PC Help Forum - Free Computer Help, Windows, Hardware, Software and more!
 
#1
Old 2 Weeks Ago
joeyfine
Tech Support Team
Posts: 335
PC Experience: Support
Location: Akron, Ohio
My Brother is Stupid

if someone can help with my bros HJT log i would be very thankful....

his malware issues are pretty nuts.


Logfile of HijackThis v1.99.1
Scan saved at 7:43:05 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - C:\WINDOWS\system32\opnMcbYR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CF9AB3DF-D08C-410A-A0C2-A7EFDF4726BA} - C:\WINDOWS\system32\geBsqNGW.dll (file missing)
O2 - BHO: DVA Storm - {EFA665C4-6D72-4B8B-8286-045E879FCAE8} - C:\WINDOWS\qnmargolktr.dll
O3 - Toolbar: dpevflbg - {87F195A2-E583-4FE1-9649-3333E6FE1A61} - C:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [a09a5c10] rundll32.exe "C:\WINDOWS\system32\trnhsnll.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{465CE279-BB7B-49DE-AB45-CD8E169E01C1}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A84F197A-A7D3-43FF-85FB-6277E411A95C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: opnMcbYR - C:\WINDOWS\SYSTEM32\opnMcbYR.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: vadokmxt - {3D6FAE28-9B11-4166-AF2D-92C093488F2D} - C:\WINDOWS\vadokmxt.dll
O21 - SSODL: wdpoefan - {1FC92F59-9D38-4229-A4B3-D4B8DE381711} - C:\WINDOWS\wdpoefan.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

Attached Files
File Type: log hijackthis.log (4.9 KB, 7 views)
__________________
~ Joseph
Desktop Support Analyst
MCSA, CCNA, A+ Certified.


Last edited by Pancake : 2 Weeks Ago at 06:22 AM. Reason: Attachment removed.
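A log like the one above is usually read by eye, but the patterns the helpers in this thread look for (a BHO with "(no name)", a "(file missing)" registration, a DLL dropped straight into C:\WINDOWS, an eight-hex-digit Run key loading a vowel-free DLL through rundll32, a Policies\Explorer\Run autorun) can be pre-screened mechanically. The script below is an added example written for this thread, not HijackThis code and not anything the forum itself ships. The input lines are copied from the logs posted in this thread; the flag names and the heuristics behind them are assumptions chosen for the example, and "random-name" in particular will produce false positives on some legitimate short file names, so it is a triage aid, not a verdict.

```python
"""Triage helper for HijackThis-format log lines.

Added example for this thread (not HijackThis code and not the forum's own
tooling).  It parses O2/O3/O4/O20/O21 lines and applies a few heuristics
for the patterns visible in the log above.  Flag names and the heuristics
themselves are assumptions chosen for this example, not an official scheme.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the HijackThis logs posted in this thread,
# reduced to the sections the heuristics cover.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - C:\WINDOWS\system32\opnMcbYR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CF9AB3DF-D08C-410A-A0C2-A7EFDF4726BA} - C:\WINDOWS\system32\geBsqNGW.dll (file missing)
O3 - Toolbar: dpevflbg - {87F195A2-E583-4FE1-9649-3333E6FE1A61} - C:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [a09a5c10] rundll32.exe "C:\WINDOWS\system32\trnhsnll.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [XCHK1U0qoV] C:\Documents and Settings\All Users\Application Data\iryxwjsr\qlapgzql.exe
O20 - Winlogon Notify: opnMcbYR - C:\WINDOWS\SYSTEM32\opnMcbYR.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: vadokmxt - {3D6FAE28-9B11-4166-AF2D-92C093488F2D} - C:\WINDOWS\vadokmxt.dll
"""


@dataclass
class Entry:
    section: str            # O2, O3, O4, O20, O21
    name: str               # BHO/toolbar/run-key name
    path: str               # module or command target, "" if none found
    flags: List[str] = field(default_factory=list)


_O4 = re.compile(r'^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
_OBJ = re.compile(r'^(?P<sec>O21|O2|O3) - [^:]+: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
# A module sitting directly in the Windows root rather than in a subdirectory.
_WINDIR_ROOT = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+\.(dll|exe)$', re.I)
# Run-key names that are just eight hex digits (like the a09a5c10 entry above).
_HEX_NAME = re.compile(r'^[0-9a-f]{8}$')
_MISSING = " (file missing)"


def _command_target(cmd: str) -> str:
    """Extract the file a Run entry actually loads (the DLL for rundll32)."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        cmd = cmd[len("rundll32.exe "):].lstrip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" /", 1)[0]      # unquoted path, drop trailing switches


def _looks_random(stem: str) -> bool:
    """Heuristic for machine-generated file names (an assumption, not a rule):
    lowercase-initial names with a run of two or more capitals (opnMcbYR),
    or seven-plus letters without a single vowel (trnhsnll)."""
    if not stem.isalpha():
        return False
    if re.match(r'^[a-z].*[A-Z]{2}', stem):
        return True
    return len(stem) >= 7 and not re.search(r'[aeiou]', stem, re.I)


def analyze_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; None for sections this example ignores."""
    line = line.rstrip()
    if m := _O4.match(line):
        e = Entry("O4", m["name"], _command_target(m["cmd"]))
        if _HEX_NAME.match(m["name"]):
            e.flags.append("hex-runkey")
        if "policies\\explorer\\run" in m["where"].lower():
            e.flags.append("policy-run")   # policy autorun key, rarely used legitimately
    elif m := _OBJ.match(line):
        e = Entry(m["sec"], m["name"], m["path"])
        if m["name"] == "(no name)":
            e.flags.append("no-name")
    elif m := _O20.match(line):
        e = Entry("O20", m["name"], m["path"])
    else:
        return None
    if e.path.endswith(_MISSING):
        e.path = e.path[:-len(_MISSING)]
        e.flags.append("file-missing")   # orphaned registration, still worth removing
    if _WINDIR_ROOT.match(e.path):
        e.flags.append("windir-root")
    stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if _looks_random(stem):
        e.flags.append("random-name")
    return e


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that tripped at least one heuristic."""
    entries = (analyze_line(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<32} {e.path}")
```

Run as-is it prints seven flagged lines and stays silent on SDHelper.dll, igfxtray.exe and WPDShServiceObj.dll. The point of separating the parser from the heuristics is that the flag list can be tuned against a known-clean log before it is trusted on a dirty one.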
#2
Old 2 Weeks Ago
Pancake
Senior Security Analyst
Posts: 1,621
PC Experience: Elite PC Guru
Location: Victoria, Australia
Re: My Brother is Stupid

You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.

Please download HijackThis to your desktop.
TrendSecure | Download TrendMicro™ HijackThis™
Alternate link
http://download.bleepingcomputer.com...HJTInstall.exe
This program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Upon install, HijackThis should open for you.
Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

===========================


Please download SDFix from here and save it to your desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.
=================================

Ok. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer.
Please visit this webpage for download links, and instructions for running ComboFix

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

__________________
My real name is Eddy
#3
Old 2 Weeks Ago
joeyfine
Tech Support Team
Posts: 335
PC Experience: Support
Location: Akron, Ohio
Re: My Brother is Stupid

here we go thanks

Attached Files
File Type: log hijackthis.log (5.0 KB, 2 views)
__________________
~ Joseph
Desktop Support Analyst
MCSA, CCNA, A+ Certified.

#4
Old 2 Weeks Ago
Pancake
Senior Security Analyst
Posts: 1,621
PC Experience: Elite PC Guru
Location: Victoria, Australia
Re: My Brother is Stupid

And the Combofix...???

__________________
My real name is Eddy
#5
Old 2 Weeks Ago
joeyfine
Tech Support Team
Posts: 335
PC Experience: Support
Location: Akron, Ohio
Re: My Brother is Stupid

he he sorry here u go


ComboFix 08-04-29.3 - Administrator 2008-04-29 20:54:06.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.803 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.FINELLI-AA7755D\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\XP Antivirus
C:\WINDOWS\ampkfst.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\foxflpd.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\kdeib.exe
C:\WINDOWS\system32\krbvmvkg.ini
C:\WINDOWS\system32\llnshnrt.ini
C:\WINDOWS\system32\opnMcbYR.dll
C:\WINDOWS\system32\WGNqsBeg.ini
C:\WINDOWS\system32\WGNqsBeg.ini2
C:\WINDOWS\system32\yuqoknag.ini
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.
2008-04-29 20:57 . 2008-04-29 20:57 <DIR> d-------- C:\Documents and Settings\Administrator.FINELLI-AA7755D\WINDOWS
2008-04-29 17:26 . 2008-04-29 20:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 17:26 . 2008-04-29 20:55 <DIR> d-------- C:\SDFix
2008-04-29 17:25 . 2008-04-29 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 17:17 . 2008-04-29 17:17 0 --ahs---- C:\WINDOWS\S2A6B0779.tmp
2008-04-27 22:35 . 2008-04-27 22:35 110,592 --a------ C:\WINDOWS\system32\inadahcf.exe
2008-04-27 22:29 . 2008-04-27 22:29 <DIR> d-------- C:\_OTMoveIt
2008-04-27 21:59 . 2008-04-27 21:59 <DIR> d-------- C:\f2019998234629f78eb7d3
2008-04-27 21:06 . 2008-04-27 21:04 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-27 21:06 . 2008-04-27 21:06 2,558 --a------ C:\WINDOWS\unins000.dat
2008-04-27 20:57 . 2008-04-27 20:57 <DIR> d-------- C:\Documents and Settings\Administrator.FINELLI-AA7755D
2008-04-27 20:57 . 2008-04-29 20:59 16,384 --ah----- C:\Documents and Settings\Administrator.FINELLI-AA7755D\ntuser.dat.LOG
2008-04-21 14:07 . 2008-04-21 14:07 <DIR> d-------- C:\Documents and Settings\The Finellis'\Application Data\TmpRecentIcons
2008-04-19 20:35 . 2008-04-19 20:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iryxwjsr
2008-04-19 20:35 . 2008-04-19 06:39 335,872 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-19 20:35 . 2008-04-19 06:39 233,472 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-19 20:35 . 2008-04-19 06:39 184,320 --a------ C:\WINDOWS\dpevflbg.dll
2008-04-19 20:35 . 2008-04-19 06:39 106,496 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-19 20:35 . 2008-04-19 06:39 98,304 --a------ C:\WINDOWS\wxvgsdbq.exe
2008-04-01 17:46 . 2008-04-01 17:46 <DIR> d-------- C:\Documents and Settings\The Finellis'\Application Data\Move Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 02:30 --------- d-----w C:\Program Files\CleanUp!
2008-04-28 01:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-31 00:19 --------- d-----w C:\Program Files\Calendar Creator 7.0
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF9AB3DF-D08C-410A-A0C2-A7EFDF4726BA}]
C:\WINDOWS\system32\geBsqNGW.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 01:55 98304]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-08-15 21:25 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-08-15 21:25 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 21:25 28739]
"a09a5c10"="C:\WINDOWS\system32\trnhsnll.dll" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-15 21:25:16 24633]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"XCHK1U0qoV"= C:\Documents and Settings\All Users\Application Data\iryxwjsr\qlapgzql.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-09-18 09:13]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 20:59:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-29 21:00:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 01:00:25
Pre-Run: 75,122,200,576 bytes free
Post-Run: 75,050,528,768 bytes free
102 --- E O F --- 2008-04-22 11:50:39

Attached Files
File Type: txt log.txt (6.0 KB, 1 views)
__________________
~ Joseph
Desktop Support Analyst
MCSA, CCNA, A+ Certified.


Last edited by Pancake : 2 Weeks Ago at 02:29 AM. Reason: Copied and pasted for better viewing....
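The "Reg Loading Points" section of the ComboFix log above (and the near-identical one in the later run) is a REGEDIT4-style dump, which makes it easy to parse and check mechanically for the three things that matter in this thread: the orphaned BHO registration, the Run value whose file ComboFix printed no size or date for, the Policies\Explorer\Run autorun, and the Security Center override that hides the antivirus status. The script below is an added example for this thread, not ComboFix's own code. Its input is copied from the log above with the extraction spaces removed; the flag names are my own, and reading an empty "[ ]" bracket as "no file found at that path when ComboFix ran" is an assumption made for the example.

```python
"""Audit helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix's own code.  It parses the
REGEDIT4-style dump into (key, name, value, metadata) records and flags
the entries worth a second look.  The flag names are my own, and the
reading of an empty "[ ]" metadata bracket as "ComboFix found no file at
that path" is an assumption made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input copied from the ComboFix log above (extraction spaces removed),
# trimmed to the keys the checks below look at.
SAMPLE_REG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF9AB3DF-D08C-410A-A0C2-A7EFDF4726BA}]
C:\WINDOWS\system32\geBsqNGW.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 01:55 98304]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"a09a5c10"="C:\WINDOWS\system32\trnhsnll.dll" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"XCHK1U0qoV"= C:\Documents and Settings\All Users\Application Data\iryxwjsr\qlapgzql.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""


@dataclass
class RegValue:
    key: str
    name: str                 # "(default)" for a bare path listed under a key
    value: str
    meta: Optional[str]       # text inside the trailing [...] bracket, if any
    flags: List[str] = field(default_factory=list)


_KEY = re.compile(r'^\[(?P<key>.+)\]$')
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<rest>.*)$')
_QUOTED = re.compile(r'^"(?P<v>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?$')
_PATH = re.compile(r'^[A-Za-z]:\\')


def _split_value(rest: str) -> Tuple[str, Optional[str]]:
    """Separate `"value" [meta]` into its parts; dword and bare data pass through."""
    rest = rest.strip()
    if m := _QUOTED.match(rest):
        meta = m["meta"].strip() if m["meta"] is not None else None
        return m["v"], meta
    return rest, None


def parse_loading_points(text: str) -> List[RegValue]:
    """Walk the dump, attaching each value line to the most recent [key]."""
    key, out = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("REGEDIT4", ".") or line.startswith("*"):
            continue
        if m := _KEY.match(line):
            key = m["key"]
        elif m := _VALUE.match(line):
            value, meta = _split_value(m["rest"])
            out.append(RegValue(key, m["name"], value, meta))
        elif key and _PATH.match(line):
            out.append(RegValue(key, "(default)", line, None))  # e.g. the BHO's DLL path
    return out


def audit_loading_points(text: str) -> List[RegValue]:
    """Apply the checks and return only the records that tripped one."""
    findings = []
    for rv in parse_loading_points(text):
        k = rv.key.lower()
        if "browser helper objects" in k:
            rv.flags.append("bho-module")            # cross-check against the HJT O2 lines
        if rv.meta == "":
            rv.flags.append("empty-metadata")        # no size/date: file absent at scan time (assumption)
        if "\\policies\\explorer\\run" in k:
            rv.flags.append("policy-run")            # policy-enforced autorun, rarely legitimate
        if ("security center" in k and rv.name == "AntiVirusOverride"
                and rv.value.lower().endswith("dword:00000001")):
            rv.flags.append("security-center-override")  # AV status warnings silenced
        if rv.flags:
            findings.append(rv)
    return findings


if __name__ == "__main__":
    for f in audit_loading_points(SAMPLE_REG):
        print(f"{', '.join(f.flags):<26} {f.name} = {f.value}")
```

The parser keeps every value, flagged or not, so the same records can be diffed between two ComboFix runs; in this thread the second run's dump is identical apart from the RunOnce key, which is exactly what a clean comparison should show.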
#6
Old 2 Weeks Ago
Pancake
Senior Security Analyst
Posts: 1,621
PC Experience: Elite PC Guru
Location: Victoria, Australia
Re: My Brother is Stupid

Before we can carry on with your cleanup we need to install your Recovery Console.
Go to Microsoft's website => How to obtain Windows XP Setup boot disks
Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please copy and paste the C:\ComboFix.txt along with a new HijackThis log for further review.

Comments on this post
joeyfine agrees: thanks for the help!
__________________
My real name is Eddy
#7
Old 2 Weeks Ago
joeyfine
Tech Support Team
Posts: 335
PC Experience: Support
Location: Akron, Ohio
Re: My Brother is Stupid

he he he here u go


ComboFix 08-04-29.3 - Administrator 2008-04-30 20:30:29.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.811 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.FINELLI-AA7755D\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.FINELLI-AA7755D\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Web\def.htm
.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.
2008-04-29 20:57 . 2008-04-29 20:57 <DIR> d-------- C:\Documents and Settings\Administrator.FINELLI-AA7755D\WINDOWS
2008-04-29 17:26 . 2008-04-29 20:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 17:26 . 2008-04-29 20:55 <DIR> d-------- C:\SDFix
2008-04-29 17:25 . 2008-04-29 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 17:17 . 2008-04-29 17:17 0 ---hs---- C:\WINDOWS\S2A6B0779.tmp
2008-04-27 22:35 . 2008-04-27 22:35 110,592 --a------ C:\WINDOWS\system32\inadahcf.exe
2008-04-27 22:29 . 2008-04-27 22:29 <DIR> d-------- C:\_OTMoveIt
2008-04-27 21:59 . 2008-04-27 21:59 <DIR> d-------- C:\f2019998234629f78eb7d3
2008-04-27 21:06 . 2008-04-27 21:04 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-27 21:06 . 2008-04-27 21:06 2,558 --a------ C:\WINDOWS\unins000.dat
2008-04-27 20:57 . 2008-04-27 20:57 <DIR> d-------- C:\Documents and Settings\Administrator.FINELLI-AA7755D
2008-04-27 20:57 . 2008-04-30 20:29 352,256 --ah----- C:\Documents and Settings\Administrator.FINELLI-AA7755D\ntuser.dat.LOG
2008-04-21 14:07 . 2008-04-21 14:07 <DIR> d-------- C:\Documents and Settings\The Finellis'\Application Data\TmpRecentIcons
2008-04-19 20:35 . 2008-04-19 20:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iryxwjsr
2008-04-19 20:35 . 2008-04-19 06:39 335,872 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-19 20:35 . 2008-04-19 06:39 233,472 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-19 20:35 . 2008-04-19 06:39 184,320 --a------ C:\WINDOWS\dpevflbg.dll
2008-04-19 20:35 . 2008-04-19 06:39 106,496 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-19 20:35 . 2008-04-19 06:39 98,304 --a------ C:\WINDOWS\wxvgsdbq.exe
2008-04-01 17:46 . 2008-04-01 17:46 <DIR> d-------- C:\Documents and Settings\The Finellis'\Application Data\Move Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 02:30 --------- d-----w C:\Program Files\CleanUp!
2008-04-28 01:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-31 00:19 --------- d-----w C:\Program Files\Calendar Creator 7.0
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-29_21.00.17.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 00:58:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 00:26:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF9AB3DF-D08C-410A-A0C2-A7EFDF4726BA}]
C:\WINDOWS\system32\geBsqNGW.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 01:55 98304]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-08-15 21:25 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-08-15 21:25 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 21:25 28739]
"a09a5c10"="C:\WINDOWS\system32\trnhsnll.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-15 21:25:16 24633]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"XCHK1U0qoV"= C:\Documents and Settings\All Users\Application Data\iryxwjsr\qlapgzql.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-09-18 09:13]
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 20:31:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-30 20:31:42
ComboFix-quarantined-files.txt 2008-05-01 00:31:38
ComboFix2.txt 2008-04-30 01:00:28
Pre-Run: 75,048,681,472 bytes free
Post-Run: 75,023,884,288 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
106 --- E O F --- 2008-04-22 11:50:39


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:27 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CF9AB3DF-D08C-410A-A0C2-A7EFDF4726BA} - C:\WINDOWS\system32\geBsqNGW.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [a09a5c10] rundll32.exe "C:\WINDOWS\system32\trnhsnll.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [XCHK1U0qoV] C:\Documents and Settings\All Users\Application Data\iryxwjsr\qlapgzql.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{465CE279-BB7B-49DE-AB45-CD8E169E01C1}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A84F197A-A7D3-43FF-85FB-6277E411A95C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 4400 bytes

Attached Files
File Type: txt log.txt (6.4 KB, 1 views)
File Type: log hijackthis.log (4.3 KB, 1 views)
__________________
~ Joseph
Desktop Support Analyst
MCSA, CCNA, A+ Certified.


Last edited by Pancake : 2 Weeks Ago at 01:53 AM. Reason: Copied and pasted for better viewing....
#8
Old 2 Weeks Ago
Pancake
Senior Security Analyst
Posts: 1,621
PC Experience: Elite PC Guru
Location: Victoria, Australia
Re: My Brother is Stupid

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O2 - BHO: (no name) - {CF9AB3DF-D08C-410A-A0C2-A7EFDF4726BA} - C:\WINDOWS\system32\geBsqNGW.dll (file missing)
O4 - HKLM\..\Run: [a09a5c10] rundll32.exe "C:\WINDOWS\system32\trnhsnll.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [XCHK1U0qoV] C:\Documents and Settings\All Users\Application Data\iryxwjsr\qlapgzql.exe
Reboot.....
==================================
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Killall::
File::
C:\WINDOWS\S2A6B0779.tmp
C:\WINDOWS\system32\inadahcf.exe
C:\WINDOWS\wdpoefan.dll
C:\WINDOWS\vadokmxt.dll
C:\WINDOWS\dpevflbg.dll
C:\WINDOWS\olgdqarf.exe
C:\WINDOWS\wxvgsdbq.exe
C:\Documents and Settings\All Users\Application Data\iryxwjsr\qlapgzql.exe
Folder::
C:\f2019998234629f78eb7d3
C:\Documents and Settings\All Users\Application Data\iryxwjsr
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]