Please check this HijackThis log


2Sher2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:56 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Registry Clean Expert\RCHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

--
End of file - 4092 bytes
 
I did not see anything bad; what is happening? But just to make sure, run SDFix and Malwarebytes. You can install Malwarebytes from my signature below. It's the one in blue. Update it and run a full system scan in safe mode.

Download SDFix from the link below to your desktop, then run it. SDFix will create a folder in your C drive. Boot into safe mode, go to C:\SDFix and run --->RunThis.bat. Post the log it creates here. To boot into safe mode, reboot the computer and start tapping the F8 key until you get to a menu; select safe mode. Please post a fresh HijackThis log after running the software.

SDFix:
http://www.bleepingcomputer.com/files/sdfix.php
 
xxdanielxx said:
I did not see anything bad; what is happening? But just to make sure, run SDFix and Malwarebytes. You can install Malwarebytes from my signature below. It's the one in blue. Update it and run a full system scan in safe mode.

Download SDFix from the link below to your desktop, then run it. SDFix will create a folder in your C drive. Boot into safe mode, go to C:\SDFix and run --->RunThis.bat. Post the log it creates here. To boot into safe mode, reboot the computer and start tapping the F8 key until you get to a menu; select safe mode. Please post a fresh HijackThis log after running the software.

SDFix:
http://www.bleepingcomputer.com/files/sdfix.php

Thank you so much for helping me. The problem is someone knows what I do on IE, Firefox, email... I tried everything and I am hoping you help. I ran SDFix on administrator and user; I don't know if it's right or useless, but I'll post both.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:16 AM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Registry Clean Expert\RCHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

--
End of file - 3991 bytes
 
Can you provide more detail: how do you know this, or why do you think this? Do you think it is a keylogger?
 
ComboFix 08-07-11.1 - nero 2008-07-12 5:30:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.140 [GMT 3:00]
Running from: C:\Documents and Settings\nero\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-12 01:43 . 2008-07-12 04:31 <DIR> d-------- C:\SDFix
2008-07-12 01:43 . 2008-07-12 01:43 <DIR> d-------- C:\Documents and Settings\nero\Application Data\Malwarebytes
2008-07-12 01:43 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 01:42 . 2008-07-12 01:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 01:42 . 2008-07-12 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 01:42 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-11 23:34 . 2008-07-11 23:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 20:44 . 2008-06-28 20:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 20:44 . 2008-06-28 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 07:19 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-06-28 07:19 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-06-28 07:14 . 2008-06-28 07:14 <DIR> d-------- C:\Program Files\ESET
2008-06-28 06:08 . 2008-06-28 06:08 <DIR> d-------- C:\Documents and Settings\nero\Application Data\ESET
2008-06-28 06:07 . 2008-06-28 06:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-20 04:04 . 2008-06-20 04:04 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-20 04:04 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-19 02:16 . 2008-06-19 02:16 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-18 19:29 . 2008-06-18 19:29 402,784 --a------ C:\WINDOWS\system32\deploytk.dll
2008-06-15 15:44 . 2008-06-28 06:13 <DIR> d-------- C:\Program Files\VirtualNetwork

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 02:02 --------- d-----w C:\Documents and Settings\nero\Application Data\DMCache
2008-07-11 14:32 --------- d-----w C:\Program Files\Registry Clean Expert
2008-07-07 15:19 --------- d-----w C:\Documents and Settings\nero\Application Data\Winamp
2008-07-05 22:30 --------- d-----w C:\Documents and Settings\nero\Application Data\MegauploadToolbar
2008-06-27 11:53 --------- d-----w C:\Program Files\Internet Download Manager
2008-06-20 01:04 --------- d-----w C:\Program Files\Java
2008-06-12 12:49 --------- d-----w C:\Documents and Settings\nero\Application Data\IDM
2008-06-10 15:56 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-06-10 15:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-06-10 15:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-06-10 15:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 15:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-06 00:27 --------- d-----w C:\Program Files\ReflexiveArcade
2008-06-04 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-13 01:15 --------- d-----w C:\Program Files\Easy RealMedia Tools
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2007-07-11 12:58 34,488 -c--a-w C:\Documents and Settings\nero\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegClean Expert Scheduler"="C:\Program Files\Registry Clean Expert\RCHelper.exe" [2008-01-31 02:09 604920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 18:52 1447168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-19 00:09:34 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= divxc32.dll
"vidc.DIV4"= divxc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.ap41"= apmpg4v1.dll
"vidc.divf"= divx412.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3 (0x3)
"RasAuto"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"G:\\games\\Pacific warriors\\pacific warriors.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\kav\\kav7.0\\english\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 16:00]

