HijackThis Log Help: Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.
#1
Registered User
Join Date: Jun 2006
Location: London
Posts: 68
OS: XP
re: my mate's malware problem
Hi, I was advised by some colleagues of yours to do the HijackThis process thing, and here is the thread:
http://www.techsupportforum.com/microsoft-support/windows-xp-support/252870-re-csrss-exe-file-missing-i-think.html

As you know from that thread, it's my mate's one, because he doesn't have an account, and I've been on this a few times now. I did the ActiveScan thing, but halfway through (at about 300,000 files scanned) a profile thing came up and asked me to choose, and I cancelled it because I assumed it was irrelevant, and then it skipped straight to 100%. Nonetheless, I still have this activescan.txt file (following it is the "main.txt" file), and attached is the "extra.txt" file as suggested in the 5 step guide:

;****************************************************************
 ANALYSIS: 2008-05-26 17:34:07
 PROTECTIONS: 1
 MALWARE: 71
 SUSPECTS: 0
;****************************************************************
 PROTECTIONS
Description                   Version     Active   Updated
;================================================================
Kaspersky Internet Security   7.0.0.120   No       No
;================================================================

Deckard's System Scanner v20071014.68
Run by Seden Salih on 2008-05-26 19:59:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
49: 2008-05-26 19:00:02 UTC - RP224 - Deckard's System Scanner Restore Point
48: 2008-05-26 18:23:01 UTC - RP223 - Software Distribution Service 3.0
47: 2008-05-26 17:58:31 UTC - RP222 - Software Distribution Service 3.0
46: 2008-05-26 13:42:44 UTC - RP221 - Removed Sonic DLA
45: 2008-05-26 13:33:45 UTC - RP220 - Removed Norton Security Center

-- First Restore Point --
1: 2008-05-04 10:44:47 UTC - RP176 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-26 20:02:16
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\McAfee\MSC\mcregist.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Seden Salih\My Documents\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\Media\csrss.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\Media\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089fd14d-132b-48fc-8861-0048ae113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {8d35c97a-b8e5-4c0b-b904-e4326b3b5cc5} - {5cc5b3b6-234e-409b-b0c4-5e8ba79c53d8} - C:\WINDOWS\system32\yrrbvyny.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7e853d72-626a-48ec-a868-ba8d5e23e045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {aceed890-bb1c-4aba-9717-6845ef9a2404} - C:\WINDOWS\system32\tuvULFWP.dll (file missing)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: Min stor proj. - {FFFFFFFF-B432-46fc-9143-B82B832B1B14} - interns32.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [c4ecf8e6] rundll32.exe "C:\WINDOWS\system32\txpxtguv.dll",b
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BMc7dfcb7a] Rundll32.exe "C:\WINDOWS\system32\xwmynmej.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?455e2b92a0574c19b31ff436632aaa53
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} () - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: geBsqQKE - C:\WINDOWS\system32\geBsqQKE.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Anti-Spam Service (msk80service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: siteadvisor service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe

-- End of file - 11390 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 scdemu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>
R3 qmofiltr (Quanta HotKey Mouse Filter Driver) - c:\windows\system32\drivers\qmofiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta Mouse Filter Device Driver>
S1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
S3 toshidpt (TOSHIBA Bluetooth HID port driver) - c:\windows\system32\drivers\toshidpt.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Bluetooth HID Mini Port Driver>
S3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
S3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
S3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
S3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
S3 TosRfSnd (Bluetooth Audio Device (WDM) from TOSHIBA) - c:\windows\system32\drivers\tosrfsnd.sys <Not Verified; TOSHIBA Corporation; Bluetooth Audio Driver>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth USB Miniport Driver(Windows2000,WindowsXP)>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.
