Help Needed...Win32.Trojan
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted 11-1-2009 8:47 (GMT +1)

I have tried using several anti-virus programmes: Malwarebytes' Anti-Malware, Ad-Aware, Solo Antivirus... Upon scanning with either Malwarebytes or Solo Antivirus, they can detect 2-3 viruses which belong to that category. However, this virus sort of comes back with a different name every time. I have used HijackThis and here is the log. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:35 AM, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\SRNMIC~1\SOLOSENT.EXE
C:\SRNMIC~1\SOLOCFG.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\winfbwjm.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoloSentry] C:\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 9468 bytes
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 16319 Posted 11-2-2009 4:41 (GMT +1) Hello manutd83 and welcome to BG
Please download Combofix from:
And save to the desktop.
Close all other browser windows.
Double-click on the combofix icon found on your desktop.
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When finished, it will produce a logfile located at C:\combofix.txt.
Post the contents of that log in your next reply.
The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.
Do NOT post your problem in someone else's thread.
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted 11-19-2009 10:25 (GMT +1)

My exams just ended. Thanks for the reply. Below is the ComboFix log.

ComboFix 09-11-18.07 - user 11/19/2009 17:10.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.636 [GMT 8:00]
Running from: c:\documents and settings\user\My Documents\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr

((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.
2009-11-14 06:02 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-14 06:02 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-14 06:02 . 2009-11-14 06:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-14 05:58 . 2009-11-14 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-14 05:58 . 2009-11-14 05:58 -------- d-----w- c:\program files\McAfee Security Scan
2009-11-14 05:58 . 2009-11-14 06:10 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\nos
2009-11-14 05:58 . 2009-11-14 05:58 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-14 05:57 . 2009-11-19 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-14 03:24 . 2009-11-14 03:27 -------- d-----w- c:\windows\$regcmp$
2009-11-07 16:54 . 2009-09-04 09:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-07 16:54 . 2009-09-04 09:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-07 16:54 . 2009-09-04 09:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-07 16:54 . 2009-09-04 09:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-07 16:54 . 2009-09-04 09:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-11-07 16:54 . 2009-09-04 09:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-07 16:54 . 2009-09-04 09:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-07 16:51 . 2009-11-07 16:54 -------- d--h--w- c:\windows\msdownld.tmp
2009-11-06 05:20 . 2009-11-06 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-11-06 05:19 . 2009-11-06 05:19 -------- d-----w- c:\documents and settings\user\Application Data\Sports Interactive
2009-11-06 05:14 . 2009-11-06 05:14 -------- d-----w- c:\program files\Sports Interactive
2009-11-06 05:13 . 2009-11-06 05:13 -------- d--h--w- c:\documents and settings\user\InstallAnywhere
2009-11-03 15:19 . 2009-11-14 14:37 -------- d-----w- c:\documents and settings\user\Application Data\vlc
2009-11-01 20:15 . 2009-11-03 04:38 587808 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-01 20:15 . 2009-11-03 04:38 43552 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-01 19:41 . 2009-11-18 17:42 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-01 19:39 . 2009-11-01 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-01 19:39 . 2009-11-14 04:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-01 19:39 . 2009-11-01 19:39 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-11-01 19:39 . 2009-11-01 19:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-01 19:37 . 2009-11-03 04:34 -------- d-----w- C:\HJT
2009-11-01 00:16 . 2009-11-01 00:16 166 ---ha-w- C:\aaw7boot.cmd
2009-10-28 14:40 . 2009-11-14 05:39 -------- d-----w- c:\program files\Heroes of Newerth
2009-10-28 14:35 . 2009-10-28 14:35 -------- d-----r- c:\program files\Heroes of Newerth on Mtchin
2009-10-28 14:34 . 2008-10-14 22:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-10-28 14:34 . 2008-10-14 22:22 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-10-28 14:34 . 2008-10-14 22:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-10-28 14:34 . 2009-10-28 14:34 -------- d-----w- c:\windows\Logs
2009-10-22 01:26 . 2009-11-03 04:21 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-10-22 01:26 . 2009-11-03 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-10-22 01:25 . 2009-10-22 01:25 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Downloaded Installations
2009-10-22 01:15 . 2009-10-24 00:01 -------- d-----w- c:\program files\Unlocker
2009-10-21 15:17 . 2009-10-21 15:17 38 ----a-w- c:\windows\SOLOSCAN.BAT
2009-10-21 15:17 . 2009-11-14 03:32 -------- d-----w- C:\SRN Micro
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted 11-19-2009 10:25 (GMT +1)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 08:50 . 2009-09-09 20:45 -------- d-----w- c:\program files\BitComet
2009-11-14 06:09 . 2009-09-09 07:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 05:18 . 2009-11-06 05:14 -------- d--h--w- c:\program files\Zero G Registry