*Newly Created Service* - HELPSVC
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 05:31:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-12 5:32:21
ComboFix-quarantined-files.txt 2008-07-12 02:32:19
ComboFix2.txt 2008-07-12 02:07:29

Pre-Run: 6,279,966,720 bytes free
Post-Run: 6,271,094,784 bytes free

117 --- E O F --- 2008-06-19 00:53:49
 
Spybot popped up with this after ComboFix: user-specific browser toolbar value added... allow or deny?
 
Spybot popped up with these:


7/12/2008 5:02:07 AM Allowed (based on user decision) value "{0055C089-8582-441B-A0BF-17B458C2A3A8}" (new data: "") deleted in Browser Helper Object!
7/12/2008 5:17:50 AM Allowed (based on user decision) value "{13085077-6A24-43FD-A8FC-A3A99030184D}" (new data: "") deleted in User-specific browser toolbar!
7/12/2008 5:18:04 AM Denied (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
7/12/2008 5:18:10 AM Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
7/12/2008 5:18:16 AM Denied (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
7/12/2008 5:21:07 AM Denied (based on user decision) value "" (new data: ""%1" /S") changed in SCR Extension handler!
7/12/2008 5:22:12 AM Denied (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!
7/12/2008 5:22:20 AM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
7/12/2008 5:22:27 AM Allowed (based on user decision) value "WgaLogon" (new data: "") deleted in Winlogon Notifiers!
 
When I saved ComboFix to drive D and ran it, it came up with a different log that started with this:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\nero\ravmonlog
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll


Sorry for being a headache.
 
Quarantined Files

2002-11-21 13:38 99576 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\MabryObj.dll.vir
2004-01-15 07:01 53299 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir
2004-05-14 11:30 61440 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\wanpacket.dll.vir
2004-05-14 11:30 81920 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2004-05-14 13:02 225280 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2006-06-14 15:54 269 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\oeminfo.ini.vir
2007-03-31 21:58 5 --a--c--- C:\Qoobox\Quarantine\C\Documents and Settings\nero\RavMonLog.vir
2008-07-12 05:04 1160 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2008-07-12 05:04 2418 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2008-07-12 05:07 102 --a------ C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Spyware Doctor.reg.dat
2008-07-12 05:07 332 --a------ C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2008-07-12 05:07 606 --a------ C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-BearFlix.reg.dat
2008-07-12 05:31 108 --a------ C:\Qoobox\Quarantine\catchme.log
 
I am going to make a request for blind dragon to check this thread, as he is more advanced than I. He will check as soon as he can.
 
You're doing great, Daniel. Clean up temp files, then run an online scan.

Was TeaTimer disabled? You need to run ComboFix once with it disabled.

Disable Teatimer
  • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot
 
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then go to the link below to run the free online malware scan.

http://housecall65.trendmicro.com/
 
After I disabled TeaTimer, here's the ComboFix log:


ComboFix 08-07-11.1 - nero 2008-07-12 18:40:04.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.151 [GMT 3:00]
Running from: G:\SU\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-12 01:43 . 2008-07-12 04:31 <DIR> d-------- C:\SDFix
2008-07-12 01:43 . 2008-07-12 01:43 <DIR> d-------- C:\Documents and Settings\nero\Application Data\Malwarebytes
2008-07-12 01:43 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 01:42 . 2008-07-12 01:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 01:42 . 2008-07-12 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 01:42 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-11 23:34 . 2008-07-11 23:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 20:44 . 2008-06-28 20:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 20:44 . 2008-06-28 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 07:19 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-06-28 07:19 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-06-28 07:14 . 2008-06-28 07:14 <DIR> d-------- C:\Program Files\ESET
2008-06-28 06:08 . 2008-06-28 06:08 <DIR> d-------- C:\Documents and Settings\nero\Application Data\ESET
2008-06-28 06:07 . 2008-06-28 06:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-20 04:04 . 2008-06-20 04:04 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-20 04:04 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-19 02:16 . 2008-06-19 02:16 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-18 19:29 . 2008-06-18 19:29 402,784 --a------ C:\WINDOWS\system32\deploytk.dll
2008-06-15 15:44 . 2008-06-28 06:13 <DIR> d-------- C:\Program Files\VirtualNetwork

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 02:02 --------- d-----w C:\Documents and Settings\nero\Application Data\DMCache
2008-07-11 14:32 --------- d-----w C:\Program Files\Registry Clean Expert
2008-07-07 15:19 --------- d-----w C:\Documents and Settings\nero\Application Data\Winamp
2008-07-05 22:30 --------- d-----w C:\Documents and Settings\nero\Application Data\MegauploadToolbar
2008-06-27 11:53 --------- d-----w C:\Program Files\Internet Download Manager
2008-06-20 01:04 --------- d-----w C:\Program Files\Java
2008-06-12 12:49 --------- d-----w C:\Documents and Settings\nero\Application Data\IDM
2008-06-10 15:56 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-06-10 15:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-06-10 15:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-06-10 15:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 15:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-06 00:27 --------- d-----w C:\Program Files\ReflexiveArcade
2008-06-04 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-13 01:15 --------- d-----w C:\Program Files\Easy RealMedia Tools
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2007-07-11 12:58 34,488 -c--a-w C:\Documents and Settings\nero\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-07-12_ 5.07.14.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-12 02:05:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-12 15:20:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegClean Expert Scheduler"="C:\Program Files\Registry Clean Expert\RCHelper.exe" [2008-01-31 02:09 604920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 18:52 1447168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-19 00:09:34 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= divxc32.dll
"vidc.DIV4"= divxc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.ap41"= apmpg4v1.dll
"vidc.divf"= divx412.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3 (0x3)
"RasAuto"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"G:\\games\\Pacific warriors\\pacific warriors.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\kav\\kav7.0\\english\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 16:00]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 18:40:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-12 18:41:23
ComboFix-quarantined-files.txt 2008-07-12 15:41:21
ComboFix2.txt 2008-07-12 15:37:22
ComboFix3.txt 2008-07-12 02:32:22
ComboFix4.txt 2008-07-12 02:07:29

Pre-Run: 6,252,974,080 bytes free
Post-Run: 6,244,560,896 bytes free

123 --- E O F --- 2008-06-19 00:53:49
 
Spybot popped up with these; I don't know what these changes are:


7/12/2008 6:34:47 PM Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
7/12/2008 6:38:02 PM Denied (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
7/12/2008 6:38:09 PM Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
7/12/2008 6:38:10 PM Denied (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
7/12/2008 6:38:11 PM Denied (based on user decision) value "" (new data: ""%1" /S") changed in SCR Extension handler!
7/12/2008 6:38:12 PM Denied (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!
7/12/2008 6:38:13 PM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
7/12/2008 6:42:27 PM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
7/12/2008 7:03:07 PM Allowed (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
7/12/2008 7:03:25 PM Allowed (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
7/12/2008 7:10:35 PM Allowed (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
7/12/2008 7:10:39 PM Denied (based on user decision) value "" (new data: ""%1" /S") changed in SCR Extension handler!
7/12/2008 7:10:43 PM Denied (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!
7/12/2008 7:10:50 PM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
7/12/2008 7:11:02 PM Denied (based on user decision) value "{0055C089-8582-441B-A0BF-17B458C2A3A8}" (new data: "") added in Browser Helper Object!
 
What's wrong with this machine?

7/12/2008 8:11:44 PM Real-time file system protection file C:\DOCUME~1\nero\LOCALS~1\Temp\V0SOFHa02224 Win32/PerfectKeylogger application unable to clean NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
 