-- Scheduled Tasks ------------------------------------------------------------- 2008-05-26 15:18:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job 2008-02-29 16:40:38 276 --a------ C:\WINDOWS\Tasks\McDefragTask.job 2008-02-29 16:40:35 368 --a------ C:\WINDOWS\Tasks\McQcTask.job -- Files created between 2008-04-26 and 2008-05-26 ----------------------------- 2008-05-26 19:51:45 0 d-------- C:\WINDOWS\Prefetch 2008-05-26 19:42:33 0 d-------- C:\WINDOWS\system32\scripting 2008-05-26 19:42:33 0 d-------- C:\WINDOWS\l2schemas 2008-05-26 19:42:31 0 d-------- C:\WINDOWS\system32\en 2008-05-26 19:42:31 0 d-------- C:\WINDOWS\system32\bits 2008-05-26 19:39:20 0 d-------- C:\WINDOWS\ServicePackFiles 2008-05-26 19:35:47 0 d-------- C:\WINDOWS\network diagnostic 2008-05-26 19:29:21 0 d-------- C:\WINDOWS\EHome 2008-05-26 18:16:46 0 d-------- C:\ie-spyad_zo 2008-05-26 17:57:57 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP 2008-05-26 15:18:07 0 d-------- C:\Program Files\Panda Security 2008-05-26 13:53:37 245760 --a------ C:\Program Files\Uninstall Ask Toolbar.dll <Not Verified; Ask.com; Ask Toolbar for Internet Explorer> 2008-05-23 12:09:05 0 d-------- C:\Documents and Settings\LocalService\Application Data\Identities 2008-05-18 09:15:55 0 d-------- C:\Program Files\Managed DirectX (0901) 2008-05-17 14:19:24 0 d-------- C:\Documents and Settings\LocalService\Desktop 2008-05-17 14:19:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor 2008-05-17 14:19:08 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2008-05-17 14:17:17 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL> 2008-05-17 12:25:21 100928 --a------ C:\WINDOWS\system32\xwmynmej.dll 2008-05-16 12:34:31 102464 --a------ C:\WINDOWS\system32\yrrbvyny.dll 2008-05-16 12:31:31 90688 --a------ C:\WINDOWS\system32\txpxtguv.dll 2008-05-15 15:51:40 99904 --a------ 
C:\WINDOWS\system32\olkufxdt.dll 2008-05-15 13:16:11 101952 --a------ C:\WINDOWS\system32\dlrwpodk.dll 2008-05-14 15:53:04 99392 --a------ C:\WINDOWS\system32\pnfpghrp.dll 2008-05-14 15:02:05 100928 --a------ C:\WINDOWS\system32\ijopyeey.dll 2008-05-12 17:09:28 101440 --a------ C:\WINDOWS\system32\dctnlcen.dll 2008-05-12 16:54:31 100416 --a------ C:\WINDOWS\system32\micgeebl.dll 2008-05-12 16:51:28 53312 --a------ C:\WINDOWS\system32\xbdjsmma.dll 2008-05-11 16:14:40 101952 --a------ C:\WINDOWS\system32\wsnllxfs.dll 2008-05-11 16:11:45 98368 --a------ C:\WINDOWS\system32\iryvsmof.dll 2008-05-11 16:11:38 53312 --a------ C:\WINDOWS\system32\pjkadfoa.dll 2008-05-09 19:42:46 53312 --a------ C:\WINDOWS\system32\pbtnhmny.dll 2008-05-09 19:41:17 98368 --a------ C:\WINDOWS\system32\amnvxknj.dll 2008-05-08 19:49:54 90176 --a------ C:\WINDOWS\system32\eukuayug.dll 2008-05-08 19:46:54 101440 --a------ C:\WINDOWS\system32\ylqcclfh.dll 2008-05-08 19:41:02 99904 --a------ C:\WINDOWS\system32\dcbkflrm.dll 2008-05-08 19:40:54 53312 --a------ C:\WINDOWS\system32\hhfatqea.dll 2008-05-08 13:51:40 1488187 --ahs---- C:\WINDOWS\system32\ywutntxs.ini2 2008-05-08 12:04:33 0 d-------- C:\Documents and Settings\Seden Salih\Application Data\Nero 2008-05-07 19:54:54 96832 --a------ C:\WINDOWS\system32\sxtntuwy.dll 2008-05-07 19:51:55 106560 --a------ C:\WINDOWS\system32\xbnmkufy.dll 2008-05-07 19:42:53 105024 --a------ C:\WINDOWS\system32\eujmxced.dll 2008-05-07 19:39:54 53312 --a------ C:\WINDOWS\system32\xjghxnwh.dll 2008-05-06 19:54:05 108608 --a------ C:\WINDOWS\system32\shxqmcah.dll 2008-05-06 19:37:30 53312 --a------ C:\WINDOWS\system32\nqnlmxow.dll 2008-05-04 11:55:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero 2008-05-04 11:55:07 0 d-------- C:\Program Files\Common Files\Nero 2008-05-04 11:44:32 903071 --ahs---- C:\WINDOWS\system32\PWFLUvut.ini2 2008-05-04 11:40:31 2 --a------ C:\-991102903 2008-05-04 11:39:58 20917 --a------ C:\WINDOWS\system32\es.dat 