2009-11-03 04:38 . 2009-11-01 20:15 9008 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-03 04:38 . 2009-11-01 20:15 7220 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-03 04:37 . 2009-10-13 09:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-27 19:48 . 2009-09-29 23:04 -------- d-----w- c:\program files\Warcraft3
2009-10-27 19:04 . 2009-09-29 23:28 -------- d-----w- c:\program files\Garena
2009-10-21 16:34 . 2009-09-23 00:33 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-10-05 12:49 . 2009-10-05 12:49 -------- d-----w- c:\documents and settings\user\Application Data\Leadertech
2009-10-05 12:31 . 2009-10-05 12:31 -------- d-----w- c:\program files\EA Sports
2009-10-05 00:44 . 2009-09-09 07:21 -------- d-----w- c:\program files\Common Files\Real
2009-10-05 00:44 . 2009-10-05 00:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-05 00:44 . 2006-07-11 10:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-05 00:43 . 2009-10-05 00:43 -------- d-----w- c:\program files\Real
2009-09-23 00:34 . 2009-09-23 00:34 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-09-23 00:34 . 2009-09-23 00:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 00:34 . 2009-09-23 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 07:09 . 2009-09-16 23:21 -------- d-----w- c:\documents and settings\user\Application Data\dvdcss
2009-09-10 23:28 . 2009-09-09 07:00 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-10 14:02 . 2009-09-09 07:09 75416 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 06:54 . 2009-09-23 00:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 06:53 . 2009-09-23 00:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 20:45 . 2009-09-09 20:45 1032192 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\wwgbybae.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash\components\IBitCometExtension.dll
2009-09-09 20:41 . 2009-09-09 20:41 0 ----a-w- c:\windows\nsreg.dat
2009-09-09 08:44 . 2009-09-09 08:44 315392 ----a-w- c:\windows\HideWin.exe
2009-09-09 07:26 . 2009-09-09 07:26 20 ----a-w- c:\windows\system32\pub_store.dat
2009-09-09 06:58 . 2009-09-09 06:58 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-04 09:44 . 2009-11-06 05:18 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
.
------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-01_20.42.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 05:18 . 2006-07-28 01:30 62744 c:\windows\system32\xinput1_2.dll
+ 2009-11-06 05:18 . 2006-03-31 04:39 62672 c:\windows\system32\xinput1_1.dll
+ 2009-11-06 05:18 . 2008-10-27 02:04 70992 c:\windows\system32\XAPOFX1_2.dll
+ 2009-11-06 05:18 . 2008-07-31 02:41 68616 c:\windows\system32\XAPOFX1_1.dll
+ 2009-11-06 05:18 . 2008-05-30 06:17 65032 c:\windows\system32\XAPOFX1_0.dll
+ 2009-11-06 05:18 . 2009-03-16 06:18 22360 c:\windows\system32\X3DAudio1_6.dll
+ 2009-11-06 05:18 . 2008-10-27 02:04 23376 c:\windows\system32\X3DAudio1_5.dll
+ 2009-11-06 05:18 . 2008-05-30 06:17 25608 c:\windows\system32\X3DAudio1_4.dll
+ 2009-11-06 05:18 . 2008-03-05 08:00 25608 c:\windows\system32\X3DAudio1_3.dll
+ 2009-11-06 05:18 . 2007-10-21 19:37 17928 c:\windows\system32\X3DAudio1_2.dll
+ 2009-11-06 05:18 . 2007-03-05 04:42 15128 c:\windows\system32\x3daudio1_1.dll
+ 2009-11-06 05:18 . 2006-02-03 00:41 14032 c:\windows\system32\x3daudio1_0.dll
+ 2008-04-14 08:00 . 2008-04-14 08:00 33280 c:\windows\system32\rundll32.exe
- 2008-04-14 08:00 . 2009-11-01 20:19 40836 c:\windows\system32\perfc009.dat
+ 2008-04-14 08:00 . 2009-11-14 03:35 40836 c:\windows\system32\perfc009.dat
- 2009-09-09 07:07 . 2009-11-01 20:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-09 07:07 . 2009-11-01 20:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-09 07:07 . 2009-11-01 20:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-09 07:07 . 2009-11-01 20:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-14 06:02 . 2009-11-14 06:02 27648 c:\windows\Installer\8b01d5.msi
+ 2009-11-06 05:18 . 2009-03-16 06:18 517448 c:\windows\system32\XAudio2_4.dll
+ 2009-11-06 05:18 . 2008-10-27 02:04 514384 c:\windows\system32\XAudio2_3.dll
+ 2009-11-06 05:18 . 2008-07-31 02:40 509448 c:\windows\system32\XAudio2_2.dll
+ 2009-11-06 05:18 . 2008-05-30 06:19 507400 c:\windows\system32\XAudio2_1.dll
+ 2009-11-06 05:18 . 2008-03-05 08:03 479752 c:\windows\system32\XAudio2_0.dll
+ 2009-11-06 05:18 . 2009-03-16 06:18 235352 c:\windows\system32\xactengine3_4.dll
+ 2009-11-06 05:18 . 2008-10-27 02:04 235856 c:\windows\system32\xactengine3_3.dll
+ 2009-11-06 05:18 . 2008-07-31 02:41 238088 c:\windows\system32\xactengine3_2.dll
+ 2009-11-06 05:18 . 2008-05-30 06:18 238088 c:\windows\system32\xactengine3_1.dll
+ 2009-11-06 05:18 . 2008-03-05 08:03 238088 c:\windows\system32\xactengine3_0.dll
+ 2009-11-06 05:18 . 2007-07-19 16:57 267112 c:\windows\system32\xactengine2_9.dll
+ 2009-11-06 05:18 . 2007-06-20 12:46 266088 c:\windows\system32\xactengine2_8.dll
+ 2009-11-06 05:18 . 2007-04-04 10:55 261480 c:\windows\system32\xactengine2_7.dll
+ 2009-11-06 05:18 . 2007-01-24 07:27 255848 c:\windows\system32\xactengine2_6.dll
+ 2009-11-06 05:18 . 2006-12-08 04:02 251672 c:\windows\system32\xactengine2_5.dll
+ 2009-11-06 05:18 . 2006-09-28 08:05 237848 c:\windows\system32\xactengine2_4.dll
+ 2009-11-06 05:18 . 2006-07-28 01:30 236824 c:\windows\system32\xactengine2_3.dll
+ 2009-11-06 05:18 . 2006-05-30 23:24 230168 c:\windows\system32\xactengine2_2.dll
+ 2009-11-06 05:18 . 2007-10-21 19:39 267272 c:\windows\system32\xactengine2_10.dll
+ 2009-11-06 05:18 . 2006-03-31 04:39 229584 c:\windows\system32\xactengine2_1.dll
+ 2009-11-06 05:18 . 2006-02-03 00:42 230096 c:\windows\system32\xactengine2_0.dll
+ 2008-04-14 08:00 . 2009-11-14 03:35 314508 c:\windows\system32\perfh009.dat
