[Fixed] Hijackthis! Logs: Brother got his pc full of cr*p again
  #1  
Old 12-02-2007
Ge64
Join Date: Oct 2005
Location: Hong Kong
Posts: 234
PC Experience: Good at least
Brother got his pc full of cr*p again

Well, I just reinstalled everything recently so now I'd like to attempt to clean it instead. It's overflowing with malware, including a virus scanner nobody knows (bestseller) :P I followed all the instructions, but AVG wouldn't make a report (yes, I set it up correctly...). Also, I have 2 logs for SAS because my brother closed it after scanning the first time. CCleaner managed to delete everything, no problems. Could you take a look at it? I want to remove everything that has anything to do with, or can cause, malware. Thanks!
Attached Files
File Type: txt hijackthis.log.txt (10.9 KB, 2 views)
File Type: txt saslog1.txt (20.1 KB, 1 views)
File Type: txt saslog2.txt (3.1 KB, 0 views)


  #2  
Old 12-02-2007
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,948
PC Experience: Elite PC Guru
Re: Brother got his pc full of cr*p again

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

=========================================
This will help to identify any malware on your system.
Please download Combofix from HERE or HERE
Save ComboFix to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.


  #3  
Old 12-05-2007
Ge64
Join Date: Oct 2005
Location: Hong Kong
Posts: 234
PC Experience: Good at least
Re: Brother got his pc full of cr*p again

SDFix: Version 1.116

Run by Administrator on Wed 12/05/2007 at 10:24 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\X.DAT - Deleted
C:\Z.DAT - Deleted
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk - Deleted
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk - Deleted
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\abW9\tOasF.log - Deleted
C:\WINDOWS\mrofinu1000137.exe.tmp - Deleted
C:\Program Files\Insider\UnInstall.exe - Deleted
C:\n.bat - Deleted
C:\d.exe - Deleted
C:\winlogon.exe - Deleted
C:\WINDOWS\mrofinu1000137.exe.tmp - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\netstat.com - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\regedit.com - Deleted
C:\WINDOWS\system32\taskkill.com - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted
C:\WINDOWS\system32\WINLOGO.EXE - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt


Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Insider - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\WinAble - Removed
Folder C:\Temp\abW9 - Removed
Folder C:\Temp\1cb - Removed
Folder C:\WINDOWS\system32\rMa07yy - Removed
Folder C:\WINDOWS\system32\X4 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 10:27:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,94,4a,73,82,ec,ae,35,aa,84,50,6e,3e,ee,da,e9,4b,53,..
"hj34z0"=hex:da,7c,58,35,2b,0d,78,4a,d3,97,fe,3f,c0,bd,14,1e,a8,d5,7e,47,ef,..
"hj34z1"=hex:6c,7c,58,35,53,0d,78,4a,d2,97,ff,3f,c1,bd,14,1e,a8,d5,7e,47,df,..
"hj34z2"=hex:6c,7c,58,35,53,0d,78,4a,d2,97,ff,3f,c1,bd,14,1e,a8,d5,7e,47,df,..
"hj34z3"=hex:6c,7c,5c,35,53,0d,78,4a,d2,97,fa,b7,41,bd,14,1e,a9,d5,78,4c,cb,..
"hj34z4"=hex:6c,7c,58,35,53,0d,78,4a,d2,97,ff,3f,c1,bd,14,1e,a8,d5,7e,47,df,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}]
"DisplayName"="DAEMON Tools"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\guus92_05@hotmail.com\SharingMetadata\cola_lover_99@hotmail.com\DFSR\Staging\CS{B4D3E40E-6717-E43C-C34E-ED0DD326EA95}\01\12-{B4D3E40E-6717-E43C-C34E-ED0DD326EA95}-v1-{4D128E8B-552A-4CC3-8FE3-D0463F7E7A66}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\guus92_05@hotmail.com\SharingMetadata\power-floh@msn.com\DFSR\Staging\CS{4AF591A0-AC21-A5A5-76DC-07B4169440E2}\01\10-{4AF591A0-AC21-A5A5-76DC-07B4169440E2}-v1-{4D128E8B-552A-4CC3-8FE3-D0463F7E7A66}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\(uTorrent)\\utorrent.exe"="C:\\Program Files\\(uTorrent)\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\avprevgv.exe"="C:\\WINDOWS\\system32\\avp"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\sdfix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 1 Dec 2007 20,810 ..SH. --- "C:\WINDOWS\system32\npdtubdv.dllbox"
Mon 19 Feb 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 17 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\573b8bee2d25ffedabde94732ae6dbae\BIT2.tmp"
Thu 29 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a53bf224a188f23c622431aa5c569c34\BITB.tmp"

Finished!


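Two things in that SDFix report are worth more than a glance. First, the "Trojan Files Found" list contains cmd.com, regedit.com, netstat.com, ping.com, taskkill.com, tasklist.com and tracert.com in C:\WINDOWS\system32. When you type a bare name such as regedit at a command prompt, cmd.exe searches each directory on PATH for the name with every PATHEXT extension in turn, and the default PATHEXT starts .COM;.EXE;.BAT;.CMD, so a planted regedit.com in system32 (which precedes C:\WINDOWS on the default PATH) runs instead of the real regedit.exe. That is how this kind of infection hijacks the very tools you would use to clean it by hand. Second, the "Authorized Application Key Export" is the XP firewall exception list; each value is path:scope:Enabled:name, and the avprevgv.exe entry is a random-looking name in system32 with a value that does not even have that shape. The following is an added example of mine, not SDFix's code, that reads a constructed excerpt in the report's format and flags both patterns. The list of tool names, the shadowing extensions and the small allow-list of system32 binaries are my assumptions.

```python
import re

# Constructed excerpt in the SDFix report format (a subset of the post above).
SDFIX_EXCERPT = r"""
Trojan Files Found:

C:\X.DAT - Deleted
C:\winlogon.exe - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\netstat.com - Deleted
C:\WINDOWS\system32\regedit.com - Deleted
C:\WINDOWS\system32\taskkill.com - Deleted
C:\WINDOWS\system32\WINLOGO.EXE - Deleted

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\avprevgv.exe"="C:\\WINDOWS\\system32\\avp"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"""

# Assumption: tools an analyst runs by bare name. A .com/.bat/.cmd/.pif/.scr
# with one of these stems in a system directory shadows the real .exe
# because .COM precedes .EXE in the default PATHEXT.
SHADOWABLE_TOOLS = {"cmd", "regedit", "netstat", "ping", "taskkill",
                    "tasklist", "tracert", "msconfig", "notepad", "explorer"}
SHADOW_EXTS = {".com", ".bat", ".cmd", ".pif", ".scr"}

# Assumption: system32 binaries XP legitimately lists in its firewall exceptions.
KNOWN_SYSTEM32_EXCEPTIONS = {"sessmgr.exe"}

FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - Deleted\s*$")
FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]*)"\s*$')


def find_tool_shadows(report):
    """Return {tool stem: path} for deleted files that shadow a standard tool."""
    hits = {}
    for line in report.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        stem, dot, ext = name.rpartition(".")
        if dot and stem in SHADOWABLE_TOOLS and "." + ext in SHADOW_EXTS:
            hits[stem] = path
    return hits


def parse_fw_value(val):
    """Split an XP firewall exception value into (path, scope, state, name).

    The path contains a ':' after the drive letter, so split from the right:
    the last three ':'-separated fields are scope, state and display name.
    Returns None when the value does not have that shape.
    """
    parts = val.replace("\\\\", "\\").rsplit(":", 3)
    if len(parts) != 4 or parts[2].lower() not in ("enabled", "disabled"):
        return None
    return tuple(parts)


def suspicious_fw_exceptions(report):
    """Return {exe name: reason} for firewall exceptions worth a second look."""
    findings = {}
    for line in report.splitlines():
        m = FW_LINE.match(line.strip())
        if not m:
            continue
        key = m.group("key").replace("\\\\", "\\")
        exe = key.rsplit("\\", 1)[-1].lower()
        parsed = parse_fw_value(m.group("val"))
        if parsed is None:
            findings[exe] = "malformed value (not path:scope:state:name)"
        elif "\\system32\\" in key.lower() and exe not in KNOWN_SYSTEM32_EXCEPTIONS:
            findings[exe] = "unknown binary in system32 allowed through the firewall"
    return findings


if __name__ == "__main__":
    for stem, path in sorted(find_tool_shadows(SDFIX_EXCERPT).items()):
        print(f"{stem:<10} shadowed by {path}")
    for exe, reason in suspicious_fw_exceptions(SDFIX_EXCERPT).items():
        print(f"{exe:<16} {reason}")
```

Feed it the full Report.txt instead of the excerpt and it will also pick up ping.com, tasklist.com and tracert.com; LimeWire and the MSN/Skype entries parse cleanly and are left alone, since a well-formed exception for a known P2P client is a policy question rather than a sign of tampering.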
  #4  
Old 12-05-2007
Ge64
Join Date: Oct 2005
Location: Hong Kong
Posts: 234
PC Experience: Good at least
Re: Brother got his pc full of cr*p again

ComboFix 07-12-04.3 - Administrator 2007-12-05 10:38:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\install.exe
C:\Program Files\outlook
C:\UGA6P
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\npdtubdv.dllbox
C:\WINDOWS\system32\o2
C:\WINDOWS\system32\o2\banedll2.exe
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\z1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR


((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-05 10:23 . 2007-12-05 10:23 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-03 12:30 . 2007-12-03 12:30 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2007-12-03 12:30 . 2007-12-05 10:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-12-03 12:28 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-03 12:27 . 2007-12-03 12:28 <DIR> d-------- C:\Program Files\Java
2007-12-03 12:26 . 2007-12-03 12:28 <DIR> d-------- C:\Program Files\LimeWire
2007-12-03 12:26 . 2007-12-03 12:26 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-01 04:35 . 2007-12-01 04:35 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-01 04:03 . 2007-12-01 04:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-01 03:53 . 2006-09-06 00:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-01 03:52 . 2007-12-02 04:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-01 03:52 . 2007-12-01 03:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-01 03:52 . 2007-12-01 03:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-01 03:37 . 2007-12-01 03:37 167 --a------ C:\Documents and Settings\Administrator\2514.bat
2007-12-01 03:04 . 2007-12-01 03:04 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-29 13:21 . 2007-12-01 03:37 776,177 ---hs---- C:\WINDOWS\system32\nglsbncj.ini
2007-11-29 03:29 . 2007-11-29 03:29 167 --a------ C:\Documents and Settings\Administrator\8931.bat
2007-11-28 13:20 . 2007-11-29 13:21 772,637 ---hs---- C:\WINDOWS\system32\quvdjhjs.ini
2007-11-27 13:15 . 2007-11-28 13:16 781,212 ---hs---- C:\WINDOWS\system32\hcoagpcm.ini
2007-11-27 13:10 . 2007-11-27 13:10 167 --a------ C:\Documents and Settings\Administrator\2326.bat
2007-11-27 13:08 . 2007-11-27 13:08 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-27 13:08 . 2007-11-27 13:08 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-26 14:22 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-26 13:48 . 2007-11-27 13:09 780,311 ---hs---- C:\WINDOWS\system32\dfxhjjyv.ini
2007-11-26 12:17 . 2007-11-26 12:17 167 --a------ C:\Documents and Settings\Administrator\9266.bat
2007-11-25 13:19 . 2007-12-01 03:37 36,864 --a------ C:\Documents and Settings\Administrator\winlogo.exe
2007-11-25 13:19 . 2007-11-25 13:19 167 --a------ C:\Documents and Settings\Administrator\2526.bat
2007-11-25 12:42 . 2007-12-01 13:57 99,166 --ahs---- C:\WINDOWS\system32\knnmp.ini2
2007-11-25 12:42 . 2007-12-01 13:56 99,166 --ahs---- C:\WINDOWS\system32\knnmp.ini
2007-11-25 12:37 . 2007-11-25 12:37 531 --a------ C:\WINDOWS\system32\z.dat
2007-11-25 12:37 . 2007-11-25 12:37 293 --a------ C:\WINDOWS\system32\x.dat
2007-11-25 12:37 . 2007-11-25 12:37 167 --a------ C:\WINDOWS\system32\8712.bat
2007-11-25 12:36 . 2007-12-05 10:27 <DIR> d-------- C:\Temp
2007-11-25 12:36 . 2007-11-25 12:42 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-25 10:17 . 2007-11-25 10:34 286,720 --a------ C:\WINDOWS\iun506.exe
2007-11-20 13:01 . 2006-09-17 06:49 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-11-20 12:48 . 2006-09-17 06:49 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 12:14 --------- d-----w C:\Program Files\Marvell
2008-01-04 12:13 --------- d-----w C:\Program Files\Mavell
2008-01-04 06:44 --------- d-----w C:\Program Files\ASUS Motherboard
2008-01-04 06:44 --------- d-----w C:\Program Files\ASUS Graphics Driver
2008-01-04 06:39 --------- d-----w C:\Program Files\Microsoft Works
2008-01-04 06:38 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-04 06:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-04 06:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-04 06:10 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2008-01-04 06:10 --------- d-----w C:\Program Files\Skype
2008-01-04 06:10 --------- d-----w C:\Program Files\KGB Archiver
2008-01-04 06:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-01-04 06:09 --------- d-----w C:\Program Files\Symantec
2008-01-04 06:09 --------- d-----w C:\Program Files\SiSoftware
2008-01-04 06:07 --------- d-----w C:\Program Files\Paint.NET
2008-01-04 06:02 --------- d-----w C:\Program Files\Nero
2008-01-04 06:02 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-04 06:01 --------- d---a-w C:\Program Files\(uTorrent)
2008-01-04 06:01 --------- d---a-w C:\Program Files\(Media Player Classic)
2008-01-04 06:01 --------- d---a-w C:\Program Files\(IE7_Standalone)
2008-01-04 06:01 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-04 06:00 39,488 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-01-04 06:00 --------- d---a-w C:\Program Files\Google
2008-01-04 06:00 --------- d---a-w C:\Program Files\(Gspot)
2008-01-04 06:00 --------- d---a-w C:\Program Files\(CWSRemover)
2008-01-04 06:00 --------- d---a-w C:\Program Files\(cpuz)
2008-01-04 06:00 --------- d-----w C:\Program Files\D-Tools
2008-01-04 06:00 --------- d-----w C:\Program Files\CloneDVD
2008-01-04 06:00 --------- d-----w C:\Program Files\CCleaner
2008-01-04 05:59 --------- d-----w C:\Program Files\WinAVIVideoConverter
2008-01-04 05:59 --------- d-----w C:\Program Files\SlySoft
2008-01-04 05:59 --------- d-----w C:\Program Files\Alcohol Soft
2008-01-04 05:58 --------- d-----w C:\Program Files\Lavasoft
2008-01-04 05:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-04 05:57 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-04 05:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-04 05:52 --------- d-----w C:\Program Files\7-Zip
2008-01-04 05:41 --------- d-----w C:\Program Files\WPIclose
2008-01-04 05:39 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-01-04 05:39 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-01-04 05:37 --------- d-----w C:\Program Files\eXPerience
2008-01-04 05:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-01 20:43 --------- d---a-w C:\Program Files\(HijackThis)
2007-12-01 03:45 --------- d-----w C:\Program Files\Logitech
2007-11-30 19:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-30 19:11 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-14 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-12 05:28 --------- d-----w C:\Program Files\iTunes
2007-11-12 05:27 --------- d-----w C:\Program Files\iPod
2007-10-31 06:09 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-22 20:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SlySoft
2007-10-14 08:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-10-14 08:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-12 19:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-12 19:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-10-07 04:07 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-10-07 04:04 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2007-10-07 04:03 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-10-07 04:03 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-10-07 04:03 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-10-07 04:03 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-10-07 04:03 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-10-07 04:03 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-10-07 04:03 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-10-07 04:03 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-10-07 04:03 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2007-10-07 00:25 --------- d-----w C:\Program Files\Avanquest update
2007-10-05 03:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76C79E8C-DE23-4987-8CB9-8D05579B94F8}]
C:\PROGRAM FILES\LOGITECH\HONE83122.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-23 16:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-10-01 20:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 11:42 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2006-10-01 20:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-09-02 02:54 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-10-01 20:00 C:\WINDOWS\system32\rundll32.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-21 01:12]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 10:12]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 12:03]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 C:\WINDOWS\KHALMNPR.Exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-08-03 09:44]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-08-03 13:29]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-14 02:29]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"e4c1f26f"="C:\WINDOWS\system32\jcnbslgn.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-12-01 03:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 22:19:14]
Zapu Acceleration Engine.lnk - C:\Program Files\Zapu\Zapu\wincm.exe [2007-05-20]
Zapu.lnk - C:\Program Files\Zapu\Zapu\wDivi.exe [2007-05-20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-04 13:57:52]
Java SATARaid.lnk - C:\Program Files\Silicon Image\Java SATARaid\run.bat [2007-02-23 16:50:32]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-23 16:19:36]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-01-06 05:37:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys
R0 ndisrd;ndisrd;C:\WINDOWS\system32\drivers\ndisrd.sys
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
R3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 01:42:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-05 02:31:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 10:53:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-05 10:55:48 - machine was rebooted
.
--- E O F ---


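Before Pancake's reply, it is worth seeing why the ComboFix log reads the way it does to an analyst. In the "Files Created" section, a handful of entries share traits that no legitimate installer produces: eight-letter consonant-soup names such as nglsbncj.ini, quvdjhjs.ini, hcoagpcm.ini and dfxhjjyv.ini, all in system32, all ~775 KB, all created a day apart with hidden+system attributes (the ---hs---- column); digit-only .bat files in the Administrator profile that are all exactly 167 bytes (the same dropper script written repeatedly); and an HKLM Run value named with eight hex digits (e4c1f26f) that points rundll32 at a random-named DLL and, unlike every other Run entry, shows an empty [] where ComboFix normally records the target's timestamp. The following is an added example of mine, not ComboFix's code, that parses a constructed excerpt in the log's format and scores entries on those traits. The "looks random" rule, the weights and the thresholds are my assumptions; they are tuned to this log and will need adjusting for others.

```python
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's log format (a subset of the post above).
COMBOFIX_EXCERPT = r"""
2007-12-03 12:28 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-01 03:37 . 2007-12-01 03:37 167 --a------ C:\Documents and Settings\Administrator\2514.bat
2007-11-29 13:21 . 2007-12-01 03:37 776,177 ---hs---- C:\WINDOWS\system32\nglsbncj.ini
2007-11-29 03:29 . 2007-11-29 03:29 167 --a------ C:\Documents and Settings\Administrator\8931.bat
2007-11-28 13:20 . 2007-11-29 13:21 772,637 ---hs---- C:\WINDOWS\system32\quvdjhjs.ini
2007-11-27 13:10 . 2007-11-27 13:10 167 --a------ C:\Documents and Settings\Administrator\2326.bat
2007-11-26 14:22 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-25 12:42 . 2007-12-01 13:56 99,166 --ahs---- C:\WINDOWS\system32\knnmp.ini
2007-11-25 12:36 . 2007-12-05 10:27 <DIR> d-------- C:\Temp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 11:42 C:\WINDOWS\SOUNDMAN.EXE]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"e4c1f26f"="C:\WINDOWS\system32\jcnbslgn.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-12-01 03:55]
"""

FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attr>[-a-z]{9})\s+(?P<path>[A-Za-z]:\\.+)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')

VOWELS = set("aeiou")


def looks_random(stem):
    """Assumed rule: 5+ letters, no digits, with a run of 4+ consonants.
    The no-digits clause keeps names like msxml3a and d3d8caps out."""
    stem = stem.lower()
    if len(stem) < 5 or not stem.isalpha():
        return False
    run = best = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best >= 4


def parse_files(log):
    """Yield (path, size or None for <DIR>, attribute string) per file line."""
    rows = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            rows.append((m["path"], size, m["attr"]))
    return rows


def score_file(path, attr):
    """Assumed weights: random name 2, hidden+system file 2, under system32 1."""
    name = path.rsplit("\\", 1)[-1]
    stem = name.rpartition(".")[0] or name
    score = 0
    if looks_random(stem):
        score += 2
    if "h" in attr and "s" in attr and "d" not in attr:
        score += 2
    if "\\system32\\" in path.lower():
        score += 1
    return score


def flagged_files(log, threshold=4):
    """Return {path: score} for file lines at or above the threshold."""
    out = {}
    for path, _size, attr in parse_files(log):
        s = score_file(path, attr)
        if s >= threshold:
            out[path] = s
    return out


def dropper_batch_clusters(log, min_count=3):
    """Digit-only .bat names sharing one exact byte size: the same script dropped repeatedly."""
    groups = defaultdict(list)
    for path, size, _attr in parse_files(log):
        name = path.rsplit("\\", 1)[-1].lower()
        stem, _, ext = name.rpartition(".")
        if ext == "bat" and stem.isdigit() and size is not None:
            groups[size].append(path)
    return {size: paths for size, paths in groups.items() if len(paths) >= min_count}


def suspicious_run_entries(log):
    """Run values with a bare-hex name, a random-looking target, or an empty [] stamp."""
    out = {}
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if re.fullmatch(r"[0-9a-f]{6,}", m["name"].lower()):
            reasons.append("hex-only value name")
        target_stem = m["target"].rsplit("\\", 1)[-1].rpartition(".")[0]
        if looks_random(target_stem):
            reasons.append("random-looking target name")
        if not m["stamp"].strip():
            reasons.append("no file stamp recorded")
        if reasons:
            out[m["name"]] = reasons
    return out
```

Run against the whole log, the three checks between them pick out every item Pancake tells the poster to remove in the next reply: the four .ini files, knnmp.ini and knnmp.ini2, the six numbered .bat files, and the e4c1f26f Run value with its jcnbslgn.dll. They also leave javacpl.cpl, msxml3a.dll and the vendor Run entries alone, which is the point of combining signals rather than relying on the name alone.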
  #5  
Old 12-05-2007
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,948
PC Experience: Elite PC Guru
Re: Brother got his pc full of cr*p again

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

O2 - BHO: (no name) - {76C79E8C-DE23-4987-8CB9-8D05579B94F8} - C:\PROGRAM FILES\LOGITECH\HONE83122.DLL (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [e4c1f26f] rundll32.exe "C:\WINDOWS\system32\jcnbslgn.dll",b
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe

=======================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
KillAll::
File::
C:\WINDOWS\system32\nglsbncj.ini
C:\Documents and Settings\Administrator\8931.bat
C:\WINDOWS\system32\quvdjhjs.ini
C:\WINDOWS\system32\hcoagpcm.ini
C:\Documents and Settings\Administrator\2326.bat
C:\WINDOWS\system32\dfxhjjyv.ini
C:\Documents and Settings\Administrator\9266.bat
C:\Documents and Settings\Administrator\winlogo.exe
C:\Documents and Settings\Administrator\2526.bat
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\z.dat
C:\WINDOWS\system32\x.dat
C:\WINDOWS\system32\8712.bat
C:\PROGRAM FILES\LOGITECH\HONE83122.DLL
Folder::
C:\Temp
C:\Program Files\outlook
C:\Program Files\WinAble
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76C79E8C-DE23-4987-8CB9-8D05579B94F8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e4c1f26f"=-
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


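A note on the CFScript format in that reply, since it is easy to get subtly wrong. ComboFix reads the file as a sequence of Section:: headers, each followed by one entry per line. File:: and Folder:: take absolute paths. Registry:: uses REGEDIT4 syntax: [-HKEY...] deletes the whole key, a header without the minus ([HKEY...]) only creates or selects the key so that the value lines under it apply, and "name"=- under a selected key deletes that one value. So in the script above the BHO key is removed outright, while under the Run key only the e4c1f26f value goes and the rest of the Run entries survive. The two classic slips are dropping the minus (the BHO key would then be left in place and nothing would tell you) and writing a "name"=- line before any key header. The following is an added example of mine, not ComboFix's parser, that turns a CFScript into a list of concrete actions and refuses those slips; the section names are the ones the reply uses, and the action labels and error messages are my own.

```python
import re

# The CFScript from the reply above, verbatim (assumed complete for this example).
CFSCRIPT = r"""KillAll::
File::
C:\WINDOWS\system32\nglsbncj.ini
C:\Documents and Settings\Administrator\8931.bat
C:\PROGRAM FILES\LOGITECH\HONE83122.DLL
Folder::
C:\Temp
C:\Program Files\WinAble
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76C79E8C-DE23-4987-8CB9-8D05579B94F8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e4c1f26f"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>HK[A-Z_]+\\.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption: only the sections this thread uses; anything else is rejected.
PATH_SECTIONS = {"File", "Folder"}
FLAG_SECTIONS = {"KillAll"}


class CFScriptError(ValueError):
    pass


def parse_cfscript(text):
    """Return a list of (action, target) tuples, or raise CFScriptError."""
    actions = []
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current_key = None
            if section in FLAG_SECTIONS:
                actions.append((section.lower(), None))
            elif section not in PATH_SECTIONS and section != "Registry":
                raise CFScriptError(f"line {lineno}: unknown section {section}::")
            continue
        if section is None:
            raise CFScriptError(f"line {lineno}: entry before any section header")
        if section in PATH_SECTIONS:
            if not ABS_PATH_RE.match(line):
                raise CFScriptError(f"line {lineno}: {section}:: entries must be absolute paths")
            actions.append((f"delete_{section.lower()}", line))
            continue
        # Registry:: section, REGEDIT4 semantics.
        km = KEY_RE.match(line)
        if km:
            current_key = km["key"]
            if km["delete"]:
                actions.append(("delete_key", current_key))
                current_key = None  # value lines after a deleted key make no sense
            continue
        vm = VALUE_RE.match(line)
        if vm:
            if current_key is None:
                raise CFScriptError(f"line {lineno}: value line without a preceding [KEY] header")
            if vm["data"] == "-":
                actions.append(("delete_value", f"{current_key}\\{vm['name']}"))
            else:
                actions.append(("set_value", f"{current_key}\\{vm['name']}={vm['data']}"))
            continue
        raise CFScriptError(f"line {lineno}: unrecognised Registry:: line: {line}")
    return actions


def unresolved_key_headers(text):
    """Keys selected with [KEY] but followed by no value line: almost always a
    missing '-', and the key would be created or left untouched, not removed."""
    warnings = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        km = KEY_RE.match(line)
        if km and not km["delete"]:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if not VALUE_RE.match(nxt):
                warnings.append(km["key"])
    return warnings
```

For the script in the reply, parse_cfscript yields one killall, three delete_file, two delete_folder, one delete_key and one delete_value action, and unresolved_key_headers returns nothing. Strip the minus from the BHO line and the parser still accepts the file, but the warning function names the key, which is exactly the case a human reviewer tends to miss.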