2008-05-04 11:39:52 74752 --a------ C:\ryseedt.exe 2008-05-04 11:39:43 43 --a------ C:\Documents and Settings\Seden Salih\RUNME.bat 2008-05-04 11:39:41 38400 --a------ C:\Documents and Settings\Seden Salih\patch.exe 2008-05-04 11:37:23 48 --a------ C:\Documents and Settings\Seden Salih\readme.bat 2008-05-04 11 12 0 d-------- C:\Program Files\AskTBar-- Find3M Report --------------------------------------------------------------- 2008-05-26 19:55:35 0 d-------- C:\Program Files\MSN Messenger 2008-05-26 19:49:56 12 --a------ C:\WINDOWS\bthservsdp.dat 2008-05-26 19:43:02 0 d-------- C:\Program Files\Messenger 2008-05-26 19:42:30 0 d-------- C:\Program Files\Movie Maker 2008-05-26 19:38:56 0 d-------- C:\Program Files\Windows NT 2008-05-26 14:42:52 0 d-------- C:\Program Files\Sonic 2008-05-26 14:37:24 0 d-------- C:\Program Files\Real 2008-05-26 14:37:24 0 d-------- C:\Program Files\Common Files\Real 2008-05-26 14:34:01 0 d-------- C:\Program Files\Common Files\Symantec Shared 2008-05-24 10:35:25 0 d-------- C:\Documents and Settings\Seden Salih\Application Data\Adobe 2008-05-24 10:33:45 1004 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2008-05-23 12:14:51 0 d-------- C:\Program Files\SiteAdvisor 2008-05-20 17:44:51 0 d-------- C:\Program Files\McAfee 2008-05-19 19:32:02 60568 --a----c- C:\Documents and Settings\Seden Salih\Application Data\GDIPFONTCACHEV1.DAT 2008-05-04 11:55:08 0 d-------- C:\Program Files\Nero 2008-05-04 11:55:07 0 d-------- C:\Program Files\Common Files 2008-05-04 11:16:40 0 d-------- C:\Program Files\Common Files\Ahead 2008-05-03 13:25:34 0 d-------- C:\Documents and Settings\Seden Salih\Application Data\BitTorrent 2008-04-21 19:01:43 174 --a------ C:\Documents and Settings\Seden Salih\Application Data\wklnhst.dat 2008-04-21 19:01:36 0 d-------- C:\Documents and Settings\Seden Salih\Application Data\Template 2008-04-10 20:01:26 0 d-------- C:\Program Files\iTunes 2008-04-10 20:00:45 0 d-------- C:\Program Files\iPod 2008-04-10 19:55:02 0 d-------- 
C:\Program Files\QuickTime 2008-04-10 19:45:10 0 d-------- C:\Program Files\Apple Software Update 2008-04-10 19:42:45 0 d-------- C:\Program Files\Common Files\Apple 2008-03-30 16:49:21 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-03-30 16:39:34 0 d-------- C:\Program Files\BlueSprite -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377c180e-6f0e-4d4c-980f-f45bd3d40cf4}] 26/11/2007 10:46 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5cc5b3b6-234e-409b-b0c4-5e8ba79c53d8}] 16/05/2008 12:34 102464 --a------ C:\WINDOWS\system32\yrrbvyny.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aceed890-bb1c-4aba-9717-6845ef9a2404}] C:\WINDOWS\system32\tuvULFWP.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-B432-46fc-9143-B82B832B1B14}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37] "c4ecf8e6"="C:\WINDOWS\system32\txpxtguv.dll" [16/05/2008 12:31] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03/08/2007 23:33] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [24/07/2006 21:28] "McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [30/11/2007 05:42] "BluetoothAuthenticationAgent"="bthprops.cpl" [14/04/2008 01:12 C:\WINDOWS\system32\bthprops.cpl] "BMc7dfcb7a"="C:\WINDOWS\system32\xwmynmej.dll" [17/05/2008 12:25] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 12:54] "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [02/03/2007 00:11] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{88485281-8b4b-4f8d-9ede-82e29a064277}"= 
C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [23/11/2004 16:51 192512] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy] C:\WINDOWS\System32\dimsntfy.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBsqQKE] geBsqQKE.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\tuvULFWP [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533c5b84-ec70-11d2-9505-00c04f79deaf}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk backup=C:\WINDOWS\pss\Broadband Desktop Help.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-GB ee://aol/imApp [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bmc7dfcb7a] Rundll32.exe 
"C:\WINDOWS\system32\amnvxknj.dll",s [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4ecf8e6] rundll32.exe "C:\WINDOWS\system32\eukuayug.dll",b [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] C:\WINDOWS\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNA] "C:\Program Files\BitTorrent_DNA\dna.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gay_Sexy_gb] C:\Program Files\SCom\Dialers\Gay_Sexy_gb\Gay_Sexy_gb.exe /dontdial [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] C:\Program Files\Common Files\AOL\1170175293\ee\AOLSoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] C:\Documents and Settings\Seden Salih\My Documents\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck] %systemroot%\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell] C:\Program Files\Napster\napster.exe /systray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe] NDSTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwinlogon] C:\WINDOWS\winlogon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray] C:\Program 