- 2008-04-14 08:00 . 2009-11-01 20:19 314508 c:\windows\system32\perfh009.dat
+ 2009-11-06 05:18 . 2009-03-09 07:27 453456 c:\windows\system32\d3dx10_41.dll
+ 2009-11-06 05:18 . 2008-07-10 03:01 467984 c:\windows\system32\d3dx10_39.dll
+ 2009-11-06 05:18 . 2008-05-30 06:11 467984 c:\windows\system32\d3dx10_38.dll
+ 2009-11-06 05:18 . 2008-02-05 15:07 462864 c:\windows\system32\d3dx10_37.dll
+ 2009-11-06 05:18 . 2007-10-02 01:56 444776 c:\windows\system32\d3dx10_36.dll
+ 2009-11-06 05:18 . 2007-07-19 10:14 444776 c:\windows\system32\d3dx10_35.dll
+ 2009-11-06 05:18 . 2007-05-16 08:45 443752 c:\windows\system32\d3dx10_34.dll
+ 2009-11-06 05:18 . 2007-03-15 08:57 443752 c:\windows\system32\d3dx10_33.dll
+ 2009-11-06 05:18 . 2009-03-09 07:27 4178264 c:\windows\system32\D3DX9_41.dll
+ 2009-11-06 05:18 . 2008-07-10 03:00 3851784 c:\windows\system32\D3DX9_39.dll
+ 2009-11-06 05:18 . 2008-05-30 06:11 3850760 c:\windows\system32\D3DX9_38.dll
+ 2009-11-06 05:18 . 2007-10-12 07:14 3734536 c:\windows\system32\d3dx9_36.dll
+ 2009-11-06 05:18 . 2009-03-09 07:27 1846632 c:\windows\system32\D3DCompiler_41.dll
+ 2009-11-06 05:18 . 2008-07-10 03:00 1493528 c:\windows\system32\D3DCompiler_39.dll
+ 2009-11-06 05:18 . 2008-05-30 06:11 1491992 c:\windows\system32\D3DCompiler_38.dll
+ 2009-11-06 05:18 . 2008-03-05 07:56 1420824 c:\windows\system32\D3DCompiler_37.dll
+ 2009-11-06 05:18 . 2007-10-12 07:14 1374232 c:\windows\system32\D3DCompiler_36.dll
+ 2009-11-06 05:18 . 2007-07-19 10:14 1358192 c:\windows\system32\D3DCompiler_35.dll
+ 2009-11-06 05:18 . 2007-05-16 08:45 1124720 c:\windows\system32\D3DCompiler_34.dll
+ 2009-11-06 05:18 . 2007-03-12 08:42 1123696 c:\windows\system32\D3DCompiler_33.dll
+ 2009-11-14 06:10 . 2009-11-14 06:10 3940352 c:\windows\Installer\8b04c3.msi
.
-- Snapshot reset to current date --
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted 11-19-2009 10:26 (GMT +1) ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3953488] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4748528] "BitComet"="c:\program files\BitComet\BitComet.exe" [2009-11-10 2788152] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-14 2001648] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 644392] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 140848] "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 125984] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 112936] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1385808] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-05 267792] "SoloSentry"="c:\srnmic~1\SOLOSENT.EXE" [2009-10-15 151552] "SoloSchedule"="c:\srnmic~1\SOLOCFG.EXE" [2009-10-15 372736] "SoloSysCheck"="c:\srnmic~1\SYSCHECK.COM" [2009-10-16 307200] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008] "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 89600] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 1009016] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-11 
16844800] "SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-08-03 1900544] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "nltide_2"="shell32" [X] c:\documents and settings\All Users\Start Menu\Programs\Startup\ McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 157088] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 07:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\BitComet\\BitComet.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\WINDOWS\\system32\\calc.exe"= "c:\\PROGRA~1\\INSTAL~1\\{3B6E3~1\\setup.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\FastStone Image Viewer\\FSViewer.exe"= "c:\\Program 
Files\\Microsoft Office\\Office10\\OSA.EXE"= "c:\\Program Files\\Megaupload\\Mega Manager\\MegaManager.exe"= "c:\\WINDOWS\\system32\\nwiz.exe"= "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"= "c:\\Program Files\\CyberLink\\Shared Files\\RichVideo.exe"= "c:\\Program Files\\Garena\\Garena.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"= "c:\\Program Files\\Warcraft3\\war3.exe"= "c:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe"= "c:\\WINDOWS\\system32\\wscntfy.exe"= "c:\\SRN Micro\\SOLOCFG.EXE"= "c:\\SRN Micro\\SOLOSCAN.EXE"= "c:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe"= "c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"= "c:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"= "c:\\WINDOWS\\SkyTel.EXE"= "c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"= "c:\\SRNMIC~1\\SYSCHECK.COM"= "c:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "14829:TCP"= 14829:TCP:BitComet 14829 TCP "14829:UDP"= 14829:UDP:BitComet 14829 UDP R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408] S2 NeroRegInCDSrv;Nero Registry InCD Service; [x] S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\user\LOCALS~1\Temp\RQBC.tmp --> c:\docume~1\user\LOCALS~1\Temp\RQBC.tmp [?] --- Other Services/Drivers In Memory --- *NewlyCreated* - ASC3360PR *NewlyCreated* - SASDIFSV *Deregistered* - mbr . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . 
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\wwgbybae.default\ FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\wwgbybae.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-19 17:18 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine] "ImagePath"="\??\c:\docume~1\user\LOCALS~1\Temp\RQBC.tmp" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(716) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'explorer.exe'(1120) c:\windows\system32\wpdshserviceobj.dll c:\windows\system32\portabledevicetypes.dll c:\windows\system32\portabledeviceapi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-11-19 17:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 09:21
ComboFix2.txt 2009-11-01 20:49

