Topic: My log from ComboFix, what I do?


haydee

  • Guest
My log from ComboFix, what I do?
« on: June 09, 2007, 02:13:40 AM »
part 1

"Rosa Alonso" - 2007-06-08 18:55:43    Service Pack 2  NTFS 
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Rosa Alonso.COQUI\Desktop\"


((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak2
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak2
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.tmp
C:\WINDOWS\system32\vtutr.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\DOCUME~1\ROSAAL~1.COQ\MYDOCU~1\CROSOF~1.NET
C:\DOCUME~1\ROSAAL~1.COQ\STARTM~1\Programs.\PornoPlayer
C:\DOCUME~1\ROSAAL~1.COQ\STARTM~1\Programs.\PornoPlayer\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\0b9
C:\Temp\0b9\tmpTF.logHiJackthis log
C:\Temp\tn3
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\system32\CROSOF~1.NET
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\kdaql.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\wr.txt

haydee
Re: My log from ComboFix, what I do?
« Reply #1 on: June 09, 2007, 02:15:03 AM »
continuation


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
-------\Windows Overlay Components


(((((((((((((((((((((((((   Files Created from 2007-05-08 to 2007-06-08  )))))))))))))))))))))))))))))))


2007-06-07 21:07   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-07 16:46   58,420   --a------   C:\WINDOWS\system32\xanjvlym.dll
2007-06-06 20:46   94,424   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 20:46   90,112   --a------   C:\WINDOWS\system32\AVASTSS.scr
2007-06-06 20:46   85,952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 20:46   689,280   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-06-06 20:46   43,176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-06 20:46   31,560   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-06 20:46   23,352   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-06 16:51   <DIR>   d--hsc---   C:\UWA7P
2007-06-06 16:49   <DIR>   d--------   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\WinAntiVirus Pro 2007
2007-06-06 16:48   <DIR>   dr-------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-06 16:46   89,088   --a------   C:\WINDOWS\system32\atl71.dll
2007-06-06 16:46   8,704   --a------   C:\WINDOWS\system32\SpOrder.dll
2007-06-06 16:46   24,064   --a------   C:\WINDOWS\system32\msxml3a.dll
2007-06-06 16:46   <DIR>   d--------   C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-06-06 16:46   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-06 16:45   2,580   --a------   C:\WINDOWS\system32\itidslmy.exe
2007-06-06 16:42   131,124   --a------   C:\WINDOWS\system32\kyhbmcpi.dll
2007-06-06 16:41   33,302   --a------   C:\WINDOWS\system32\opnmnmm.dll
2007-06-06 16:40   55,316   --a------   C:\WINDOWS\system32\nqquvbep.dll
2007-06-06 16:31   2   --a------   C:\WINDOWS\system32\wcpisvit.exe
2007-06-06 16:30   771,920   -r-hs----   C:\WINDOWS\oaftrobA.exe
2007-06-06 16:30   46,592   --a------   C:\WINDOWS\oaftrob.exe
2007-06-06 16:29   <DIR>   d--------   C:\WINDOWS\system32\TQ0
2007-06-06 16:29   <DIR>   d--------   C:\WINDOWS\system32\T6
2007-06-06 16:28   33,302   --a------   C:\WINDOWS\system32\byxurrr.dll
2007-06-06 16:28   <DIR>   d----c---   C:\Temp\x2b
2007-06-06 16:28   <DIR>   d----c---   C:\Temp
2007-06-06 16:28   <DIR>   d--------   C:\WINDOWS\system32\T1QaSQ
2007-05-22 09:24   <DIR>   d--------   C:\Program Files\GamesBar
2007-05-22 09:24   <DIR>   d--------   C:\Program Files\Comcast Play Games
2007-05-22 09:24   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tarma Installer
2007-05-22 09:24   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\GamesBar
2007-05-18 17:51   <DIR>   d--------   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\Talkback
2007-05-15 17:50   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-15 17:38   <DIR>   d--------   C:\Program Files\CCleaner
2007-05-15 15:13   29,704   --a------   C:\WINDOWS\system32\uxtuneup.dll
2007-05-15 15:13   <DIR>   d--------   C:\Program Files\TuneUp Utilities 2007
2007-05-15 15:13   <DIR>   d--------   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\TuneUp Software
2007-05-15 15:12   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-05-15 15:12   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-05-09 21:22   59,264   --a------   C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-05-09 21:13   <DIR>   d--------   C:\Program Files\Common Files\logishrd
2007-05-09 21:11   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-08 17:17   <DIR>   d--------   C:\Program Files\Alwil Software
2007-05-08 17:04   <DIR>   d--------   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\Sammsoft
2007-05-08 14:50   <DIR>   d--------   C:\Program Files\RegistryPatrol3.0
2007-05-08 14:26   <DIR>   d--------   C:\Program Files\XPMedic


haydee
Re: My log from ComboFix, what I do?
« Reply #2 on: June 09, 2007, 02:15:56 AM »
continuation


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 02:12:46   --------   d--h--w   C:\Program Files\WindowsUpdate
2007-06-06 21:22:02   --------   d-----w   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\ComcastToolbar
2007-05-15 22:38:49   --------   d-----w   C:\Program Files\Yahoo!
2007-05-15 20:23:40   --------   d-----w   C:\Program Files\RamBooster 2.0
2007-05-09 21:05:02   --------   d-----w   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\Yahoo!
2007-05-09 18:57:40   --------   d-----w   C:\Program Files\The Rise Of Atlantis
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-18 12:35:55   --------   d-----w   C:\Program Files\ComcastToolbar
2007-04-17 03:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-04-17 03:44:20   271,224   ----a-w   C:\WINDOWS\system32\mucltui.dll
2007-04-17 03:44:18   208,248   ----a-w   C:\WINDOWS\system32\muweb.dll
2007-04-10 13:27:32   --------   d-----w   C:\Program Files\Common Files\InstallShield
2007-04-10 13:27:13   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-10 13:10:54   --------   d-----w   C:\Program Files\iWin Games
2007-04-09 15:52:50   --------   d-----w   C:\Program Files\iWin.com
2007-04-09 13:26:11   --------   d-----w   C:\Program Files\Oberon Media
2007-04-08 22:03:48   --------   d-----w   C:\Program Files\BFG
2007-03-17 13:43:01   292,864   ----a-w   C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28   577,536   ----a-w   C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28   40,960   ----a-w   C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28   281,600   ----a-w   C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48   1,843,584   ----a-w   C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-14 23:47]
{08C134D3-087C-4139-A98C-3A078358DFDE}=C:\WINDOWS\system32\byxurrr.dll [2007-06-06 16:28]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}=C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL [2006-11-07 14:21]
{58CAD45F-1435-432C-3ABC-6E148B3BE658}=C:\Program Files\Windows Media Player\lavufaw.dll []
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-01-06 11:52]
{6F282B65-56BF-4BD1-A8B2-A4449A05863D}=C:\Program Files\GamesBar\oberontb.dll [2006-07-06 14:54]
{7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED}=C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll [2006-01-19 18:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{B12B391A-A0A7-FB27-D97F-89ADA897299D}=C:\WINDOWS\system32\dakv.dll []
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 15:04]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\xanjvlym.dll [2007-06-07 16:46]
{F1CEB0E0-FB0E-4F79-8019-3031A22FCF7D}=C:\Program Files\WindowsUpdate\hokel.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 12:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-21 11:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"="C:\WINDOWS\system32\byxurrr.dll" [2007-06-06 16:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxurrr]
byxurrr.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AOL"=C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe /d locale=en-US ee://aol/browserapp
"Crao"="C:\WINDOWS\system32\CROSOF~1.NET\dexplore.exe" -vt yazb
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" /AUTO
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Program Files\Common Files\AOL\1152373256\ee\AOLSoftware.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"runner1"=C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
"VTPreset"=VTPreset.exe
"Configuration Manager"=C:\WINDOWS\cfg32.exe
"oaftrobA"=C:\WINDOWS\oaftrobA.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-06-08 22:15:00  C:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 19:47:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 19:48:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-08 19:48

   --- E O F ---

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My log from ComboFix, what I do?
« Reply #3 on: June 09, 2007, 12:15:06 PM »
Hi Haydee, looking at the log now. For HijackThis see below.


* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Offline essexboy
Re: My log from ComboFix, what I do?
« Reply #4 on: June 09, 2007, 12:23:47 PM »
Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\xanjvlym.dll
C:\UWA7P
C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\WINDOWS\system32\itidslmy.exe
C:\WINDOWS\system32\kyhbmcpi.dll
C:\WINDOWS\system32\opnmnmm.dll
C:\WINDOWS\system32\nqquvbep.dll
C:\WINDOWS\system32\wcpisvit.exe
C:\WINDOWS\oaftrobA.exe
C:\WINDOWS\oaftrob.exe
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\byxurrr.dll
C:\Temp\x2b
C:\WINDOWS\system32\T1QaSQ


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


I will now wait for your Hijackthis log before proceeding

haydee
Re: My log from ComboFix, what I do?
« Reply #5 on: June 09, 2007, 03:51:50 PM »
THANKS A LOT! HERE IS THE LOG.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:55 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1152373256\ee\aolsoftware.exe
c:\program files\common files\aol\1152373256\ee\aexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SE/1?http://toolbar.msn.com/installsuccess.aspx&&FORM=TOOLBR&DI=2883&CM=MsgrInstall
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\xdhfuohf.dll",realset
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154116431296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154448063656
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5E6B29-A553-4AC4-B600-CC7163D8A16A}: NameServer = 85.255.115.99,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BC450B-465B-4BD1-8A55-F3375020F1A7}: NameServer = 85.255.115.99,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.99 85.255.112.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


haydee
Re: My log from ComboFix, what I do?
« Reply #6 on: June 09, 2007, 05:39:34 PM »
Results of the OTMoveIt

This is what I got but it asked me to reboot and I did it.
Then I ran it again (pasting the log you sent me again)
and it keeps on asking me to reboot.
Should I paste the results on the move it side and do it again?

File/Folder C:\WINDOWS\system32\xanjvlym.dll not found.
File/Folder C:\UWA7P not found.
File/Folder C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\WinAntiVirus Pro 2007 not found.
File/Folder C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor not found.
File/Folder C:\Program Files\Common Files\WinAntiVirus Pro 2007 not found.
File/Folder C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007 not found.
File/Folder C:\WINDOWS\system32\itidslmy.exe not found.
File/Folder C:\WINDOWS\system32\kyhbmcpi.dll not found.
File/Folder C:\WINDOWS\system32\opnmnmm.dll not found.
File/Folder C:\WINDOWS\system32\nqquvbep.dll not found.
File/Folder C:\WINDOWS\system32\wcpisvit.exe not found.
File/Folder C:\WINDOWS\oaftrobA.exe not found.
File/Folder C:\WINDOWS\oaftrob.exe not found.
File/Folder C:\WINDOWS\system32\TQ0 not found.
File/Folder C:\WINDOWS\system32\T6 not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\byxurrr.dll
C:\WINDOWS\system32\byxurrr.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\byxurrr.dll scheduled to be moved on reboot.
File/Folder C:\Temp\x2b not found.
File/Folder C:\WINDOWS\system32\T1QaSQ not found.
File/Folder  not found.
 
Created on 06/09/2007 11:32:25

Offline essexboy
Re: My log from ComboFix, what I do?
« Reply #7 on: June 09, 2007, 06:55:21 PM »
Hmmm, a nice little menagerie here, so to work: I would recommend that you copy this post to a text file, as at times you will be offline. And no, OTMoveIt got them the first time; once it has rebooted you are done.

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please save the text that will open (report.txt)

_______________________________________

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below. (some may no longer be present)

R3 - URLSearchHook: (no name) -  - (no file)
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\xdhfuohf.dll",realset
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5E6B29-A553-4AC4-B600-CC7163D8A16A}: NameServer = 85.255.115.99,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BC450B-465B-4BD1-8A55-F3375020F1A7}: NameServer = 85.255.115.99,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.99 85.255.112.90

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.

_____________________________________

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\GamesBar
C:\WINDOWS\system32\xdhfuohf.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

____________________________________

And the deep digger for the files hiding:

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

A lot of work, but trust me, it will be worth it.

Logs required are: Report.txt, OTMoveIt and WinPFind.
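
The fix list above is the helper's manual triage of the HijackThis log posted in Reply #5. As an added example (not code from this thread, from HijackThis, ComboFix or any of the tools named above), the following Python script applies the same three rules automatically: O17 NameServer overrides that point at resolvers outside the private ranges (the 85.255.x.x pair in the log), O4 Run entries that load a DLL through rundll32 from the system directory, and entries marked "(no file)". The sample lines are constructed to match the shape of the log above; the allow-list of expected public resolvers is an assumption of this example and is empty by default.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not code from the thread, from
HijackThis, ComboFix or any of the tools named above. It flags the kinds of
entries the helper asked to have fixed: O17 NameServer overrides pointing at
resolvers outside the private ranges, O4 Run entries that load a DLL through
rundll32 from the system directory, and entries marked "(no file)".
"""
import ipaddress
import re

# Constructed sample lines in the shape of the HijackThis log posted in this
# thread (real logs are much longer; these are enough to exercise every rule).
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\xdhfuohf.dll",realset',
    r"R3 - URLSearchHook: (no name) -  - (no file)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5E6B29-A553-4AC4-B600-CC7163D8A16A}: NameServer = 85.255.115.99,85.255.112.90",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.99 85.255.112.90",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1",
    r"O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe",
])

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_nameservers(field):
    """Split the NameServer value. HijackThis shows the per-interface keys
    comma-separated and the Parameters key space-separated (both occur above)."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def is_expected_dns(addr, allowed=frozenset()):
    """A resolver is expected if it is a private or loopback address (a home
    router) or is on the caller's allow-list of known public resolvers. The
    allow-list is an assumption of this example and is empty by default."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or addr in allowed


def triage_line(line, allowed_dns=frozenset()):
    """Return a reason string if the line deserves review, else None."""
    line = line.rstrip()
    if "(no file)" in line:
        return "orphaned entry: registry points at a file that is no longer on disk"
    m = O17_RE.match(line)
    if m:
        bad = [s for s in parse_nameservers(m.group("servers"))
               if not is_expected_dns(s, allowed_dns)]
        if bad:
            return "DNS override to unexpected resolver(s): " + ", ".join(bad)
        return None
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").lower()
        if cmd.startswith("rundll32") and "\\system32\\" in cmd:
            return ("Run entry loads a DLL via rundll32 from the system directory "
                    "(%s); confirm the DLL is a known component" % m.group("name"))
    return None


def triage_log(text, allowed_dns=frozenset()):
    """Run triage_line over a whole log; returns [(line, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw, allowed_dns)
        if reason:
            findings.append((raw.rstrip(), reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print("%s\n    -> %s" % (entry, why))
```

Run against the constructed sample it reports exactly the four lines the helper singled out (the rundll32 entry, the orphaned URLSearchHook, and the two O17 overrides) and stays quiet on the avast! entry, the Sygate service and a router address. The rundll32 rule is deliberately a "review this" signal rather than a verdict, because legitimate vendors also start components that way; the DNS rule is the strong one, since a workstation whose resolver has been silently pointed at public addresses it never configured is exactly what the FixWareout step in this thread is for.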

haydee
Re: My log from ComboFix, what I do?
« Reply #8 on: June 09, 2007, 10:05:07 PM »
Hi, thanks a million.
I'm working on this. I have done everything up to this part.
Quote
Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Close ALL OTHER PROGRAMS.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

Now click the Run Scan button on the toolbar.

Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
I downloaded the WinPFind3u but when I clicked on "Run" the word scan is not anywhere. Immediately after I click Run a small window appears. This is what it says: Zip Central Self Extracting Archive (Freeware).
Extract to C:\Documents and settings\Rosa Alonso.COQUI\Desktop
WinPFind3u/MovedFiles/
WinPFind3u/patterns.txt
WinPFind3u/Plugins/
WinPFind3u/WinPFind3U.exe
Then it gives three options (Extract, Close, About..)
Below it says: Existing Files  Confirm overwrite, Don't overwrite, Overwrite

I don't know what to do.

Offline essexboy
Re: My log from ComboFix, what I do?
« Reply #9 on: June 09, 2007, 11:16:24 PM »
Ok, just go Extract and the files will be extracted to a folder on your desktop called winpfind3u; the winpfind.exe file will be in there. I must make that clearer in my canned fix, thank you for bringing it to my attention.

haydee
Re: My log from ComboFix, what I do?
« Reply #10 on: June 10, 2007, 12:40:32 AM »
Quote
Then it gives three options (Extract, Close, About..)
Below it says: Existing Files  Confirm overwrite, Don't overwrite, Overwrite

It has selected Confirm Overwrite by itself.
Is that ok, or should I select Don't overwrite or Overwrite?

Cause this is what happened.
I opened the folder that appeared on my desktop. It says at the top WinPFind3U by OldTimer - Version 1.0.38
and it contains 4 more things in it.
1.patterns
2. Moved Files
3. Plugins
4. WinPFind3U

I opened WinPFind3U and a big square appeared where it says on the left side
Run scan

Basic Scan Options

Processes  none  .non-microsoft    all

Win32Services
none     .non-microsoft      all

Driver Services
.none       non-microsoft      all

Registry
none        .non-microsoft      all

Files/folders Create within
none       .30 Days       60 Days     90 Days


On the right side  Run Fix

Paste fix here

Then In the middle of this it says Additional Scans

(checked) Non-Microsoft Only  Select All  Unselect All

Here then there is a list that I can't copy but I will write some.
They have a tiny square to the side to select or unselect.

Reg-Activex StubPath
Reg-Approved Shell Extension
Reg-BotCheck
Reg-ColumnHandlers

and so on

haydee (so grateful for your help)

haydee
Re: My log from ComboFix, what I do?
« Reply #11 on: June 10, 2007, 01:10:55 AM »
I opened Patterns and I got this:

Patterns notepad

UPX!
FSG!
PEC2
PECompact2
Umonitor
qoologic
aspack
PTech
urllogic
ad-beh
ad-behNior.com
sYVLLSAKY
_rtneg3
SAHAgent
buddy.exe
ZepMon
aurora.exe
;2x(V]@BMD
Tlji7Mk
urllogic
KavSvc
69.59.186.63
209.66.67.134
66.63.167.97
66.63.167.77
abetterinternet.com
8B!7F\(T
testpopup
web-nex
yourkey
winsync
rec2_run
WinShutDown
ad-w-a-r-e.com
WSUD
Call (RPC) Help
lightspeedsarch
NIWU.UWIN
UpackByDwing
MZKERNEL32.DLL
UPX0
nspack$
Win32 only!
Thawte Consulting
USERTRUST
CNNIC

Moved Files and Plugins are blank.

Offline essexboy
Re: My log from ComboFix, what I do?
« Reply #12 on: June 10, 2007, 12:52:18 PM »
This is the file to select
This is the button to press

haydee
Re: My log from ComboFix, what I do?
« Reply #13 on: June 10, 2007, 09:21:23 PM »
essexboy

Since this is my daughter's computer and it is in her room, I have had a lot of interruptions doing this and I have lost track. I'm not 20 yo anymore.
Ok, here I'm sending the ComboFix from June 8.
"Rosa Alonso" - 2007-06-08 18:55:43    Service Pack 2  NTFS 
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Rosa Alonso.COQUI\Desktop\"


((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak2
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak2
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.tmp
C:\WINDOWS\system32\vtutr.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\DOCUME~1\ROSAAL~1.COQ\MYDOCU~1\CROSOF~1.NET
C:\DOCUME~1\ROSAAL~1.COQ\STARTM~1\Programs.\PornoPlayer
C:\DOCUME~1\ROSAAL~1.COQ\STARTM~1\Programs.\PornoPlayer\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\0b9
C:\Temp\0b9\tmpTF.logHiJackthis log
C:\Temp\tn3
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\system32\CROSOF~1.NET
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\kdaql.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\wr.txt


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
-------\Windows Overlay Components


(((((((((((((((((((((((((   Files Created from 2007-05-08 to 2007-06-08  )))))))))))))))))))))))))))))))


2007-06-07 21:07   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-07 16:46   58,420   --a------   C:\WINDOWS\system32\xanjvlym.dll
2007-06-06 20:46   94,424   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 20:46   90,112   --a------   C:\WINDOWS\system32\AVASTSS.scr
2007-06-06 20:46   85,952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 20:46   689,280   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-06-06 20:46   43,176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-06 20:46   31,560   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-06 20:46   23,352   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-06 16:51   <DIR>   d--hsc---   C:\UWA7P
2007-06-06 16:49   <DIR>   d--------   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\WinAntiVirus Pro 2007
2007-06-06 16:48   <DIR>   dr-------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-06 16:46   89,088   --a------   C:\WINDOWS\system32\atl71.dll
2007-06-06 16:46   8,704   --a------   C:\WINDOWS\system32\SpOrder.dll
2007-06-06 16:46   24,064   --a------   C:\WINDOWS\system32\msxml3a.dll
2007-06-06 16:46   <DIR>   d--------   C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-06-06 16:46   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-06 16:45   2,580   --a------   C:\WINDOWS\system32\itidslmy.exe
2007-06-06 16:42   131,124   --a------   C:\WINDOWS\system32\kyhbmcpi.dll
2007-06-06 16:41   33,302   --a------   C:\WINDOWS\system32\opnmnmm.dll
2007-06-06 16:40   55,316   --a------   C:\WINDOWS\system32\nqquvbep.dll
2007-06-06 16:31   2   --a------   C:\WINDOWS\system32\wcpisvit.exe
2007-06-06 16:30   771,920   -r-hs----   C:\WINDOWS\oaftrobA.exe
2007-06-06 16:30   46,592   --a------   C:\WINDOWS\oaftrob.exe
2007-06-06 16:29   <DIR>   d--------   C:\WINDOWS\system32\TQ0
2007-06-06 16:29   <DIR>   d--------   C:\WINDOWS\system32\T6
2007-06-06 16:28   33,302   --a------   C:\WINDOWS\system32\byxurrr.dll
2007-06-06 16:28   <DIR>   d----c---   C:\Temp\x2b
2007-06-06 16:28   <DIR>   d----c---   C:\Temp
2007-06-06 16:28   <DIR>   d--------   C:\WINDOWS\system32\T1QaSQ
2007-05-22 09:24   <DIR>   d--------   C:\Program Files\GamesBar
2007-05-22 09:24   <DIR>   d--------   C:\Program Files\Comcast Play Games
2007-05-22 09:24   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tarma Installer
2007-05-22 09:24   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\GamesBar
2007-05-18 17:51   <DIR>   d--------   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\Talkback
2007-05-15 17:50   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-15 17:38   <DIR>   d--------   C:\Program Files\CCleaner
2007-05-15 15:13   29,704   --a------   C:\WINDOWS\system32\uxtuneup.dll
2007-05-15 15:13   <DIR>   d--------   C:\Program Files\TuneUp Utilities 2007
2007-05-15 15:13   <DIR>   d--------   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\TuneUp Software
2007-05-15 15:12   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-05-15 15:12   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-05-09 21:22   59,264   --a------   C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-05-09 21:13   <DIR>   d--------   C:\Program Files\Common Files\logishrd
2007-05-09 21:11   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-08 17:17   <DIR>   d--------   C:\Program Files\Alwil Software
2007-05-08 17:04   <DIR>   d--------   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\Sammsoft
2007-05-08 14:50   <DIR>   d--------   C:\Program Files\RegistryPatrol3.0
2007-05-08 14:26   <DIR>   d--------   C:\Program Files\XPMedic


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-08 02:12:46   --------   d--h--w   C:\Program Files\WindowsUpdate
2007-06-06 21:22:02   --------   d-----w   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\ComcastToolbar
2007-05-15 22:38:49   --------   d-----w   C:\Program Files\Yahoo!
2007-05-15 20:23:40   --------   d-----w   C:\Program Files\RamBooster 2.0
2007-05-09 21:05:02   --------   d-----w   C:\DOCUME~1\ROSAAL~1.COQ\APPLIC~1\Yahoo!
2007-05-09 18:57:40   --------   d-----w   C:\Program Files\The Rise Of Atlantis
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-18 12:35:55   --------   d-----w   C:\Program Files\ComcastToolbar
2007-04-17 03:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-04-17 03:44:20   271,224   ----a-w   C:\WINDOWS\system32\mucltui.dll
2007-04-17 03:44:18   208,248   ----a-w   C:\WINDOWS\system32\muweb.dll
2007-04-10 13:27:32   --------   d-----w   C:\Program Files\Common Files\InstallShield
2007-04-10 13:27:13   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-10 13:10:54   --------   d-----w   C:\Program Files\iWin Games
2007-04-09 15:52:50   --------   d-----w   C:\Program Files\iWin.com
2007-04-09 13:26:11   --------   d-----w   C:\Program Files\Oberon Media
2007-04-08 22:03:48   --------   d-----w   C:\Program Files\BFG
2007-03-17 13:43:01   292,864   ----a-w   C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28   577,536   ----a-w   C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28   40,960   ----a-w   C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28   281,600   ----a-w   C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48   1,843,584   ----a-w   C:\WINDOWS\system32\win32k.sys


haydee
Re: My log from ComboFix, what I do?
« Reply #14 on: June 10, 2007, 09:22:28 PM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-14 23:47]
{08C134D3-087C-4139-A98C-3A078358DFDE}=C:\WINDOWS\system32\byxurrr.dll [2007-06-06 16:28]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}=C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL [2006-11-07 14:21]
{58CAD45F-1435-432C-3ABC-6E148B3BE658}=C:\Program Files\Windows Media Player\lavufaw.dll []
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-01-06 11:52]
{6F282B65-56BF-4BD1-A8B2-A4449A05863D}=C:\Program Files\GamesBar\oberontb.dll [2006-07-06 14:54]
{7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED}=C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll [2006-01-19 18:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{B12B391A-A0A7-FB27-D97F-89ADA897299D}=C:\WINDOWS\system32\dakv.dll []
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 15:04]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\xanjvlym.dll [2007-06-07 16:46]
{F1CEB0E0-FB0E-4F79-8019-3031A22FCF7D}=C:\Program Files\WindowsUpdate\hokel.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 12:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-21 11:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"="C:\WINDOWS\system32\byxurrr.dll" [2007-06-06 16:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxurrr]
byxurrr.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AOL"=C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe /d locale=en-US ee://aol/browserapp
"Crao"="C:\WINDOWS\system32\CROSOF~1.NET\dexplore.exe" -vt yazb
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" /AUTO
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Program Files\Common Files\AOL\1152373256\ee\AOLSoftware.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"runner1"=C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
"VTPreset"=VTPreset.exe
"Configuration Manager"=C:\WINDOWS\cfg32.exe
"oaftrobA"=C:\WINDOWS\oaftrobA.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-06-08 22:15:00  C:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 19:47:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 19:48:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-08 19:48

   --- E O F ---