM Denied (based on user decision) value "{0055C089-8582-441B-A0BF-17B458C2A3A8}" (new data: "") added in Browser Helper Object!
     
  25. 2Sher2

    2Sher2 TS Rookie Topic Starter Posts: 21

    What's wrong with this machine?

    7/12/2008 8:11:44 PM Real-time file system protection file C:\DOCUME~1\nero\LOCALS~1\Temp\V0SOFHa02224 Win32/PerfectKeylogger application unable to clean NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
     
Topic Status:
Not open for further replies.