Pre-Run: 36,016,295,936 bytes free
Post-Run: 36,391,473,152 bytes free

- - End Of File - - 10FAC78230BAA58A907FE941CDC36DC9
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted 11-19-2009 10:27 (GMT +1)
This is the latest HijackThis log file. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:30 PM, on 11/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\SRNMIC~1\SOLOSENT.EXE
C:\SRNMIC~1\SOLOCFG.EXE
C:\SRNMIC~1\SYSCHECK.COM
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winobihsi.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoloSentry] C:\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7723 bytes
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted Yesterday 2:31 (GMT +1)
C:\DOCUME~1\user\LOCALS~1\Temp\winobihsi.exe. This was from the last HijackThis report I posted... rather dodgy.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 16319 Posted Today 3:52 (GMT +1)
My bad, sorry.
and download File Lister
Save it to your Desktop
Rightclick ->> Extract all ->> And extract it to your Desktop
Open the File Lister Folder.
Note: Leave the FileLister.vbe file in the folder and run it from there.
Rightclick FileLister.vbe ->> Select Open, then Open to confirm.
When the program is finished it will produce a log for you: C:\Files.txt
Copy and paste the contents of that log in your reply.
The log will be reasonably large so you may have to divide it into sections and make several posts to post it.
Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted Today 4:24 (GMT +1) +++++++++++++++++++++++++++++++++ + File Lister Version 1.1.1 + + + + By bamajim / SpywareHammer.com + +++++++++++++++++++++++++++++++++ Report ran on --->>> 11/21/2009 11:22:41 AM ====== Running Processes ====== C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\TEMP\winjjkdd.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\TEMP\windvuxli.exe C:\HJT\HijackThis.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\System32\WScript.exe C:\WINDOWS\System32\WScript.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\dwwin.exe ====== BHO's ====== BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll BHO: (NO NAME) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll BHO: (NO NAME) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL BHO: (NO NAME) - 
{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll ====== HKLM\~\Run Keys ====== HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [NeroFilterCheck] = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [RemoteControl] = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [LanguageShortcut] = "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [RTHDCPL] = RTHDCPL.EXE [SkyTel] = SkyTel.EXE [GrooveMonitor] = "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [Malwarebytes Anti-Malware (reboot)] = "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [TkBellExe] = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [SoloSentry] = C:\SRNMIC~1\SOLOSENT.EXE [SoloSchedule] = C:\SRNMIC~1\SOLOCFG.EXE [SoloSysCheck] = C:\SRNMIC~1\SYSCHECK.COM [NvCplDaemon] = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [UnlockerAssistant] = "C:\Program Files\Unlocker\UnlockerAssistant.exe" [Adobe Reader Speed Launcher] = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [Adobe ARM] = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" ====== HKCU\~\Run Keys ====== [MsnMsgr] = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [Yahoo! 
Pager] = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [BitComet] = "C:\Program Files\BitComet\BitComet.exe" /tray [SUPERAntiSpyware] = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe ====== DNS Info (List may be empty) ====== HKEY_LOCAL_MACHINE\CCS\~\{0EDD1478-7E86-4C33-B7CD-2C9A2748A7F8}\ NameServer= HKEY_LOCAL_MACHINE\CS001\~\{0EDD1478-7E86-4C33-B7CD-2C9A2748A7F8}\ NameServer= HKEY_LOCAL_MACHINE\CS002\~\{0EDD1478-7E86-4C33-B7CD-2C9A2748A7F8}\ NameServer= ====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ====== 11/14/2009 2:08:14 PM 0 C:\Config.Msi 11/2/2009 3:37:36 AM 1367916 C:\HJT 11/3/2009 12:25:37 PM 74 C:\HJT\backups 11/2/2009 4:31:00 AM 1672908 C:\Qoobox 11/19/2009 5:07:58 PM 10734 C:\Qoobox\BackEnv 11/2/2009 4:31:00 AM 654615 C:\Qoobox\Quarantine 11/2/2009 4:34:58 AM 313856 C:\Qoobox\Quarantine\C 11/2/2009 4:39:55 AM 170496 C:\Qoobox\Quarantine\C\Documents and Settings 11/2/2009 4:39:55 AM 170496 C:\Qoobox\Quarantine\C\Documents and Settings\user 11/2/2009 4:39:55 AM 170496 C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data 11/2/2009 4:39:55 AM 170496 C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\Desktopicon 11/2/2009 4:39:55 AM 143360 C:\Qoobox\Quarantine\C\WINDOWS 11/2/2009 4:42:50 AM 331776 C:\Qoobox\Quarantine\D 11/2/2009 4:31:00 AM 8779 C:\Qoobox\Quarantine\Registry_backups 10/21/2009 11:17:28 PM 10574890 C:\SRN Micro 10/21/2009 11:17:28 PM 530178 C:\SRN Micro\temp 11/1/2009 8:16:40 AM 166 34 C:\aaw7boot.cmd 10/15/2009 3:17:19 PM 1788 32 C:\aaw7boot.log 11/19/2009 5:21:16 PM 23078 32 C:\ComboFix.txt 11/21/2009 11:22:41 AM 0 32 C:\Files.txt 11/14/2009 11:24:50 AM 38351691 C:\WINDOWS\$regcmp$ 11/2/2009 4:33:33 AM 91737214 C:\WINDOWS\ERDNT 11/2/2009 4:45:00 AM 20178320 C:\WINDOWS\ERDNT\cache 11/2/2009 4:33:33 AM 35774784 C:\WINDOWS\ERDNT\Hiv-backup 11/19/2009 5:07:55 PM 3649536 C:\WINDOWS\ERDNT\Hiv-backup\Users 11/19/2009 5:07:55 PM 253952 