Files\Samsung\Samsung Media Studio 5\SMSTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Audio Grabber 3.0] "C:\Program Files\BlueSprite\Super Audio Grabber 3.0\SAGrab.exe"/a [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs BthServ eapsvcs eaphost dot3svc dot3svc HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs napagent hkmsvc -- End of Deckard's System Scanner: finished at 2008-05-26 20:05:29 ------------ if there is anything else you need don't hesitate to ask ehab |
#2
Analyst, Security Team
Join Date: Dec 2007
Location: Central Florida
Posts: 51
OS: xp
Re: my mate's malware problem
ehababoud,
Thanks for your patience. Our volunteers are very busy. Your log indicates that you have malware on your system. Let's get started. Please visit this webpage to familiarize yourself with downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. Download ComboFix and place it on your Desktop. Execute ComboFix as follows:
Please post the Combofix log and a new HijackThis log in your next reply. Please also say how your computer is running now. :)
__________________
shaferintl
Links to Free Tools I Use: AVG Antivirus ... Adaware ... Spybot S&D ... Zone Alarm Firewall
Consider donating to help fight the malware wars: Donate Here!
#3
Registered User
Join Date: Jun 2006
Location: London
Posts: 68
OS: XP
Re: my mate's malware problem
Quick question (sorry if this sounds stupid, but I want to make sure so I don't get it wrong): as well as this new ComboFix, you want a new HijackThis log? It's perfectly fine, but I'm just curious. And do I do the HijackThis log after the ComboFix one, or does it matter?
Thanks
#4
Analyst, Security Team
Join Date: Dec 2007
Location: Central Florida
Posts: 51
OS: xp
Re: my mate's malware problem
ehababoud,
Great question! Please run the instructions in the order given: ComboFix followed by a fresh HJT. Thanks!!
__________________
shaferintl
Links to Free Tools I Use: AVG Antivirus ... Adaware ... Spybot S&D ... Zone Alarm Firewall
Consider donating to help fight the malware wars: Donate Here!
#5
Registered User
Join Date: Jun 2006
Location: London
Posts: 68
OS: XP
Re: my mate's malware problem
sorry for the long time replying - had exams but now all is over. first log is the combofix log and the one after is hijackthis. my mate told me that the symptoms originally seen (such as the task bar and desktop icons disappearing) have not showed up and it seems to be running ok i think, but as requested here it is: MY COMBOFIX LOG ComboFix 08-06-07.3 - Seden Salih 2008-06-08 13:07:16.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.448 [GMT 1:00] Running from: C:\Documents and Settings\Seden Salih\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Seden Salih\Desktop\WinXP_EN_HOM_BF.EXE * Created a new restore point * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Seden Salih\Application Data\inst.exe . ((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 ))))))))))))))))))))))))))))))) . 2008-06-07 18:14 . 2008-06-07 18:14 <DIR> d-------- C:\Program Files\DNA 2008-06-07 17:46 . 2008-06-07 18:06 <DIR> d-------- C:\Documents and Settings\Seden Salih\Application Data\Azureus 2008-06-07 17:46 . 2008-06-07 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus 2008-06-04 17:31 . 2008-06-06 14:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-06-04 17:31 . 2008-06-04 17:31 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-26 19:59 . 2008-05-26 19:59 <DIR> d-------- C:\Deckard 2008-05-26 19:42 . 2008-05-26 19:42 <DIR> d-------- C:\WINDOWS\system32\scripting 2008-05-26 19:42 . 2008-05-26 19:42 <DIR> d-------- C:\WINDOWS\system32\en 2008-05-26 19:42 . 2008-05-26 19:42 <DIR> d-------- C:\WINDOWS\system32\bits 2008-05-26 19:42 . 2008-05-26 19:42 <DIR> d-------- C:\WINDOWS\l2schemas 2008-05-26 19:39 . 2008-05-26 19:39 <DIR> d-------- C:\WINDOWS\ServicePackFiles 2008-05-26 19:29 . 2008-05-26 19:29 <DIR> d-------- C:\WINDOWS\EHome 2008-05-26 19:20 . 
