Old 08-02-2006, 10:39 AM   #7 (permalink)
dmperlman
Registered User
 
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Looks like that got it to complete... here's the log.

Edit: also, it looks like I somehow got re-infected in between my first HiJack log and our discussion now. TClock, as well as the malware that puts 2 icons in your system tray telling you you're infected; I believe it's called Troj/AdClick-BC. If you want me to post another hijack log, let me know.


Start Time= Wed 2006-08-02 12:33:28.32
Running from: C:\Documents and Settings\Administrator\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

12:34:01.37

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINNT\system32\ylwekn.exe
C:\WINNT\system32\ouoik.exe
C:\WINNT\system32\apumuta.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-02 12:18 91664 --a------ C:\WINNT\system32\ishost.exe
2006-08-02 12:18 11776 --a------ C:\WINNT\system32\ismon.exe
2006-08-01 22:44 127488 --a------ C:\WINNT\system32\eimhw.dat
2006-08-01 07:57 2 --a------ C:\WINNT\system32\wnscpcc.exe
2006-07-27 04:54 81920 --a------ C:\WINNT\system32\spoolsv.dll
2006-07-26 03:49 53 --a------ C:\WINNT\bpbpve.dat
2006-07-26 03:49 51712 --a------ C:\WINNT\system32\fswecvk.dll
2006-07-26 03:49 28672 --a------ C:\WINNT\system32\ouoik.exe
2006-07-26 03:49 23552 --a------ C:\WINNT\system32\apumuta.exe
2006-07-26 03:49 127488 --a------ C:\WINNT\system32\ylwekn.exe
2006-07-26 03:49 127488 --a------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qsjfq.exe
2006-07-26 00:54 14848 --a------ C:\WINNT\system32\BASSMOD.dll
2006-07-03 17:29 21840 --a----t- C:\WINNT\system32\SIntfNT.dll
2006-07-03 17:29 17212 --a----t- C:\WINNT\system32\SIntf32.dll
2006-07-03 17:29 12067 --a----t- C:\WINNT\system32\SIntf16.dll


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


C:\qoobox\ylwekn.exe.vir
C:\qoobox\eimhw.dat.vir
C:\qoobox\qsjfq.exe.vir
C:\qoobox\fswecvk.dll.vir
C:\qoobox\ouoik.exe.vir
C:\qoobox\apumuta.exe.vir
C:\qoobox\bpbpve.dat.vir

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINNT\system32\wnscpcc.exe
C:\WINNT\system32\ishost.exe
C:\WINNT\system32\ismon.exe
C:\WINNT\system32\BASSMOD.dll
C:\WINNT\system32\SIntf16.dll
C:\WINNT\system32\SIntf32.dll
C:\WINNT\system32\SIntfNT.dll
C:\WINNT\system32\spoolsv.dll


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\thiselt.exe
C:\Program Files\ipwins
C:\Program Files\Common Files\{907E36B0-06CC-1033-0228-020314020001}


((((((((((((((((((((((((((((((( Files Created from 2006-07-02 to 2006-08-02 ))))))))))))))))))))))))))))))))))