C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001 11/19/2009 5:07:55 PM 8192 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002 11/19/2009 5:07:55 PM 253952 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003 11/19/2009 5:07:55 PM 8192 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004 11/19/2009 5:07:55 PM 2957312 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005 11/19/2009 5:07:55 PM 167936 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006 11/19/2009 5:16:29 PM 35784000 C:\WINDOWS\ERDNT\subs 11/19/2009 5:16:30 PM 3649536 C:\WINDOWS\ERDNT\subs\Users 11/19/2009 5:16:30 PM 253952 C:\WINDOWS\ERDNT\subs\Users\00000001 11/19/2009 5:16:30 PM 8192 C:\WINDOWS\ERDNT\subs\Users\00000002 11/19/2009 5:16:30 PM 253952 C:\WINDOWS\ERDNT\subs\Users\00000003 11/19/2009 5:16:30 PM 8192 C:\WINDOWS\ERDNT\subs\Users\00000004 11/19/2009 5:16:30 PM 2957312 C:\WINDOWS\ERDNT\subs\Users\00000005 11/19/2009 5:16:30 PM 167936 C:\WINDOWS\ERDNT\subs\Users\00000006 10/28/2009 10:34:35 PM 445179 C:\WINDOWS\Logs 11/8/2009 12:51:32 AM 0 C:\WINDOWS\msdownld.tmp 10/21/2009 11:02:40 PM 1081 C:\WINDOWS\pss 11/19/2009 5:21:19 PM 18944 C:\WINDOWS\temp 11/2/2009 4:33:40 AM 80412 32 C:\WINDOWS\grep.exe 11/2/2009 4:33:40 AM 77312 32 C:\WINDOWS\MBR.exe 11/2/2009 4:33:40 AM 31232 32 C:\WINDOWS\NIRCMD.exe 11/2/2009 4:33:40 AM 260608 32 C:\WINDOWS\PEV.exe 10/5/2009 11:25:04 AM 1409 32 C:\WINDOWS\QTFont.for 10/5/2009 11:25:04 AM 54156 34 C:\WINDOWS\QTFont.qfn 11/2/2009 4:33:40 AM 98816 32 C:\WINDOWS\sed.exe 10/21/2009 11:17:33 PM 38 32 C:\WINDOWS\SOLOSCAN.BAT 11/2/2009 4:33:40 AM 161792 32 C:\WINDOWS\SWREG.exe 11/2/2009 4:33:40 AM 136704 32 C:\WINDOWS\SWSC.exe 11/2/2009 4:33:40 AM 212480 32 C:\WINDOWS\SWXCACLS.exe 11/2/2009 4:33:40 AM 68096 32 C:\WINDOWS\zip.exe 11/3/2009 12:21:50 PM 0 C:\WINDOWS\system32\appmgmt 11/3/2009 12:21:50 PM 0 C:\WINDOWS\system32\appmgmt\MACHINE 11/3/2009 12:21:50 PM 0 C:\WINDOWS\system32\appmgmt\S-1-5-21-1004336348-57989841-1417001333-1003 10/2/2009 10:32:31 PM 4299489 C:\WINDOWS\system32\GroupPolicy 10/2/2009 10:32:31 PM 
4299101 C:\WINDOWS\system32\GroupPolicy\Adm 10/2/2009 10:32:31 PM 156 C:\WINDOWS\system32\GroupPolicy\Machine 10/2/2009 10:32:31 PM 0 C:\WINDOWS\system32\GroupPolicy\User 11/6/2009 1:18:42 PM 1123696 32 C:\WINDOWS\system32\D3DCompiler_33.dll 11/6/2009 1:18:44 PM 1124720 32 C:\WINDOWS\system32\D3DCompiler_34.dll 11/6/2009 1:18:46 PM 1358192 32 C:\WINDOWS\system32\D3DCompiler_35.dll 11/6/2009 1:18:47 PM 1374232 32 C:\WINDOWS\system32\D3DCompiler_36.dll 11/6/2009 1:18:49 PM 1420824 32 C:\WINDOWS\system32\D3DCompiler_37.dll 11/6/2009 1:18:50 PM 1491992 32 C:\WINDOWS\system32\D3DCompiler_38.dll 11/6/2009 1:18:52 PM 1493528 32 C:\WINDOWS\system32\D3DCompiler_39.dll 10/28/2009 10:34:52 PM 2036576 32 C:\WINDOWS\system32\D3DCompiler_40.dll 11/6/2009 1:18:57 PM 1846632 32 C:\WINDOWS\system32\D3DCompiler_41.dll 11/8/2009 12:54:24 AM 1974616 32 C:\WINDOWS\system32\D3DCompiler_42.dll 11/8/2009 12:54:23 AM 5501792 32 C:\WINDOWS\system32\d3dcsx_42.dll 11/6/2009 1:18:42 PM 443752 32 C:\WINDOWS\system32\d3dx10_33.dll 11/6/2009 1:18:44 PM 443752 32 C:\WINDOWS\system32\d3dx10_34.dll 11/6/2009 1:18:46 PM 444776 32 C:\WINDOWS\system32\d3dx10_35.dll 11/6/2009 1:18:47 PM 444776 32 C:\WINDOWS\system32\d3dx10_36.dll 11/6/2009 1:18:49 PM 462864 32 C:\WINDOWS\system32\d3dx10_37.dll 11/6/2009 1:18:50 PM 467984 32 C:\WINDOWS\system32\d3dx10_38.dll 11/6/2009 1:18:52 PM 467984 32 C:\WINDOWS\system32\d3dx10_39.dll 10/28/2009 10:34:52 PM 452440 32 C:\WINDOWS\system32\d3dx10_40.dll 11/6/2009 1:18:57 PM 453456 32 C:\WINDOWS\system32\d3dx10_41.dll 11/8/2009 12:54:23 AM 453456 32 C:\WINDOWS\system32\d3dx10_42.dll 11/8/2009 12:54:23 AM 235344 32 C:\WINDOWS\system32\d3dx11_42.dll 10/5/2009 8:31:07 PM 2222800 32 C:\WINDOWS\system32\d3dx9_24.dll 10/5/2009 8:31:08 PM 2337488 32 C:\WINDOWS\system32\d3dx9_25.dll 10/5/2009 8:31:09 PM 2297552 32 C:\WINDOWS\system32\d3dx9_26.dll 10/5/2009 8:31:09 PM 2319568 32 C:\WINDOWS\system32\d3dx9_27.dll 10/5/2009 8:31:10 PM 2332368 32 C:\WINDOWS\system32\d3dx9_29.dll 