2008-04-14 01:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll 2008-05-26 19:19 . 2008-04-14 01:11 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll 2008-05-26 18:16 . 2008-05-26 18:16 <DIR> d-------- C:\ie-spyad_zo 2008-05-26 17:57 . 2008-06-01 19:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-05-26 17:56 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX 2008-05-26 15:18 . 2008-05-26 15:18 <DIR> d-------- C:\Program Files\Panda Security 2008-05-24 18:53 . 2008-05-24 18:53 32 --a------ C:\WINDOWS\CD_Start.INI 2008-05-24 18:47 . 2008-05-24 18:47 268 --ah----- C:\sqmdata19.sqm 2008-05-24 18:46 . 2008-05-24 18:46 244 --ah----- C:\sqmnoopt19.sqm 2008-05-24 10:32 . 2008-05-24 10:32 268 --ah----- C:\sqmdata18.sqm 2008-05-24 10:32 . 2008-05-24 10:32 244 --ah----- C:\sqmnoopt18.sqm 2008-05-23 18:46 . 2008-05-23 18:46 244 --ah----- C:\sqmnoopt17.sqm 2008-05-23 18:46 . 2008-05-23 18:46 232 --ah----- C:\sqmdata17.sqm 2008-05-18 09:15 . 2008-05-18 09:15 <DIR> d-------- C:\Program Files\Managed DirectX (0901) 2008-05-17 16:29 . 2008-05-17 16:29 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor 2008-05-17 14:19 . 2008-05-17 14:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor 2008-05-17 14:19 . 2008-05-17 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2008-05-17 14:17 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll 2008-05-17 12:29 . 2008-05-17 12:29 285 --a------ C:\WINDOWS\system32\MRT.INI 2008-05-12 16:51 . 2008-05-12 16:51 53,312 --a------ C:\WINDOWS\system32\xbdjsmma.dll 2008-05-11 16:11 . 2008-05-11 16:11 53,312 --a------ C:\WINDOWS\system32\pjkadfoa.dll 2008-05-11 15:14 . 2008-05-11 15:14 294 ---hs---- C:\WINDOWS\system32\vvlllhin.ini 2008-05-09 19:42 . 2008-05-09 19:42 53,312 --a------ C:\WINDOWS\system32\pbtnhmny.dll 2008-05-09 18:02 . 
2008-05-09 18:02 268 --ah----- C:\sqmdata16.sqm 2008-05-09 18:02 . 2008-05-09 18:02 244 --ah----- C:\sqmnoopt16.sqm 2008-05-08 19:40 . 2008-05-08 19:40 53,312 --a------ C:\WINDOWS\system32\hhfatqea.dll 2008-05-08 12:06 . 2008-05-08 12:06 0 --a------ C:\WINDOWS\Irremote.ini 2008-05-08 12:04 . 2008-05-08 12:04 <DIR> d-------- C:\Documents and Settings\Seden Salih\Application Data\Nero . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-08 12:04 --------- d-----w C:\Documents and Settings\Seden Salih\Application Data\DNA 2008-06-08 11:27 47,360 -c--a-w C:\Documents and Settings\Seden Salih\Application Data\pcouffin.sys 2008-06-08 11:27 --------- d-----w C:\Program Files\vso 2008-06-08 11:27 --------- d-----w C:\Documents and Settings\Seden Salih\Application Data\Vso 2008-06-07 18:38 --------- d-----w C:\Documents and Settings\Seden Salih\Application Data\BitTorrent 2008-06-03 15:05 --------- d-----w C:\Documents and Settings\Seden Salih\Application Data\SiteAdvisor 2008-06-02 14:06 --------- d-----w C:\Program Files\BitTorrent 2008-05-27 10:39 --------- d-----w C:\Program Files\AskTBar 2008-05-26 18:55 --------- d-----w C:\Program Files\MSN Messenger 2008-05-26 13:42 --------- d-----w C:\Program Files\Sonic 2008-05-26 13:37 --------- d-----w C:\Program Files\Real 2008-05-26 13:37 --------- d-----w C:\Program Files\Common Files\Real 2008-05-26 13:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-05-23 11:14 --------- d-----w C:\Program Files\SiteAdvisor 2008-05-20 16:44 --------- d-----w C:\Program Files\McAfee 2008-05-19 18:32 60,568 -c--a-w C:\Documents and Settings\Seden Salih\Application Data\GDIPFONTCACHEV1.DAT 2008-05-17 13:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee 2008-05-17 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-05-07 18:39 53,312 ----a-w 