Maximum PC
Forum Index -> Free Clinic

mass amounts of spyware/malware w/hijackthis. here you go

graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 5:01 pm    Post subject: mass amounts of spyware/malware w/hijackthis. here you go

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:15 PM, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecure2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecure2009.com
O1 - Hosts: 91.212.127.227 www.winsecure2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O3 - Toolbar: QT Breadcrumbs Address Bar - {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll (file missing)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [klvllraq] C:\Users\Warrior\Local Settings\Application Data\ikvbvm\cbovsysguard.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe
O4 - HKCU\..\Run: [VisualTaskTips] C:\WINDOWS\System32\visualtasktips.exe noTrayIcon
O4 - HKCU\..\Run: [TopDesk] C:\WINDOWS\System32\topdesk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
O4 - HKCU\..\RunOnce: [RTUserConfig] C:\WINDOWS\System32\rtusercfg.exe
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [VisualTaskTips] C:\WINDOWS\System32\visualtasktips.exe noTrayIcon (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TopDesk] C:\WINDOWS\System32\topdesk.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5714 bytes


Won't let me install anything unless I am in safe mode.
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 5:05 pm

Now I can't install anything. It says that the administrator has set up policies restricting the installs, but I checked program restrictions and there are no policies set.
hackman2007
Malware specialist
Joined: 03 Apr 2005
Posts: 9848

PostPosted: Sun Nov 08, 2009 5:13 pm

Yeah, there does appear to be a massive amount of malware on it.

I'm not sure if Combofix works in Safe Mode, but worth a shot.

After the download, launch combofix.exe.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall. Also, your screen may go blank at times or flash, and your Internet may disconnect; this is normal. After a reboot, everything should be restored.

If the program doesn't launch, try renaming the file to something different, like something.exe

Post the logfile here if you get it running (located at C:\Combofix.txt)
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 5:54 pm

Here is the ComboFix log. Gonna restart into regular Windows and see what the damage is.

ComboFix 09-11-08.03 - Administrator 11/08/2009 20:45.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.766 [GMT -5:00]
Running from: c:\users\Administrator\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bin
c:\windows\system32\bin\brutalchess.exe
c:\windows\system32\bin\freetype6.dll
c:\windows\system32\bin\jpeg.dll
c:\windows\system32\bin\libpng12.dll
c:\windows\system32\bin\libtiff.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcm80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcp80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcr80.dll
c:\windows\system32\bin\SDL.dll
c:\windows\system32\bin\SDL_image.dll
c:\windows\system32\bin\zlib1.dll
c:\windows\system32\ieHElper.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2019-09-25 22:40 . 2019-09-25 22:40 20480 ----a-w- c:\windows\system32\APITypes.dll
2009-11-09 01:03 . 2009-11-09 01:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-09 00:59 . 2009-11-09 00:59 -------- d-----w- c:\program files\Trend Micro
2009-11-09 00:43 . 2009-11-09 00:43 -------- d-----w- c:\users\Administrator\Local Settings\Application Data\Mozilla
2009-11-08 16:31 . 2009-11-08 16:31 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\ikvbvm
2009-11-01 03:27 . 2009-11-01 03:27 -------- d-----w- c:\windows\nview
2009-11-01 03:27 . 2008-05-16 18:01 446464 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-01 03:27 . 2008-05-16 15:48 446464 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-01 03:27 . 2009-11-01 03:27 -------- d-----w- C:\NVIDIA
2009-11-01 03:21 . 2009-11-01 03:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-01 03:04 . 2008-05-16 18:01 6557408 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2009-11-01 03:04 . 2008-05-16 18:01 6557408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-01 03:04 . 2008-05-16 18:01 6108928 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2009-11-01 03:04 . 2008-05-16 18:01 6108928 ----a-w- c:\windows\system32\nv4_disp.dll
2009-10-31 03:58 . 2008-04-14 12:00 26624 ----a-w- c:\users\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-31 03:56 . 2009-10-31 03:56 113 ----a-w- c:\users\Warrior\Local Settings\Application Data\fusioncache.dat
2009-10-31 03:56 . 2009-10-31 03:59 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\ApplicationHistory
2009-10-31 03:55 . 2009-11-01 03:04 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-26 22:50 . 2009-10-26 22:50 -------- d-----w- c:\program files\Realtek Sound Manager
2009-10-26 22:50 . 2009-10-26 22:50 -------- d-----w- c:\program files\AvRack
2009-10-26 22:50 . 2002-10-16 10:24 47104 ----a-r- c:\windows\SOUNDMAN.EXE
2009-10-26 22:50 . 2002-10-16 09:27 947884 ----a-r- c:\windows\system32\drivers\ALCXWDM.SYS
2009-10-26 22:50 . 2009-10-26 22:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-26 22:50 . 2002-10-21 05:33 208896 ----a-r- c:\windows\alcupd.exe
2009-10-26 22:50 . 2002-10-17 04:54 131072 ----a-r- c:\windows\alcrmv.exe
2009-10-26 22:49 . 2009-11-01 03:27 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-26 22:24 . 2001-08-17 15:12 16074 -c--a-w- c:\windows\system32\dllcache\fa312nd5.sys
2009-10-26 22:24 . 2001-08-17 15:12 16074 ----a-w- c:\windows\system32\drivers\FA312nd5.sys
2009-10-26 19:45 . 2009-10-26 19:45 -------- d-----w- c:\windows\Sun
2009-10-22 05:41 . 2009-11-09 01:40 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\AskToolbar
2009-10-21 05:26 . 2009-10-31 11:14 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\Adobe
2009-10-20 16:19 . 2009-10-20 16:19 -------- d-----w- c:\program files\Ask.com
2009-10-20 16:18 . 2009-10-20 19:47 -------- d-----w- c:\users\Warrior\Application Data\BitTorrent
2009-10-20 16:18 . 2009-10-20 16:18 -------- d-----w- c:\program files\BitTorrent
2009-10-20 02:06 . 2009-10-20 02:06 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\Blizzard Entertainment
2009-10-20 02:04 . 2009-10-20 02:19 -------- d-----w- c:\users\Warrior\Application Data\Ventrilo
2009-10-20 02:04 . 2009-10-20 02:04 -------- d-----w- c:\program files\Ventrilo
2009-10-20 02:03 . 2009-11-09 00:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-20 02:03 . 2009-10-20 02:03 16360 ----a-w- c:\users\Warrior\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 01:57 . 2009-10-27 07:19 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\CurseClient
2009-10-20 01:57 . 2009-10-20 01:57 -------- d-----w- c:\program files\Curse
2009-10-20 00:55 . 2009-10-20 01:45 -------- d-----w- c:\users\All Users\Application Data\Blizzard Entertainment
2009-10-19 20:34 . 2009-10-19 20:34 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\Yahoo
2009-10-19 20:31 . 2009-10-19 20:34 -------- d-----w- c:\users\All Users\Application Data\Yahoo!
2009-10-19 20:31 . 2009-05-26 23:50 607472 ----a-w- c:\users\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-10-19 20:29 . 2009-10-19 20:31 -------- d-----w- c:\program files\Yahoo!
2009-10-19 20:18 . 2009-10-19 20:18 0 ----a-w- c:\windows\nsreg.dat
2009-10-19 20:18 . 2009-10-19 20:18 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\Mozilla
2009-10-19 20:18 . 2009-11-06 03:20 -------- d-----w- c:\program files\World of Warcraft
2009-10-19 20:16 . 2009-10-19 20:16 -------- d-----w- c:\users\All Users\Application Data\Blizzard
2009-10-19 20:16 . 2009-10-19 22:43 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-10-19 20:11 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-10-19 20:01 . 2009-10-19 20:01 -------- d-----w- c:\users\Warrior\Local Settings\Application Data\Ahead
2009-10-19 20:01 . 2009-10-19 20:01 -------- d-----w- c:\program files\NeroInstall.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 05:16 . 2009-10-19 19:18 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-19 19:59 . 2009-10-19 19:59 -------- d-----w- c:\users\All Users\Application Data\Nero
2009-10-19 19:49 . 2009-10-19 19:54 -------- d---a-w- c:\windows\system32\config\systemprofile\Application Data\OtakuSoftware
2009-10-19 19:49 . 2009-10-19 19:49 -------- d---a-w- c:\users\Default User\Application Data\OtakuSoftware
2009-10-19 19:49 . 2009-11-09 00:42 -------- d---a-w- c:\users\Administrator\Application Data\Nero
2009-10-19 19:49 . 2009-10-19 19:57 -------- d---a-w- c:\users\Warrior\Application Data\Nero
2009-10-19 19:49 . 2009-10-19 19:54 -------- d---a-w- c:\windows\system32\config\systemprofile\Application Data\Nero
2009-10-19 19:49 . 2009-10-19 19:49 -------- d---a-w- c:\users\Default User\Application Data\Nero
2009-10-19 19:49 . 2009-11-09 00:42 -------- d---a-w- c:\users\Administrator\Application Data\LClock
2009-10-19 19:49 . 2009-10-19 19:57 -------- d---a-w- c:\users\Warrior\Application Data\LClock
2009-10-19 19:49 . 2009-10-19 19:54 -------- d---a-w- c:\windows\system32\config\systemprofile\Application Data\LClock
2009-10-19 19:49 . 2009-10-19 19:49 -------- d---a-w- c:\users\Default User\Application Data\LClock
2009-10-19 19:39 . 2009-10-19 19:39 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-19 19:38 . 2009-11-09 00:42 -------- d-----w- c:\users\Administrator\Application Data\ESTsoft
2009-10-19 19:38 . 2009-10-19 19:57 -------- d-----w- c:\users\Warrior\Application Data\ESTsoft
2009-10-19 19:38 . 2009-10-19 19:38 -------- d-----w- c:\users\Default User\Application Data\ESTsoft
2009-10-19 19:38 . 2009-10-19 19:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ESTsoft
2009-10-19 19:38 . 2009-10-19 19:37 -------- d-----w- c:\program files\Windows Live
2009-10-19 19:37 . 2009-10-19 19:36 -------- d-----w- c:\program files\Java
2009-10-19 19:36 . 2009-10-19 19:36 -------- d-----w- c:\program files\Common Files\Java
2009-10-19 19:35 . 2009-10-19 19:35 69352 ----a-w- c:\users\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-19 19:35 . 2009-10-19 19:35 -------- d-----w- c:\program files\MSBuild
2009-10-19 19:35 . 2009-10-19 19:35 -------- d-----w- c:\program files\Reference Assemblies
2009-10-19 19:30 . 2009-10-19 19:30 -------- d-----w- c:\program files\ffdshow
2009-10-19 19:21 . 2009-10-19 19:21 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-19 19:20 . 2009-10-19 19:20 -------- d-----w- c:\program files\MSXML 4.0
2009-10-19 19:15 . 2009-10-19 19:15 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-19 19:15 . 2009-10-19 19:15 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-19 15:08 . 2009-10-19 15:08 0 ----a-w- c:\windows\ativpsrm.bin
.

------- Sigcheck -------

[-] 2008-04-23 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-23 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\syscache\tcpip.sys

[-] 2008-06-27 . C9FB1A9B3F9B51F08B665542DDFEE295 . 692736 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2009-10-19 . 8E6D27A2AF24CCEB54FF41F3796B4D9C . 2190208 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe

[-] 2008-06-27 . 6616894470538493B9AAE74271F099EF . 578048 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2008-06-27 . 6F985A16C2A1E7BA60E5CF24B9F5FC25 . 1424384 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-06-27 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 21:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 17:04 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"UltimateServices"="c:\windows\System32\ultsvcs.exe" [2008-04-26 256871]
"VisualTaskTips"="c:\windows\System32\visualtasktips.exe" [2008-06-22 65536]
"TopDesk"="c:\windows\System32\topdesk.exe" [2008-03-23 1948160]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"RTUserConfig"="c:\windows\System32\rtusercfg.exe" [2008-06-28 247321]
"NeroHomeFirstStart"="c:\program files\Common Files\Nero\Lib\NMFirstStart.exe" [2008-02-28 19752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-02-28 1083176]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"klvllraq"="c:\users\Warrior\Local Settings\Application Data\ikvbvm\cbovsysguard.exe" [2009-11-08 239360]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2002-10-16 47104]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"UltimateServices"="c:\windows\System32\ultsvcs.exe" [2008-04-26 256871]
"VisualTaskTips"="c:\windows\System32\visualtasktips.exe" [2008-06-22 65536]
"TopDesk"="c:\windows\System32\topdesk.exe" [2008-03-23 1948160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"RTUserConfig"="c:\windows\System32\rtusercfg.exe" [2008-06-28 247321]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2/28/2008 12:04 PM 53032]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-07-10 21:29]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\g4zbzh0b.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(468)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(524)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2009-11-09 20:50
ComboFix-quarantined-files.txt 2009-11-09 01:50

Pre-Run: 217,199,554,560 bytes free
Post-Run: 217,855,053,824 bytes free

- - End Of File - - F2A5C59F9E1F21B0746642E63D83DCCC
hackman2007
Malware specialist
Joined: 03 Apr 2005
Posts: 9848

PostPosted: Sun Nov 08, 2009 5:59 pm

Post a HijackThis log from normal mode if you get there.

If not, post another HijackThis log from Safe Mode please.
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 6:01 pm

OK, so I rebooted and the same shit is still here. Anything that I try to do with any kind of executable results in a security alert popping up and saying that the specific XXXXX.exe is infected.
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 6:05 pm

Here is the new log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:04 PM, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecure2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecure2009.com
O1 - Hosts: 91.212.127.227 www.winsecure2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: BHO - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O3 - Toolbar: QT Breadcrumbs Address Bar - {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll (file missing)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [klvllraq] C:\Users\Warrior\Local Settings\Application Data\ikvbvm\cbovsysguard.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe
O4 - HKCU\..\Run: [VisualTaskTips] C:\WINDOWS\System32\visualtasktips.exe noTrayIcon
O4 - HKCU\..\Run: [TopDesk] C:\WINDOWS\System32\topdesk.exe
O4 - HKCU\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
O4 - HKCU\..\RunOnce: [RTUserConfig] C:\WINDOWS\System32\rtusercfg.exe
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [VisualTaskTips] C:\WINDOWS\System32\visualtasktips.exe noTrayIcon (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [TopDesk] C:\WINDOWS\System32\topdesk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4833 bytes
hackman2007
Malware specialist
Joined: 03 Apr 2005
Posts: 9848

PostPosted: Sun Nov 08, 2009 6:36 pm

Will post updated instructions in a few minutes.
hackman2007
Malware specialist
Joined: 03 Apr 2005
Posts: 9848

PostPosted: Sun Nov 08, 2009 6:44 pm

1. Fix with HijackThis
Please re-open HijackThis and put checkmarks next to the following entries:

O1 - Hosts: 91.212.127.227 winsecure2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecure2009.com
O1 - Hosts: 91.212.127.227 www.winsecure2009.com

O2 - BHO: BHO - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll

O4 - HKLM\..\Run: [klvllraq] C:\Users\Warrior\Local Settings\Application Data\ikvbvm\cbovsysguard.exe
O4 - HKCU\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe
O4 - HKCU\..\RunOnce: [RTUserConfig] C:\WINDOWS\System32\rtusercfg.exe
O4 - HKUS\S-1-5-18\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe (User 'SYSTEM')

Now click Fix Checked.


Try booting into Normal Mode again, will it let you run anything this time?
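As an added defender-side illustration (not code from this thread, from HijackThis or from either poster), the Python script below parses the O1, O2 and O4 lines hackman2007 singled out and flags the patterns behind that fix list: hosts-file entries that point a name other than localhost at a routable address (here a microsoft.com subdomain redirected to 91.212.127.227, so a browser visiting that name lands on whatever sits at that address instead of Microsoft), BHOs whose display name is empty or just "BHO", and Run entries whose executable lives under a user profile's Application Data tree. The sample log is a constructed subset of the lines posted above; the regexes, heuristics and function names are my own assumptions and produce triage candidates, not verdicts.

```python
"""Triage HijackThis O1/O2/O4 entries for the patterns behind the fix list above.
Added example; heuristics and names are the editor's assumptions, not HijackThis's."""
import re
from ipaddress import ip_address

# Constructed sample: a subset of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecure2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecure2009.com
O1 - Hosts: 91.212.127.227 www.winsecure2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe
O4 - HKLM\..\Run: [klvllraq] C:\Users\Warrior\Local Settings\Application Data\ikvbvm\cbovsysguard.exe
O4 - HKCU\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe
"""

# Line shapes as HijackThis 2.0.x prints them (patterns written for this example).
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROFILE_DIR_RE = re.compile(r"\\(Local Settings\\)?Application Data\\", re.IGNORECASE)
GENERIC_BHO_NAMES = {"", "bho", "(no name)"}


def is_hosts_hijack(ip, host):
    """A hosts line that maps any name other than localhost to a routable address
    overrides DNS for that name. Loopback and 0.0.0.0 targets are how ad-blocking
    hosts files sink domains, so only a real redirect counts."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # a hosts line that is not even a valid address deserves a look
    if host.lower() == "localhost":
        return False
    return not (addr.is_loopback or addr.is_unspecified)


def is_suspicious_bho(name):
    """Legitimate BHOs register a descriptive display name; malware often registers
    none, which HijackThis renders as a bare 'BHO' or '(no name)'."""
    return name.strip().lower() in GENERIC_BHO_NAMES


def is_suspicious_run_entry(cmd):
    """Autoruns that execute from inside a user profile's Application Data tree are
    writable without admin rights, which is where droppers running as the user land.
    Some legitimate updaters live there too, so this is a triage flag, not a verdict."""
    return PROFILE_DIR_RE.search(cmd) is not None


def triage(log_text):
    """Return (section, reason, original line) for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O1_RE.match(line)
        if m:
            if is_hosts_hijack(m["ip"], m["host"]):
                findings.append(("O1", f"hosts redirect {m['host']} -> {m['ip']}", line))
            continue
        m = O2_RE.match(line)
        if m:
            if is_suspicious_bho(m["name"]):
                findings.append(("O2", f"BHO without a display name: {m['path']}", line))
            continue
        m = O4_RE.match(line)
        if m and is_suspicious_run_entry(m["cmd"]):
            findings.append(("O4", f"{m['key']} entry from a profile directory: {m['cmd']}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run as a script it prints five findings: the three hosts redirects, the nameless BHO in system32, and the klvllraq autorun under the Warrior profile. The ultsvcs.exe and rtusercfg.exe entries in the fix list are not caught by these heuristics, which is the reason for posting logs to a specialist: a generic pattern match finds the obvious hijacks, and the rest needs someone who recognises the file names.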
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 7:08 pm

OK, so I get a popup box that says


Security Warning

Application cannot be executed. The file superantispyware.exe is infected.
do you want to activate your antivirus software now?

yes no



Then it just closes what I try to install.

The thing is, I uninstalled AVG from this computer. Some of the programs were linked to it.

I still can't run SUPERAntiSpyware from safe mode.

I can install and run things in safe mode.

What to do???? What to do???
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 7:27 pm

Whenever I try to run SUPERAntiSpyware in safe mode it comes up with "the System Administrator has set policies to prevent this installation". It also does this for ESET Smart Security 4.
hackman2007
Malware specialist
Joined: 03 Apr 2005
Posts: 9848

PostPosted: Sun Nov 08, 2009 7:31 pm

All right,

Try downloading and running the tool mentioned in the third post of This Thread.

Restart the computer. Then try to run SUPERAntiSpyware again and let me know what happens.
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 7:46 pm    Post subject:

I can run it. Wooohoooo. OK, gonna do a scan and clean; I will post a HijackThis log after.
hackman2007
Malware specialist
Joined: 03 Apr 2005
Posts: 9848

PostPosted: Sun Nov 08, 2009 8:08 pm    Post subject:

graydiggy wrote:
I can run it. Wooohoooo. OK, gonna do a scan and clean; I will post a HijackThis log after.


Can you post a logfile from the program you run as well?
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 8:14 pm    Post subject:

OK, so here is the HijackThis log.

Got rid of most of it, but I still have the thing stopping executables, and some Antivirus System Pro thing.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:20 PM, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\visualtasktips.exe
C:\WINDOWS\System32\topdesk.exe
C:\Users\Warrior\Application Data\LClock\lclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\WINDOWS\system32\ultdrvmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecure2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecure2009.com
O1 - Hosts: 91.212.127.227 www.winsecure2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: BHO - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O3 - Toolbar: QT Breadcrumbs Address Bar - {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll (file missing)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe
O4 - HKCU\..\Run: [VisualTaskTips] C:\WINDOWS\System32\visualtasktips.exe noTrayIcon
O4 - HKCU\..\Run: [TopDesk] C:\WINDOWS\System32\topdesk.exe
O4 - HKCU\..\Run: [LClock] C:\Users\Warrior\Application Data\LClock\lclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [klvllraq] C:\Users\Warrior\Local Settings\Application Data\ikvbvm\cbovsysguard.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [VisualTaskTips] C:\WINDOWS\System32\visualtasktips.exe noTrayIcon (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [TopDesk] C:\WINDOWS\System32\topdesk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5465 bytes
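The O1, O2 and O4 entries hackman2007 marked for "Fix Checked" earlier, and the leftovers in the Normal-mode log just posted, follow patterns a triage script can pick out: hosts-file lines that point a name anywhere but loopback, a BHO whose display name says nothing about its publisher, and Run entries with a machine-generated value name launching from a per-user data directory. The Python below is an added example, not code from this thread, from HijackThis or from Trend Micro. The sample lines are copied from the logs quoted in the thread; the thresholds (a run of five consonants counts as random, two indicators make an entry "likely") are this example's own assumptions.

```python
"""Triage a HijackThis log for the entry types discussed in this thread.

Added example, not part of the original forum post and not code from
HijackThis or Trend Micro. The sample lines are copied from the logs quoted
in the thread; the scoring thresholds are this example's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the entries the helper asked the poster to fix, mixed
# with benign lines from the same logs so the heuristics see both kinds.
SAMPLE_LINES = [
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 91.212.127.227 winsecure2009.microsoft.com",
    r"O1 - Hosts: 91.212.127.227 winsecure2009.com",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: BHO - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [klvllraq] C:\Users\Warrior\Local Settings\Application Data\ikvbvm\cbovsysguard.exe",
    r"O4 - HKCU\..\Run: [LClock] C:\Users\Warrior\Application Data\LClock\lclock.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe (User 'SYSTEM')",
]

# Line shapes of the three HijackThis sections examined here.
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Addresses a hosts file legitimately maps names to; anything else is a redirect.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# BHO display names that carry no information about the publisher.
GENERIC_BHO_NAMES = {"", "bho", "(no name)"}
# Per-user data directories that installers rarely use for autostart binaries
# but that user-level malware on XP commonly does.
USER_DATA_DIR_RE = re.compile(r"\\(Local Settings|Application Data|AppData|Temp)\\", re.I)
MAX_CONSONANT_RUN = 5  # assumption: a run this long reads as machine-generated


def longest_consonant_run(name: str) -> int:
    """Length of the longest run of consonant letters in a value name."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str) -> bool:
    """Heuristic for value names like 'klvllraq' that no installer would choose."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) >= 6 and not any(c in "aeiouy" for c in letters):
        return True
    return longest_consonant_run(name) >= MAX_CONSONANT_RUN


def triage_line(line: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) for one log line.

    verdict is 'likely', 'review' or 'ok'. Only O1, O2 and O4 entries are
    examined; any other section type comes back as 'ok' with no reasons.
    """
    reasons: List[str] = []

    m = HOSTS_RE.match(line)
    if m:
        if m["addr"] not in LOOPBACK:
            reasons.append(f"hosts file redirects {m['host']} to {m['addr']}")
        return ("likely" if reasons else "ok", reasons)

    m = BHO_RE.match(line)
    if m:
        if m["name"].strip().lower() in GENERIC_BHO_NAMES:
            reasons.append(f"BHO with generic name loads {m['path']}")
        return ("likely" if reasons else "ok", reasons)

    m = RUN_RE.match(line)
    if m:
        if USER_DATA_DIR_RE.search(m["cmd"]):
            reasons.append("autostart binary lives in a per-user data directory")
        if looks_random(m["name"]):
            reasons.append(f"value name '{m['name']}' looks machine-generated")
        if len(reasons) >= 2:  # two independent indicators: call it likely
            return ("likely", reasons)
        return ("review" if reasons else "ok", reasons)

    return ("ok", reasons)


def triage_log(lines: List[str]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group every non-'ok' line under its verdict."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {"likely": [], "review": []}
    for line in lines:
        verdict, reasons = triage_line(line.rstrip())
        if verdict != "ok":
            report[verdict].append((line, reasons))
    return report


if __name__ == "__main__":
    for verdict, hits in triage_log(SAMPLE_LINES).items():
        print(f"== {verdict} ==")
        for line, reasons in hits:
            print(line)
            for reason in reasons:
                print("   -", reason)
```

Run against the sample, the two winsecure2009 hosts redirects, the generic-named iehelper.dll BHO and the klvllraq Run entry come back as "likely", while LClock is graded "review": it does live under Application Data, but its value name is a real product's. The heuristics miss ultsvcs.exe entirely, since "UltimateServices" reads like a plausible service name and the file sits in System32; an entry like that is only identifiable from a known-bad list or by examining the file, which is why the helper still reads the whole log by hand.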
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Sun Nov 08, 2009 9:08 pm    Post subject:

Here is the ESET NOD32 log file.


Scan Log
Version of virus signature database: 4586 (20091108)
Date: 11/8/2009 Time: 11:44:06 PM
Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
C:\hiberfil.sys - error opening [4]
C:\pagefile.sys - error opening [4]
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip » ZIP » lib/deploy/ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip » ZIP » lib/resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip » ZIP » lib/resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\core3.zip » ZIP » lib/resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre1.6.0_06\lib\resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre1.6.0_06\lib\resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre1.6.0_06\lib\resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre1.6.0_06\lib\deploy\ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\comm.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\pippki.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Nero\Nero8\Nero Burning Rom\CDI\CDI_VCD.CFG » MIME - is OK (internal scanning not performed)
C:\Qoobox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir - Win32/Adware.SpywareProtect2009 application - cleaned by deleting - quarantined [1]
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {182958D0-F508-4A1F-A74B-10C4CC20EABC} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {22C050B5-69EA-43DE-820D-6AAE1209FF3C} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {232D7BE4-2F80-459B-B3CF-CF08888AE978} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {26043760-FA2B-4E7B-8472-A9A647A12CF9} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {2EE2F29B-E496-4622-9DB0-48881BCFDDBB} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {38EE0070-2587-4A1F-A91A-B41412D1D453} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {3AB6CC52-9ECD-4704-969D-C3521EF77E0D} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {3CA80F0A-BEE6-47C2-A6BB-D20A742EEBDF} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {48F16DFC-DD60-4B73-A18E-C27166239847} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {4A14F037-D3B9-4EB7-9C72-654D06C37DD4} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {645B1B85-628B-4FF7-BD8E-EF782980469C} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {66F85212-8B2C-4985-97D1-886B063B796E} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {8453F73E-8745-46BE-8146-5263CDB3B900} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {998E1952-8DC2-461F-84DC-42B562188F1E} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {9B396276-CE45-4560-914F-7C52521B15FA} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {A734DDA3-D8FF-4745-83E4-8F7A20FEE948} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {B361F138-E3C6-4548-ABC3-6B9170C6F71C} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {B36FD87E-5744-407E-8D7F-D3A82EBD2E6C} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {BA229FEC-F955-41C3-A9CB-0526788EEDDF} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {BF417322-45BD-42A3-9552-8720F941D292} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {C29CE395-DB15-47AE-8EA4-CD4EC6AEA465} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {C717E0D9-882F-4FF2-8ACD-264B3D448664} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {C958732B-2157-4462-9592-3D7F105967DE} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {D9F1045E-A89F-4C53-A66E-2E0F70F8F46E} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {DE428597-0429-4A4A-A2CC-DC2C1989EAA5} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {F07D35E9-EA1E-4F73-A188-37170F9C3B49} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » {F4D20D61-08E8-4136-8BC7-6EE0F6ED5825} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-06-48.SBU » ZIP » backup.db - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-20-02.SBU » ZIP » {1C672047-2BF5-48F9-8424-B9823CFCD793} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-20-02.SBU » ZIP » {8650CA1F-5DAF-42AE-BFC2-6574E655EF32} - error - password-protected file
C:\Users\Warrior\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-08-2009 - 23-20-02.SBU » ZIP » backup.db - error - password-protected file
Number of scanned objects: 95686
Number of threats found: 1
Number of cleaned objects: 1
Time of completion: 12:07:40 AM Total scanning time: 1414 sec (00:23:34)

Notes:
[1] Object has been deleted as it only contained the virus body.
[4] Object cannot be opened. It may be in use by another application or operating system.
hackman2007
Malware specialist
Joined: 03 Apr 2005
Posts: 9848

PostPosted: Mon Nov 09, 2009 5:02 am    Post subject:

Does SUPERAntiSpyware work? If so, can you please run that program?
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Mon Nov 09, 2009 6:40 am    Post subject:

I ran that and it got rid of most of the crap, but it left 2 or 3 things on here from the Antivirus Pro thingy. I had to go into the Task Manager and stop them manually, but a restart will make them turn back on.
hackman2007
Malware specialist
Joined: 03 Apr 2005
Posts: 9848

PostPosted: Mon Nov 09, 2009 6:53 am    Post subject:

graydiggy wrote:
I ran that and it got rid of most of the crap, but it left 2 or 3 things on here from the Antivirus Pro thingy. I had to go into the Task Manager and stop them manually, but a restart will make them turn back on.


Can you get me the logfile from SAS? I might be able to get rid of the rest of it manually.
graydiggy
Team Member Top 100
Joined: 15 Apr 2009
Posts: 710

PostPosted: Mon Nov 09, 2009 7:04 am    Post subject:

I'm running the scan right now. I should have it in about 10 to 15 mins.
Powered by phpBB © 2001, 2005 phpBB Group
Future © 2008 Future US, Inc. All Rights Reserved.