10/5/2009 8:31:11 PM 2414360 32 C:\WINDOWS\system32\d3dx9_31.dll 10/5/2009 8:31:12 PM 3426072 32 C:\WINDOWS\system32\d3dx9_32.dll 10/5/2009 8:31:12 PM 3495784 32 C:\WINDOWS\system32\d3dx9_33.dll 10/5/2009 8:31:14 PM 3497832 32 C:\WINDOWS\system32\d3dx9_34.dll 10/5/2009 8:31:15 PM 3727720 32 C:\WINDOWS\system32\d3dx9_35.dll 11/6/2009 1:18:47 PM 3734536 32 C:\WINDOWS\system32\d3dx9_36.dll 10/5/2009 8:31:15 PM 3786760 32 C:\WINDOWS\system32\D3DX9_37.dll 11/6/2009 1:18:50 PM 3850760 32 C:\WINDOWS\system32\D3DX9_38.dll 11/6/2009 1:18:51 PM 3851784 32 C:\WINDOWS\system32\D3DX9_39.dll 10/28/2009 10:34:51 PM 4379984 32 C:\WINDOWS\system32\D3DX9_40.dll 11/6/2009 1:18:56 PM 4178264 32 C:\WINDOWS\system32\D3DX9_41.dll 11/8/2009 12:54:23 AM 1892184 32 C:\WINDOWS\system32\D3DX9_42.dll 11/6/2009 1:18:37 PM 14032 32 C:\WINDOWS\system32\x3daudio1_0.dll 11/6/2009 1:18:39 PM 15128 32 C:\WINDOWS\system32\x3daudio1_1.dll 11/6/2009 1:18:45 PM 17928 32 C:\WINDOWS\system32\X3DAudio1_2.dll 11/6/2009 1:18:49 PM 25608 32 C:\WINDOWS\system32\X3DAudio1_3.dll 11/6/2009 1:18:50 PM 25608 32 C:\WINDOWS\system32\X3DAudio1_4.dll 11/6/2009 1:18:53 PM 23376 32 C:\WINDOWS\system32\X3DAudio1_5.dll 11/6/2009 1:18:56 PM 22360 32 C:\WINDOWS\system32\X3DAudio1_6.dll 11/6/2009 1:18:37 PM 230096 32 C:\WINDOWS\system32\xactengine2_0.dll 11/6/2009 1:18:38 PM 229584 32 C:\WINDOWS\system32\xactengine2_1.dll 11/6/2009 1:18:48 PM 267272 32 C:\WINDOWS\system32\xactengine2_10.dll 11/6/2009 1:18:38 PM 230168 32 C:\WINDOWS\system32\xactengine2_2.dll 11/6/2009 1:18:39 PM 236824 32 C:\WINDOWS\system32\xactengine2_3.dll 11/6/2009 1:18:39 PM 237848 32 C:\WINDOWS\system32\xactengine2_4.dll 11/6/2009 1:18:40 PM 251672 32 C:\WINDOWS\system32\xactengine2_5.dll 11/6/2009 1:18:40 PM 255848 32 C:\WINDOWS\system32\xactengine2_6.dll 11/6/2009 1:18:43 PM 261480 32 C:\WINDOWS\system32\xactengine2_7.dll 11/6/2009 1:18:45 PM 266088 32 C:\WINDOWS\system32\xactengine2_8.dll 11/6/2009 1:18:47 PM 267112 32 
C:\WINDOWS\system32\xactengine2_9.dll 11/6/2009 1:18:49 PM 238088 32 C:\WINDOWS\system32\xactengine3_0.dll 11/6/2009 1:18:51 PM 238088 32 C:\WINDOWS\system32\xactengine3_1.dll 11/6/2009 1:18:52 PM 238088 32 C:\WINDOWS\system32\xactengine3_2.dll 11/6/2009 1:18:53 PM 235856 32 C:\WINDOWS\system32\xactengine3_3.dll 11/6/2009 1:18:56 PM 235352 32 C:\WINDOWS\system32\xactengine3_4.dll 11/8/2009 12:54:24 AM 238936 32 C:\WINDOWS\system32\xactengine3_5.dll 11/6/2009 1:18:51 PM 65032 32 C:\WINDOWS\system32\XAPOFX1_0.dll 11/6/2009 1:18:53 PM 68616 32 C:\WINDOWS\system32\XAPOFX1_1.dll 11/6/2009 1:18:53 PM 70992 32 C:\WINDOWS\system32\XAPOFX1_2.dll 11/6/2009 1:18:56 PM 69464 32 C:\WINDOWS\system32\XAPOFX1_3.dll 11/6/2009 1:18:50 PM 479752 32 C:\WINDOWS\system32\XAudio2_0.dll 11/6/2009 1:18:51 PM 507400 32 C:\WINDOWS\system32\XAudio2_1.dll 11/6/2009 1:18:53 PM 509448 32 C:\WINDOWS\system32\XAudio2_2.dll 11/6/2009 1:18:53 PM 514384 32 C:\WINDOWS\system32\XAudio2_3.dll 11/6/2009 1:18:56 PM 517448 32 C:\WINDOWS\system32\XAudio2_4.dll 11/8/2009 12:54:25 AM 515416 32 C:\WINDOWS\system32\XAudio2_5.dll 11/6/2009 1:18:38 PM 62672 32 C:\WINDOWS\system32\xinput1_1.dll 11/6/2009 1:18:38 PM 62744 32 C:\WINDOWS\system32\xinput1_2.dll 10/5/2009 8:31:13 PM 81768 32 C:\WINDOWS\system32\xinput1_3.dll 10/5/2009 8:31:09 PM 61136 32 C:\WINDOWS\system32\xinput9_1_0.dll 10/22/2009 10:04:55 AM 8623072 32 C:\WINDOWS\system32\_upd.log ====== Files under "\Administrator\Startup" Last 60 Days====== Back to Top
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted Today 4:25 (GMT +1) ====== Files under "\All Users\Startup" Last 60 Days====== ====== Files and Folders under "\Program Files" Last 60 Days====== 11/14/2009 2:09:30 PM 213907597 C:\Program Files\Adobe 10/5/2009 8:31:03 PM 7553274186 C:\Program Files\EA Sports 9/23/2009 8:33:06 AM 672400 C:\Program Files\Eusing Free Registry Cleaner 9/30/2009 7:28:50 AM 21923987 C:\Program Files\Garena 10/28/2009 10:40:05 PM 306998845 C:\Program Files\Heroes of Newerth 10/28/2009 10:35:17 PM 598 C:\Program Files\Heroes of Newerth on Mtchin 9/23/2009 8:34:39 AM 4313850 C:\Program Files\Malwarebytes' Anti-Malware 10/5/2009 8:43:58 AM 66258738 C:\Program Files\Real 11/6/2009 1:14:38 PM 2109964878 C:\Program Files\Sports Interactive 11/2/2009 3:39:19 AM 31074483 C:\Program Files\SUPERAntiSpyware 10/22/2009 9:15:41 AM 589462 C:\Program Files\Unlocker 9/30/2009 7:04:42 AM 2569268084 C:\Program Files\Warcraft3 11/6/2009 1:14:38 PM 2700 C:\Program Files\Zero G Registry ====== Files under "\System32\Drivers" Last 60 Days====== 11/2/2009 4:15:31 AM 587808 38 C:\WINDOWS\system32\drivers\fidbox.dat 11/2/2009 4:15:31 AM 9008 38 C:\WINDOWS\system32\drivers\fidbox.idx 11/2/2009 4:15:31 AM 43552 38 C:\WINDOWS\system32\drivers\fidbox2.dat 11/2/2009 4:15:31 AM 7220 38 C:\WINDOWS\system32\drivers\fidbox2.idx 9/23/2009 8:34:39 AM 19160 32 C:\WINDOWS\system32\drivers\mbam.sys 9/23/2009 8:34:41 AM 38224 32 C:\WINDOWS\system32\drivers\mbamswissarmy.sys ====== Files Deleted under "%Temp%" ====== 6 Files deleted ====== Files and Folders under "All Users\Application Data" Last 60 Days====== 10/13/2009 5:46:39 PM 0 C:\Documents and Settings\All Users\Application Data\Lavasoft 10/13/2009 5:51:40 PM 0 C:\Documents and Settings\All Users\Application Data\Lavasoft\License 9/23/2009 8:34:39 AM 2832663 C:\Documents and Settings\All Users\Application Data\Malwarebytes 9/23/2009 8:34:39 AM 2832663 C:\Documents and Settings\All Users\Application 