2006-08-02 12:20 8,772 C:\WINNT\system32\isnotify.exe
2006-08-02 12:20 68,096 C:\WINNT\system32\issearch.exe
2006-08-02 12:20 46,592 C:\WINNT\system32\ixt0.dll
2006-08-02 12:18 91,664 C:\WINNT\system32\ishost.exe
2006-08-02 12:18 11,776 C:\WINNT\system32\ismon.exe
2006-08-01 20:16 1,645,320 C:\WINNT\system32\gdiplus.dll
2006-08-01 17:03 73,728 C:\WINNT\system32\asuninst.exe
2006-08-01 17:03 11,776 C:\WINNT\system32\ZPORT4AS.dll
2006-07-26 03:57 81,920 C:\WINNT\system32\spoolsv.dll
2006-07-26 03:57 2 C:\WINNT\system32\wnscpcc.exe
2006-07-26 03:50 30,208 C:\WINNT\ss1205.exe
2006-07-26 03:49 45,056 C:\WINNT\zuckdha.exe
2006-07-26 03:49 441 C:\WINNT\wgelb.dll
2006-07-26 03:49 376,832 C:\WINNT\876057.exe
2006-07-26 03:49 28,672 C:\WINNT\system32\hvzead7v.exe
2006-07-26 03:49 24,576 C:\WINNT\system32\xd7ehbkw.exe
2006-07-26 03:49 234,248 C:\WINNT\Tagasuarus2.exe
2006-07-26 03:49 208,896 C:\WINNT\system32\v199.dll
2006-07-26 03:49 183,887 C:\WINNT\YazzleBundle-1304.exe
2006-07-26 03:49 143,360 C:\WINNT\win3208656-1870776.exe
2006-07-26 03:49 1,142,784 C:\WINNT\system32\bdpn.exe
2006-07-26 03:42 127,578 C:\WINNT\system32\tsuninst.exe
2006-07-26 00:58 18,944 C:\WINNT\system32\winmmt32.dll
2006-07-26 00:33 14,848 C:\WINNT\system32\BASSMOD.dll
2006-07-03 17:10 94,208 C:\WINNT\DIIUnin.exe
2006-07-03 16:43 43,520 C:\WINNT\system32\CmdLineExt03.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-02 12:36 ------- d-a------ C:\Program Files\Common Files
2006-08-02 12:20 ------- d-------- C:\Program Files\Safety Bar
2006-08-01 22:15 ------- d-------- C:\Program Files\Internet Explorer
2006-08-01 20:10 ------- d-------- C:\Program Files\CCleaner
2006-08-01 17:08 ------- d-------- C:\Documents and Settings\Administrator\Application Data\PPATCH~1
2006-08-01 17:06 ------- d-------- C:\Program Files\WinZip
2006-08-01 17:06 ------- d-------- C:\Program Files\WinRAR
2006-08-01 17:06 ------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-08-01 17:05 ------- d-------- C:\Program Files\iTunes
2006-08-01 17:05 ------- d-------- C:\Program Files\AIM95
2006-08-01 17:05 ------- d-------- C:\Documents and Settings\Administrator\My Documents\WNSXS~1
2006-08-01 14:28 ------- d-------- C:\Program Files\PartyPoker
2006-08-01 14:27 ------- d-------- C:\Program Files\Kazaa Lite
2006-08-01 00:35 ------- d-------- C:\Documents and Settings\Administrator\Application Data\WeatherBug
2006-07-31 18:39 ------- d-------- C:\Program Files\Diablo II
2006-07-30 13:46 ------- d-------- C:\Program Files\World of Warcraft
2006-07-29 07:51 ------- d-------- C:\Program Files\Common Files\STEM32~1
2006-07-29 07:51 ------- d-------- C:\Documents and Settings\Administrator\Application Data\CROSOF~1.NET
2006-07-28 12:11 ------- d-------- C:\Program Files\TBONAS
2006-07-27 04:54 ------- d-------- C:\WINNT\system32\YMBOLS~1
2006-07-26 09:28 ------- d-------- C:\Program Files\Common Files\fuqf
2006-07-26 01:01 ------- d-------- C:\Program Files\TClock
2006-07-26 00:33 ------- d-------- C:\Documents and Settings\Administrator\Application Data\Eltima Software
2006-07-26 00:31 ------- d-------- C:\Program Files\Eltima Software
2006-07-20 18:43 ------- d-------- C:\Program Files\mIRC
2006-07-20 17:29 ------- d-------- C:\Program Files\Soulseek
2006-07-20 17:29 ------- d-------- C:\Program Files\nokcvtr
2006-07-09 20:43 ------- d-------- C:\Documents and Settings\Administrator\Application Data\3M
2006-07-09 20:42 ------- d-------- C:\Program Files\Common Files\Download Manager
2006-06-29 15:04 ------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-06-29 14:58 ------- d-------- C:\Program Files\PopCap Games
2006-06-28 16:49 ------- d-------- C:\Program Files\Zen of Sudoku
2006-06-20 15:23 ------- d-------- C:\Documents and Settings\Administrator\Application Data\Newsbin
2006-06-20 14:23 ------- d-------- C:\Program Files\NewsBin
2006-06-20 14:20 ------- d-------- C:\Program Files\NewsLeecher
2006-06-16 09:29 ------- d-------- C:\Program Files\Mozilla Firefox
2006-06-04 22:55 ------- d--h----- C:\Program Files\InstallShield Installation Information
2006-06-04 22:55 ------- d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"SoundMan"="SOUNDMAN.EXE"
"EPSON Stylus C62 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0BIC1.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"Windows Print Spooler"="NavAgent32.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"DeadAIM"="rundll32.exe \"C:\\Program Files\\AIM95\\\\DeadAIM.ocm\",ExportedCheckODLs"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"hjkamga"="c:\\winnt\\system32\\hjkamga.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\found.000\\dir0000.chk\\Weather.exe 1"
"OfotoNow USB Detection"="C:\\WINNT\\system32\\RunDLL32.exe C:\\PROGRA~1\\Ofoto\\OfotoNow\\OFUSBS.DLL,WatchForConnection OfotoNow"
"Wnne"="\"C:\\DOCUME~1\\ADMINI~1\\MYDOCU~1\\WNSXS~1\\regedit.exe\" -vt yazr"
"Kidnvb"="C:\\Documents and Settings\\Administrator\\Application Data\\??pPatch\\?hkntfs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Print Spooler"="NavAgent32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ishost.exe"="ishost.exe"
"issearch.exe"="issearch.exe"
"kernel32.dll"="C:\\WINNT\\system32\\isnotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: Wed 2006-08-02 12:39:42.50
ComboFix ver 06.08.02 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt

Last edited by dmperlman; 08-02-2006 at 10:51 AM.