Data\Malwarebytes\Malwarebytes' Anti-Malware 11/19/2009 5:28:16 PM 6352 C:\Documents and Settings\All Users\Application Data\McAfee 11/19/2009 5:28:16 PM 6352 C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS 11/19/2009 5:28:16 PM 4876 C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\Common 11/19/2009 5:28:16 PM 4876 C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\Common\McUICnt 11/19/2009 5:28:16 PM 1476 C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\McUICnt 11/19/2009 5:28:16 PM 1476 C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\McUICnt\McUICnt 11/14/2009 1:58:42 PM 158 C:\Documents and Settings\All Users\Application Data\McAfee Security Scan 11/14/2009 1:57:33 PM 163840 C:\Documents and Settings\All Users\Application Data\NOS 11/14/2009 1:58:00 PM 163840 C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads 10/22/2009 9:26:24 AM 24207360 C:\Documents and Settings\All Users\Application Data\ParetoLogic 10/22/2009 9:26:24 AM 24207360 C:\Documents and Settings\All Users\Application Data\ParetoLogic\PLAS 10/22/2009 9:26:24 AM 0 C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2 10/22/2009 10:05:51 AM 0 C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2\Temp 10/5/2009 8:44:39 AM 90 C:\Documents and Settings\All Users\Application Data\Real 10/5/2009 8:44:39 AM 0 C:\Documents and Settings\All Users\Application Data\Real\RealPlayer 10/5/2009 8:49:30 AM 90 C:\Documents and Settings\All Users\Application Data\Real\Update 11/6/2009 1:20:02 PM 6029 C:\Documents and Settings\All Users\Application Data\Sports Interactive 11/6/2009 1:20:02 PM 6029 C:\Documents and Settings\All Users\Application Data\Sports Interactive\Football Manager 2010 11/6/2009 1:20:02 PM 6029 C:\Documents and Settings\All Users\Application Data\Sports Interactive\Football Manager 2010\7914 11/2/2009 3:39:29 AM 0 C:\Documents and Settings\All 
Users\Application Data\SUPERAntiSpyware.com 11/2/2009 3:39:29 AM 0 C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware ====== Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ====== HKLM\Software\microsoft\shared tools\msconfig\startupreg\Alcmtr HKLM\Software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1 HKLM\Software\microsoft\shared tools\msconfig\startupreg\InCD HKLM\Software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon HKLM\Software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter HKLM\Software\microsoft\shared tools\msconfig\startupreg\nwiz HKLM\Software\microsoft\shared tools\msconfig\startupreg\PHIME2002A HKLM\Software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync HKLM\Software\microsoft\shared tools\msconfig\startupreg\SecurDisc ====== Services ( Services that are Whitelisted are not shown) ====== GarenaPEngine (GarenaPEngine)- \??\C:\DOCUME~1\user\LOCALS~1\Temp\RQBC.tmp - Manual/Stopped irda (IrDA Protocol)- C:\WINDOWS\system32\DRIVERS\irda.sys - Auto/Running irsir (Microsoft Serial Infrared Driver)- C:\WINDOWS\system32\DRIVERS\irsir.sys - Manual/Running nvsmu (nvsmu)- C:\WINDOWS\system32\DRIVERS\nvsmu.sys - Manual/Running Rasirda (WAN Miniport (IrDA))- C:\WINDOWS\system32\DRIVERS\rasirda.sys - Manual/Running RTLE8023xp (Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver)- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys - Manual/Running SASDIFSV (SASDIFSV)- \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS - System/Running SASENUM (SASENUM)- \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS - Manual/Running SASKUTIL (SASKUTIL)- \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys - System/Running WmiAcpi (Microsoft Windows Management Interface for ACPI)- C:\WINDOWS\system32\DRIVERS\wmiacpi.sys - System/Running asc3360pr (asc3360pr)- - Unknown/Running ====== Uninstall List ====== Adobe AIR Adobe Flash Player 10 Plugin BitComet 1.16 Microsoft Office Enterprise 2007 
Eusing Free Registry Cleaner FastStone Image Viewer 3.9 Football Manager 2010 Garena HijackThis 2.0.2 Heroes of Newerth Update for Windows XP (KB898461) Security Update for Windows XP (KB923789) Security Update for Windows XP (KB941569) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows XP (KB950760) Malwarebytes' Anti-Malware Mozilla Firefox (3.5.5) NVIDIA Drivers RealPlayer Adobe Flash Player 9 ActiveX Solo Antivirus 9.0 Storm Codec Unlocker 1.8.7 VLC media player 1.0.3 Windows Live Essentials WinRAR archiver Yahoo! Messenger FIFA 10 DVD Suite Windows Live Upload Tool MSVCRT WebFldrs XP Windows Live Communications Platform Mega Manager Windows Live Sign-in Assistant neroxml Skype™ 3.6 Mega Manager PowerDVD Microsoft Visual C++ 2005 Redistributable Windows Live Essentials Microsoft Software Update for Web Folders (English) 12 Microsoft Office Access MUI (English) 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Publisher MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Enterprise 2007 Microsoft Office InfoPath MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office OneNote MUI (English) 2007 Microsoft Office Groove MUI (English) 2007 Microsoft Office Groove Setup Metadata MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office XP Professional with FrontPage Microsoft Application Error Reporting Segoe UI Adobe AIR Windows Live Messenger Adobe Reader 9.2 REALTEK GbE & FE Ethernet PCI-E NIC Driver SUPERAntiSpyware Free Edition Nero 7 Essentials Microsoft Choice Guard Realtek High Definition Audio Driver Visual C++ 2008 x86 Runtime - 
(v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Call

======== Other Info ========
TOTAL PHYSICAL RAM: 1072 MB

Boot Info
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

OS Type: Microsoft Windows XP Professional
Build: 5.1.2600
Service Pack: 3.0

====== Files with Hidden Attributes======
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\NTDETECT.COM
C:\Documents and Settings\Default User\NTUSER.DAT
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\LocalService\Cookies\index.dat
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat

==End of Report==
manutd83 New Member Date Joined Nov 2009 Total Posts : 10 Posted Today 4:53 (GMT +1)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/21/2009 at 11:53 AM

Application Version : 4.30.1004

Core Rules Database Version : 4295
Trace Rules Database Version: 2170

Scan type : Complete Scan
Total Scan Time : 00:27:37

Memory items scanned : 493
Memory threats detected : 0
Registry items scanned : 5892
Registry threats detected : 0
File items scanned : 16061
File threats detected : 4

Trojan.MailDrop/Gen
C:\WINDOWS\TEMP\TXPCK.EXE
C:\WINDOWS\TEMP\VEIJLB.EXE
C:\WINDOWS\TEMP\WINDTUXB.EXE
C:\WINDOWS\TEMP\WINJJKDD.EXE
Forum Information: Currently it is Saturday, November 21, 2009 1:16 PM (GMT +1)