Author Topic: virues infection win32 Trojan1165(trj)  (Read 118349 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: virues infection win32 Trojon1165(trj)
« Reply #15 on: November 21, 2007, 07:40:42 AM »
I should have mentioned that the links for the programs I asked you to download are the names of the programs in my post, so you may want to download them now. TIP: download them to your desktop; they are easy to find there.  8)

Glad to hear you printed out the instructions, smart.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89439
  • No support PMs thanks
Re: virues infection win32 Trojon1165(trj)
« Reply #16 on: November 21, 2007, 03:12:28 PM »
@ honeyk
Quote from: honeyk
I was using CA Internet Security 2007, which I was advised to buy when I got my system. But since I've had all these dramas, and with everyone I spoke to about my computer seeming to think they know what they're doing, one girl turned it off saying I didn't need it. Something to do with having Service Pack 2.

I don't want to complicate things for you as oldman having seen your HJT log suspects Vundo and has suggested tools to try and resolve this, so all I will mention is the firewall issue.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection, and you should consider a third-party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as, Comodo Firewall, PCTools Firewall Plus, Jetico, etc.

With XP SP2 you have the Windows XP firewall by default. I don't know if you have that enabled; if not, that should be your minimum level of protection. When you start to see results in the cleaning of your system, that would be a good time to look at a better firewall.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: virues infection win32 Trojon1165(trj)
« Reply #17 on: November 22, 2007, 05:16:32 AM »
Hi

I've seen you pop in and out a couple of times. Are you having problems or have any questions? Don't hesitate to ask.

honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #18 on: November 22, 2007, 10:53:06 AM »
Hi Oldman, to be honest with you, yes and no in response to whether I'm having problems. But as for in and out, I've started my response to you a few times and have been interrupted, and when returning to my PC it has either lost its screen and I can't recover it, or, while trying to hurry my PC into responding to my request, I've closed this screen and lost my post. And yes, I've had a few problems with your instructions, but only caused by my impatience.
I ran the SAS scan, but after about 2 hrs I did a really dumb thing and opened something else, froze my PC and lost my results. So all I can tell you about it is, the last I saw there were 278 viruses detected. I did run the scan again, twice, with the result being nothing detected.
I also ran the DSS scan, with the results attached. I hope you might be able to tell me good news, and not bad. :(
I have to say, with the few problems with freezing etc., my daughter came over today, and while we were looking something up on the net she said "This is the best I've seen your PC running in ages!" And it is true, it hasn't been crashing as much, but it's still slow.
I am still having an alert coming up all the time for a Trojan horse. When I try to delete it, or do anything with it, it keeps coming back. It comes up: Can not process c1\windows\system321qdfissjjdll\(Morphine)'file. I am having trouble with my notepad attachments, so I'm sending this part first; expect my notepad results to follow. Just so I don't lose what I've already written again. Thanks, Honeyk :-*

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: virues infection win32 Trojon1165(trj)
« Reply #19 on: November 22, 2007, 02:46:53 PM »
Hi

It sounds like SAS removed some of it.

It sounds like you have a plan for attaching notepads to your posts. Good. Make your post ahead of time in Notepad and save it to your desktop; again, easy to find there.  ;)

If the post fails, you will at least have your original copy to try again.

I'm not sure if the DSS logs were supposed to be attached to this post or not.

Quote
also ran the DSS scan, with the results attached. I hope you might be able to tell me good news, and not bad

There is nothing attached. Or were you attaching them later?

Quote
I am having trouble with my notepad attachments so I'm sending this part first. So expect my notepad results yet. Just so I don't lose what I've already written again.

Once you get the DSS logs posted we can start removing the rest.

The SAS logs are under stats and logs.

Open SAS, click Preferences, then click on the Stats and Logs tab. I don't know if one would have been created, but you can check.

I'll check in during the day when I can. (work)  ;)
« Last Edit: November 22, 2007, 07:01:03 PM by oldman »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: virues infection win32 Trojon1165(trj)
« Reply #20 on: November 22, 2007, 09:23:39 PM »
If you still can't get the DSS logs posted, we can perk your computer up a bit more. I was going to get you to download and run this program anyway; I just didn't want to throw too much at you at once. You seem to be about caught up, so we might as well go forward.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and the DSS log along with a new HJT log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


This scan is fairly quick, just let it finish. Don't panic or rush yourself.


edit to add:

What issues are you having with notepad?
« Last Edit: November 22, 2007, 10:47:13 PM by oldman »

honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #21 on: November 23, 2007, 08:38:15 AM »
Oldman see attachments. Honeyk :-*

ComboFix 07-11-19.3 - user 2007-11-23 16:48:01.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.114 [GMT 10.5:30]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
 * Created a new restore point
.

   Unable to gain System Privileges

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\user\Application Data\FunWebProducts
C:\Documents and Settings\user\Application Data\inst.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\FunWebProducts\ScreenSaver\Cache\00B9C148.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Cache\files.ini
C:\Program Files\FunWebProducts\ScreenSaver\Images\002FD08A.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00B9B3BB.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00BA5115.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\00BC392E.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\00C49F63.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\00BA5115.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\00BC392E.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\00C49F63.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignatureInsertBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MySignaturePreviewBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn-new.htmlx
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\4.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\4.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\4.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\4.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\4.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\4.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\4.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\4.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\4.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\4.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\0002C7DA
C:\Program Files\MyWebSearch\bar\Cache\0002E0C1
C:\Program Files\MyWebSearch\bar\Cache\0002E9AA
C:\Program Files\MyWebSearch\bar\Cache\0005A09C
C:\Program Files\MyWebSearch\bar\Cache\0005D72D.bin
C:\Program Files\MyWebSearch\bar\Cache\000645F5.bin
C:\Program Files\MyWebSearch\bar\Cache\00066033.bin
C:\Program Files\MyWebSearch\bar\Cache\0006837B.bin
C:\Program Files\MyWebSearch\bar\Cache\000B2A37
C:\Program Files\MyWebSearch\bar\Cache\000CAD1E.XYw
C:\Program Files\MyWebSearch\bar\Cache\000CD7E7
C:\Program Files\MyWebSearch\bar\Cache\000CDFA7.bin
C:\Program Files\MyWebSearch\bar\Cache\000D0753.bin
C:\Program Files\MyWebSearch\bar\Cache\000D1D9A.bin
C:\Program Files\MyWebSearch\bar\Cache\000D2933.bin
C:\Program Files\MyWebSearch\bar\Cache\00136351.bin
C:\Program Files\MyWebSearch\bar\Cache\0013953E.bin
C:\Program Files\MyWebSearch\bar\Cache\0013A2DB.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\network monitor
C:\Program Files\outlook
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c0013DB0.dat
C:\WINDOWS\system32\__c0014EB6.dat
C:\WINDOWS\system32\__c00162D1.dat
C:\WINDOWS\system32\__c0017B80.dat
C:\WINDOWS\system32\__c001A09F.dat
C:\WINDOWS\system32\__c001E8FA.dat
C:\WINDOWS\system32\__c001F66C.dat
C:\WINDOWS\system32\__c0027B18.dat
C:\WINDOWS\system32\__c002A45A.dat
C:\WINDOWS\system32\__c002A511.dat
C:\WINDOWS\system32\__c002BC9C.dat
C:\WINDOWS\system32\__c002FA59.dat
C:\WINDOWS\system32\__c0033C5D.dat
C:\WINDOWS\system32\__c003440F.dat
C:\WINDOWS\system32\__c0036621.dat
C:\WINDOWS\system32\__c0036F07.dat
C:\WINDOWS\system32\__c0039FA9.dat
C:\WINDOWS\system32\__c0040861.dat
C:\WINDOWS\system32\__c0040ED9.dat
C:\WINDOWS\system32\__c004CB45.dat
C:\WINDOWS\system32\__c005349E.dat
C:\WINDOWS\system32\__c0056481.dat
C:\WINDOWS\system32\__c005A28.dat
C:\WINDOWS\system32\__c005B19A.dat
C:\WINDOWS\system32\__c005BC90.dat
C:\WINDOWS\system32\__c005C1B7.dat
C:\
« Last Edit: November 23, 2007, 09:03:56 AM by honeyk »

honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #22 on: November 23, 2007, 09:32:03 AM »
C:\WINDOWS\system32\__c006047A.dat
C:\WINDOWS\system32\__c0062168.dat
C:\WINDOWS\system32\__c0063084.dat
C:\WINDOWS\system32\__c006415C.dat
C:\WINDOWS\system32\__c0064184.dat
C:\WINDOWS\system32\__c0064A19.dat
C:\WINDOWS\system32\__c006F444.dat
C:\WINDOWS\system32\__c00702D4.dat
C:\WINDOWS\system32\__c0071610.dat
C:\WINDOWS\system32\__c0074039.dat
C:\WINDOWS\system32\__c007812B.dat
C:\WINDOWS\system32\__c007833A.dat
C:\WINDOWS\system32\__c0078802.dat
C:\WINDOWS\system32\__c007E241.dat
C:\WINDOWS\system32\__c00886CF.dat
C:\WINDOWS\system32\__c0088AA.dat
C:\WINDOWS\system32\__c008BC8C.dat
C:\WINDOWS\system32\__c008BC9A.dat
C:\WINDOWS\system32\__c008C3C1.dat
C:\WINDOWS\system32\__c008DA17.dat
C:\WINDOWS\system32\__c008DE32.dat
C:\WINDOWS\system32\__c008F42D.dat
C:\WINDOWS\system32\__c0095774.dat
C:\WINDOWS\system32\__c0095C3A.dat
C:\WINDOWS\system32\__c009655E.dat
C:\WINDOWS\system32\__c0098610.dat
C:\WINDOWS\system32\__c009A1B9.dat
C:\WINDOWS\system32\__c009AC5D.dat
C:\WINDOWS\system32\__c009AED3.dat
C:\WINDOWS\system32\__c009E419.dat
C:\WINDOWS\system32\__c00A2CAC.dat
C:\WINDOWS\system32\__c00A3586.dat
C:\WINDOWS\system32\__c00A53EE.dat
C:\WINDOWS\system32\__c00A6D76.dat
C:\WINDOWS\system32\__c00A7359.dat
C:\WINDOWS\system32\__c00A91BC.dat
C:\WINDOWS\system32\__c00AC900.dat
C:\WINDOWS\system32\__c00AF6E9.dat
C:\WINDOWS\system32\__c00B0AE2.dat
C:\WINDOWS\system32\__c00B3E59.dat
C:\WINDOWS\system32\__c00B5900.dat
C:\WINDOWS\system32\__c00C04AC.dat
C:\WINDOWS\system32\__c00C94F9.dat
C:\WINDOWS\system32\__c00C9B19.dat
C:\WINDOWS\system32\__c00D0C91.dat
C:\WINDOWS\system32\__c00D2F6A.dat
C:\WINDOWS\system32\__c00D4C1A.dat
C:\WINDOWS\system32\__c00DACCE.dat
C:\WINDOWS\system32\__c00DB100.dat
C:\WINDOWS\system32\__c00DFB31.dat
C:\WINDOWS\system32\__c00E3155.dat
C:\WINDOWS\system32\__c00E3354.dat
C:\WINDOWS\system32\__c00E6936.dat
C:\WINDOWS\system32\__c00E9531.dat
C:\WINDOWS\system32\__c00EEFD9.dat
C:\WINDOWS\system32\__c00F4F1E.dat
C:\WINDOWS\system32\__c00F5844.dat
C:\WINDOWS\system32\__c00F6F5C.dat
C:\WINDOWS\system32\__c00FC1A5.dat
C:\WINDOWS\system32\akrddgak.dll
C:\WINDOWS\system32\app.exe
C:\WINDOWS\system32\arvgxvfc.dll
C:\WINDOWS\system32\asrbmvae.dll
C:\WINDOWS\system32\aucnqwob.dll
C:\WINDOWS\system32\aukkmnte.dll
C:\WINDOWS\system32\bcrsrxql.dll
C:\WINDOWS\system32\bnlaujrt.dll
C:\WINDOWS\system32\busgbgmk.dll
C:\WINDOWS\system32\ccjvxcqt.dll
C:\WINDOWS\system32\cdcruvoj.dll
C:\WINDOWS\system32\cdmiayqn.dll
C:\WINDOWS\system32\ceptjhtm.dll
C:\WINDOWS\system32\clfblsor.dll
C:\WINDOWS\system32\cooaltgt.dll
C:\WINDOWS\system32\ctpndxyj.dll
C:\WINDOWS\system32\cuqubdhw.dll
C:\WINDOWS\system32\cygnjnvr.dll
C:\WINDOWS\system32\dgoewxxa.dll
C:\WINDOWS\system32\dkcaxvco.dll
C:\WINDOWS\system32\dksqgqrd.dll
C:\WINDOWS\system32\dmtyqfan.dll
C:\WINDOWS\system32\dnedkajb.dll
C:\WINDOWS\system32\dnrbqeql.dll
C:\WINDOWS\system32\drshrykn.dll
C:\WINDOWS\system32\dtncyxbq.dll
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\edeeg.tmp
C:\WINDOWS\system32\ejqavcmp.dll
C:\WINDOWS\system32\ekvgbjkl.dll
C:\WINDOWS\system32\etijjawr.dll
C:\WINDOWS\system32\eucxesei.dll
C:\WINDOWS\system32\exqmifsi.dll
C:\WINDOWS\system32\exuwommr.dll
C:\WINDOWS\system32\eyiailei.dll
C:\WINDOWS\system32\fbbfiuwj.dll
C:\WINDOWS\system32\fcinhmtd.dll
C:\WINDOWS\system32\fknnfjma.dll
C:\WINDOWS\system32\fmhvjddd.dll
C:\WINDOWS\system32\ftdyeolt.exe
C:\WINDOWS\system32\g34
C:\WINDOWS\system32\gaaqxyhh.ini
C:\WINDOWS\system32\gcxjvkdb.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\ghykpsua.dll
C:\WINDOWS\system32\gixqrvgf.dll
C:\WINDOWS\system32\gkwbmjvf.dll
C:\WINDOWS\system32\gvogdufb.dll
C:\WINDOWS\system32\hbwmuwkr.dll
C:\WINDOWS\system32\hcxnemgl.dll
C:\WINDOWS\system32\hhyxqaag.dll
C:\WINDOWS\system32\hohpiygj.dll
C:\WINDOWS\system32\hvlbpurl.dll
C:\WINDOWS\system32\iaimkwef.dll
C:\WINDOWS\system32\ihxxxpmc.dll
C:\WINDOWS\system32\intrprng.dll
C:\WINDOWS\system32\inxfmctc.dll
C:\WINDOWS\system32\iqeewekd.dll
C:\WINDOWS\system32\iqxuhart.dll
C:\WINDOWS\system32\issyqsrv.dll
C:\WINDOWS\system32\iudfmvmo.dll
C:\WINDOWS\system32\iurikdui.dll
C:\WINDOWS\system32\iwaeucwh.dll
C:\WINDOWS\system32\iwiytoxv.dll
C:\WINDOWS\system32\jiwedbvv.dll
C:\WINDOWS\system32\jmicxjqk.dll
C:\WINDOWS\system32\jusawcmg.dll
C:\WINDOWS\system32\jyrekemn.dll
C:\WINDOWS\system32\kaffrcgo.dll
C:\WINDOWS\system32\kgveoavl.dll
C:\WINDOWS\system32\kiynkjjm.dll
C:\WINDOWS\system32\krvvabee.dll
C:\WINDOWS\system32\krwfqydw.dll
C:\WINDOWS\system32\ktlfisly.dll
C:\WINDOWS\system32\kuirmmff.dll
C:\WINDOWS\system32\kyrinjdr.dll
C:\WINDOWS\system32\lwpkebcv.dll
C:\WINDOWS\system32\lwxrgkdh.dll
C:\WINDOWS\system32\lymdwdyi.dll
C:\WINDOWS\system32\mbkputod.dll
C:\WINDOWS\system32\mkchdcjl.dll
C:\WINDOWS\system32\mlxwnqbl.dll
C:\WINDOWS\system32\mvawhlur.dll
C:\WINDOWS\system32\neggrjvr.dll
C:\WINDOWS\system32\npceexlv.dll
C:\WINDOWS\system32\nqqfkfek.dll
C:\WINDOWS\system32\nqtwa.bak1

honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #24 on: November 23, 2007, 09:34:19 AM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4849a9c1-c7c4-4f8c-9fd1-60fc3c22fa88}]
2007-11-23 16:49   83520   --a------   C:\WINDOWS\system32\ymmterde.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74605DD9-2871-480C-8B4B-0302A966CB92}]
         C:\WINDOWS\SYSTEM32\AWTQN.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99DE9A8F-2E4E-4781-86C6-F2A2B25C24B6}]
         C:\WINDOWS\system32\qdfsssjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99E41A24-6F7C-4531-A4B5-EAD6F371473B}]
         C:\Program Files\MSN Gaming Zone\holemunyz4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD726424-B9CD-4C34-9DC9-152C67761FDE}]
         C:\Program Files\MSN Gaming Zone\holemunyz83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA959CC3-D52A-4388-3B87-985A96131158}]
         C:\Program Files\Windows NT\lawug.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:54]
"SpyClean"="C:\Program Files\Netcom3 Cleaner\SpyClean.exe" []
"Play Tool"="C:\DOCUME~1\user\APPLIC~1\GREYCD~1\Atom Tray.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 07:42 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 22:30 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 22:30 C:\WINDOWS\system32\rundll32.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 16:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 23:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"NGServer"="C:\Program Files\Symantec\Ghost\ngserver.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-21 10:29]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-10-15 15:13]
"CaPPcl"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe" [2007-10-15 15:13]
"eTrustPPAP"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPActiveDetection.exe" []
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"Anti Dog Beep Grid"="C:\Documents and Settings\All Users\Application Data\Open Ante Anti Dog\online each.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 19:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-09 22:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:55]
"88441475"="C:\WINDOWS\system32\ushfylcr.dll" [2007-11-23 16:52]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:30]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 20:42:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 23:24:38]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 23:44:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 14:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkklkj]
jkkklkj.dll 2007-10-11 10:36 36352 C:\WINDOWS\system32\jkkklkj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\geede.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\ZTEusbser.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 06:30:00 C:\WINDOWS\Tasks\AFACBAA7906F3003.job"
- c:\docume~1\user\applic~1\greycd~1\FlawLocksSend.exe
"2007-11-09 00:18:41 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as user at 1 53 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe

"2007-11-23 06:33:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 17:15:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 17:28:57 - machine was rebooted
.
   --- E O F ---
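
As an added triage aid for readers of this thread (example code, not part of the thread and not a ComboFix feature): a Python script that parses the "Reg Loading Points" section of a ComboFix log, like the one posted above, and flags the entries a helper would look at first. The heuristics are assumptions of this example, not ComboFix rules: an eight-lowercase-letter DLL name in system32 (the pattern the DLLs in this log follow), a purely numeric Run value name, a BHO in system32 with no date/size details, and a Run entry launched from a profile data folder. The sample lines are copied from the log above.

```python
import re
from typing import Dict, List

# A subset of the "Reg Loading Points" lines posted above in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4849a9c1-c7c4-4f8c-9fd1-60fc3c22fa88}]
2007-11-23 16:49   83520   --a------   C:\WINDOWS\system32\ymmterde.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99DE9A8F-2E4E-4781-86C6-F2A2B25C24B6}]
         C:\WINDOWS\system32\qdfsssjj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 07:42 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 19:36]
"Anti Dog Beep Grid"="C:\Documents and Settings\All Users\Application Data\Open Ante Anti Dog\online each.exe" []
"88441475"="C:\WINDOWS\system32\ushfylcr.dll" [2007-11-23 16:52]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"="path" [stamp]  (stamp may be empty when ComboFix could not stat the file)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')
# A drive-letter path ending in .dll/.exe at the end of a line (BHO blocks)
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\\S.*?\.(?:dll|exe))\s*$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # assumed heuristic: e.g. ymmterde, ushfylcr
NUMERIC_NAME_RE = re.compile(r"^\d+$")      # assumed heuristic: Run value named "88441475"
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def parse_loading_points(log_text: str) -> List[Dict[str, str]]:
    """Return one record per autostart entry: registry key, value name, path, stamp."""
    entries: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append({"key": current_key, "name": m.group("name"),
                            "path": m.group("path"), "stamp": m.group("stamp")})
            continue
        # BHO blocks carry no value name: the path is the whole line, optionally
        # preceded by date/size/attribute columns, which we keep as the stamp.
        if "Browser Helper Objects" in current_key:
            m = PATH_RE.search(line)
            if m:
                stamp = line[: m.start("path")].strip()
                entries.append({"key": current_key, "name": "",
                                "path": m.group("path"), "stamp": stamp})
    return entries


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Crude, assumed heuristics for the Vundo-style loading points seen in this log."""
    reasons: List[str] = []
    path = entry["path"]
    lower = path.lower()
    filename = path.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    in_system32 = "\\system32\\" in lower
    if in_system32 and RANDOM_STEM_RE.match(stem):
        reasons.append("random-looking 8-letter filename in system32")
    if NUMERIC_NAME_RE.match(entry["name"]):
        reasons.append("purely numeric Run value name")
    if "Browser Helper Objects" in entry["key"] and in_system32 and entry["stamp"] == "":
        reasons.append("BHO in system32 with no file details")
    if any(d in lower for d in PROFILE_DIRS):
        reasons.append("launched from a user-profile data directory")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the entries that trip at least one heuristic, with the reasons."""
    flagged: List[Dict[str, object]] = []
    for entry in parse_loading_points(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['path']}  <-  {', '.join(hit['reasons'])}")
```

Run it against the pasted section and the legitimate entries (SoundMan, avast!) drop out while the four Vundo-style loading points remain, each with the reason it was kept. The heuristics are deliberately narrow; a filename pattern alone is a prompt to check the file, not a verdict.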

honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #25 on: November 23, 2007, 09:43:33 AM »
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) XP 2600+
Percentage of Memory in Use: 84%
Physical Memory (total/avail): 511.48 MiB / 77.31 MiB
Pagefile Memory (total/avail): 1249.25 MiB / 628.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1900.76 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 37.27 GiB total, 4.31 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400JB-00FSA0 - 37.27 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1043 [VPS 071120-0] v4.7.1043 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\Nero Web\\SetupXu.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\Nero Web\\SetupXu.exe:*:Enabled:Nero ProductSetup"
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"="C:\\Sierra\\Empire Earth\\Empire Earth.exe:*:Enabled:Empire Earth"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft  Fax Console"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\vervakmb.exe"="C:\\WINDOWS\\system32\\ver"
"C:\\Documents and Settings\\user\\My Documents\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\user\\My Documents\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\WINDOWS\\system32\\ottedeus.exe"="C:\\WINDOWS\\system32\\ott"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"
"C:\\WINDOWS\\system32\\xniiuuob.exe"="C:\\WINDOWS\\system32\\xni"
"C:\\WINDOWS\\system32\\qwfrnkhw.exe"="C:\\WINDOWS\\system32\\qwf"
"C:\\WINDOWS\\system32\\fyflxxlm.exe"="C:\\WINDOWS\\system32\\fyf"
"C:\\WINDOWS\\system32\\sguoymdc.exe"="C:\\WINDOWS\\system32\\sgu"
"C:\\WINDOWS\\system32\\timwqpwy.exe"="C:\\WINDOWS\\system32\\tim"
"C:\\WINDOWS\\system32\\gkaaskex.exe"="C:\\WINDOWS\\system32\\gka"
"C:\\WINDOWS\\system32\\ufmhfvdw.exe"="C:\\WINDOWS\\system32\\ufm"
"C:\\WINDOWS\\system32\\ieoxvijp.exe"="C:\\WINDOWS\\system32\\ieo"
"C:\\WINDOWS\\system32\\xdcqjurk.exe"="C:\\WINDOWS\\system32\\xdc"
"C:\\WINDOWS\\system32\\diabpixq.exe"="C:\\WINDOWS\\system32\\dia"
"C:\\WINDOWS\\system32\\swsooaoa.exe"="C:\\WINDOWS\\system32\\sws"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\WINDOWS\\system32\\gmubbuyy.exe"="C:\\WINDOWS\\system32\\gmu"


honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #26 on: November 23, 2007, 09:45:17 AM »
-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-42891FB261
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\USER-42891FB261
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=USER-42891FB261
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

user (admin)
EmMa JaNe (admin)
Jamey Rose (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

 --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
 --> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
 --> C:\WINDOWS\UNRecode.exe /UNINSTALL
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bingo Cafe --> C:\PROGRA~1\BINGOC~1\UNWISE.EXE C:\PROGRA~1\BINGOC~1\INSTALL.LOG
CA Internet Security Suite --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u
CiD Help --> C:\DOCUME~1\user\APPLIC~1\GREYCD~1\Atom Tray.exe -uninstall
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
eMusic Remote 1.0.0.2 --> C:\Program Files\eMusic Remote\uninst.exe
Google Web Accelerator --> MsiExec.exe /X{6A1975EB-27E6-491D-94BC-6355FA25F40F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Join ME --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72FD5F2E-1F7A-4E9B-8838-29E842E178CD}\Setup.exe" -l0x9  -removeonly
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Word Viewer 97 --> C:\Program Files\WordView\setup\setup.exe
My Web Search (Cursor Mania) --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsbar.dll,O
Nero 7 Essentials --> MsiExec.exe /X{ADD9E56D-2DD8-448A-8887-B3AF76AB1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{11964613-805F-432D-A12B-169554B793E7}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Nokia_PC_Suite_6_84_10_3_eng.exe
Nokia PC Suite --> MsiExec.exe /I{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{DF821FC5-C198-452B-A0D4-82433EFEAE9B}
OpenOffice.org 2.0 --> MsiExec.exe /I{686BB230-DE5B-44F4-8DB0-4F9BEE7310F7}
PC Connectivity Solution --> MsiExec.exe /I{99A40651-0BC2-4095-8F9A-A40FAB224FEF}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{66034137-F1CE-4CEF-8180-46553C54DB18}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe"  -uninstall
QuickTime 3.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\QuickTime\DeIsL1.isu" -c"C:\WINDOWS\system32\QTUninst.dll
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{1306C737-0AF4-46C7-B282-64E099304712}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{FDB226E3-D55D-4922-894F-20CE4646077D}
The Hoggs Harley Davidson Screen Saver --> C:\WINDOWS\system32\THEHOG~1.SCR /U
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VSO CopyToDVD 4 --> "C:\Program Files\VSO\unins000.exe"
Windows Desktop Search --> "C:\WINDOWS\$NtUninstallKB911993-V2$\spuninst\spuninst.exe"
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{71CB529E-21A4-42AD-BF38-564F08988633}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}
Windows Live Toolbar --> MsiExec.exe /X{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{D3F28364-8B10-45F1-8C2D-0037F4538BBB}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{328420FA-7638-4AB1-81DF-E0FECEFF24E3}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe





honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #27 on: November 23, 2007, 09:47:13 AM »
-- Application Event Log -------------------------------------------------------

Event Record #/Type6547 / Warning
Event Submitted/Written: 11/21/2007 10:04:58 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6537 / Error
Event Submitted/Written: 11/21/2007 06:54:57 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type6535 / Error
Event Submitted/Written: 11/21/2007 06:54:29 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type6531 / Warning
Event Submitted/Written: 11/21/2007 06:51:16 PM
Event ID/Source: 32066 / Microsoft Fax
Event Description:
At least one of the devices in the outgoing routing group is not valid.
Group name: '<All devices>'

Event Record #/Type6505 / Error
Event Submitted/Written: 11/21/2007 11:05:08 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5063 / Warning
Event Submitted/Written: 11/21/2007 10:17:46 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000461534716.  The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type5033 / Error
Event Submitted/Written: 11/21/2007 10:10:21 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Symantec Ghost Configuration Server service failed to start due to the following error:
%%3

Event Record #/Type4985 / Error
Event Submitted/Written: 11/21/2007 07:27:09 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Symantec Ghost Configuration Server service failed to start due to the following error:
%%3

Event Record #/Type4975 / Error
Event Submitted/Written: 11/21/2007 07:19:50 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB} did not register with DCOM within the required timeout.

Event Record #/Type4951 / Error
Event Submitted/Written: 11/21/2007 06:51:12 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Symantec Ghost Configuration Server service failed to start due to the following error:
%%3



-- End of Deckard's System Scanner: finished at 2007-11-22 00:32:34 ------------

honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #28 on: November 23, 2007, 09:49:47 AM »
Deckard's System Scanner v20071014.68
Run by user on 2007-11-22 11:20:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
System Drive C: has 4.29 GiB (less than 15%) free.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:12 AM, on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\LocalService\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ycomp/defaults/sp/*http://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {74605DD9-2871-480C-8B4B-0302A966CB92} - C:\WINDOWS\SYSTEM32\AWTQN.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {99DE9A8F-2E4E-4781-86C6-F2A2B25C24B6} - C:\WINDOWS\system32\qdfsssjj.dll (file missing)
O2 - BHO: (no name) - {99E41A24-6F7C-4531-A4B5-EAD6F371473B} - C:\Program Files\MSN Gaming Zone\holemunyz4444.dll (file missing)
O2 - BHO: (no name) - {BC0692C3-733F-48AB-8E03-D3C5A32B1716} - C:\WINDOWS\system32\geede.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O2 - BHO: (no name) - {CD726424-B9CD-4C34-9DC9-152C67761FDE} - C:\Program Files\MSN Gaming Zone\holemunyz83122.dll (file missing)
O2 - BHO: (no name) - {EA959CC3-D52A-4388-3B87-985A96131158} - C:\Program Files\Windows NT\lawug.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Anti Dog Beep Grid] C:\Documents and Settings\All Users\Application Data\Open Ante Anti Dog\online each.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [88441475] rundll32.exe "C:\WINDOWS\system32\wbuwaswt.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O4 - HKCU\..\Run: [Play Tool] C:\DOCUME~1\user\APPLIC~1\GREYCD~1\Atom Tray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYAU
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?75916c03fbbc4eeb82ca20dbc53ebe48
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?75916c03fbbc4eeb82ca20dbc53ebe48


--

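The firewall AuthorizedApplications list in Reply #25 and the HijackThis O2/O4/O20/O23 items in Reply #28 above repeat one fingerprint: seven or eight lower-case letters as a file name in system32, firewall values cut off after three characters instead of carrying the usual `:*:Enabled:<name>` suffix, a Run value named only with digits, a BHO with no name, and a service with an unknown owner pointing at a missing file. The script below is an added example, not code from this thread, from Deckard's System Scanner or from HijackThis; it runs those checks over a constructed sample of lines copied in the shape of the posted logs and cross-references names that recur in more than one context. The `KNOWN_STEMS` allowlist, the 7-8 letter threshold and the reason wording are assumptions made for the example.

```python
"""Triage heuristics for Deckard's System Scanner and HijackThis log lines.

Added example for this thread; not code from the thread, from DSS or from
HijackThis.  It flags the patterns visible in the posted logs.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: lines copied in the shape of the posted firewall
# AuthorizedApplications export and the HijackThis O2/O4/O20/O23 items.
SAMPLE_LOG = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\vervakmb.exe"="C:\\WINDOWS\\system32\\ver"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\WINDOWS\\system32\\gmubbuyy.exe"="C:\\WINDOWS\\system32\\gmu"
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BC0692C3-733F-48AB-8E03-D3C5A32B1716} - C:\WINDOWS\system32\geede.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [88441475] rundll32.exe "C:\WINDOWS\system32\wbuwaswt.dll",b
O20 - Winlogon Notify: jkkklkj - C:\WINDOWS\SYSTEM32\jkkklkj.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gmubbuyy.exe (file missing)
'''

FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
# A well-formed XP firewall value ends in ":<scope>:<Enabled|Disabled>:<name>".
FW_SUFFIX = re.compile(r':[^:]*:(?:enabled|disabled):', re.IGNORECASE)
HJT_LINE = re.compile(r'^(?P<item>O\d+) - (?P<rest>.*)$')
# Absolute path to an executable module in single-backslash form.
WIN_PATH = re.compile(
    r'(?:[A-Za-z]:|%windir%)\\(?:[^\\:"<>|?*\r\n]+\\)*[^\\:"<>|?*\r\n]+?\.(?:exe|dll|scr|dat)',
    re.IGNORECASE)
RANDOM_STEM = re.compile(r'^[a-z]{7,8}$')
# Assumption: genuine system32 binaries from the log that the pattern would otherwise catch.
KNOWN_STEMS = {'sessmgr', 'dpvsetup', 'fxsclnt'}


def stem_of(path: str) -> str:
    """File name without directory or extension, lower-cased."""
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0].lower()


def looks_random(path: str) -> bool:
    """Seven or eight lower-case letters, living in system32, not allow-listed."""
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    return ('system32' in path.lower()
            and RANDOM_STEM.match(stem) is not None
            and stem.lower() not in KNOWN_STEMS)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: {'line', 'path', 'reasons'}."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        path = ''
        fw, hjt = FW_LINE.match(line), HJT_LINE.match(line)
        if fw:
            # Registry export doubles the backslashes; fold them back.
            path = fw.group('key').replace('\\\\', '\\')
            value = fw.group('value').replace('\\\\', '\\')
            if not FW_SUFFIX.search(value):
                reasons.append('firewall value truncated (no scope/Enabled/name suffix)')
            elif not value.lower().startswith(path.lower()):
                reasons.append('firewall value does not start with its key path')
        elif hjt:
            item, rest = hjt.group('item'), hjt.group('rest')
            m = WIN_PATH.search(rest)
            path = m.group(0) if m else ''
            if '(no name)' in rest:
                reasons.append(f'{item} item has no display name')
            if '(file missing)' in rest:
                reasons.append(f'{item} points at a missing file')
            if 'Unknown owner' in rest:
                reasons.append(f'{item} service has unknown owner')
            if item == 'O4' and re.search(r'\[\d+\]', rest):
                reasons.append('Run value named only with digits')
        else:
            continue
        if path and looks_random(path):
            reasons.append('random-looking 7-8 letter name in system32')
        if reasons:
            findings.append({'line': line, 'path': path, 'reasons': reasons})
    return findings


def recurring_stems(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Names flagged on more than one line, e.g. firewall-authorised and a service."""
    counts = Counter(stem_of(str(f['path'])) for f in findings if f['path'])
    return {s: n for s, n in counts.items() if n > 1}


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f['path'] or str(f['line'])[:60], '->', '; '.join(f['reasons']))
    print('recurring:', recurring_stems(found))
```

A name that turns up in two independent contexts, as `gmubbuyy.exe` does here (a firewall exception and an O23 service), is a stronger signal than any single heuristic; the firewall entries are worth a look on their own because the Security Center section reports the Windows firewall as disabled, yet something still wrote exceptions for those system32 executables.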
honeyk

  • Guest
Re: virues infection win32 Trojon1165(trj)
« Reply #29 on: November 23, 2007, 09:54:46 AM »
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.westnet.com.au
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkklkj - C:\WINDOWS\SYSTEM32\jkkklkj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gmubbuyy.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - (no file)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 12680 bytes

-- Files created between 2007-10-22 and 2007-11-22 -----------------------------

2007-11-22 11:20:04     10816 --a------ C:\WINDOWS\system32\oflvmhuy.dll
2007-11-22 11:19:28     71232 --a------ C:\WINDOWS\system32\doqbdhys.exe <Not Verified; ; DDC>
2007-11-22 11:18:55     10816 --a------ C:\WINDOWS\system32\__c001E8FA.dat
2007-11-22 11:18:54     10816 --a------ C:\WINDOWS\system32\krwfqydw.dll
2007-11-22 11:18:21     80960 --a------ C:\WINDOWS\system32\suaakfoa.dll
2007-11-22 11:15:22     10816 --a------ C:\WINDOWS\system32\__c008DA17.dat
2007-11-22 11:15:21     10816 --a------ C:\WINDOWS\system32\wvttpxxg.dll
2007-11-22 11:15:20     10816 --a------ C:\WINDOWS\system32\tqbfhhug.dll
2007-11-22 11:12:40     71232 --a------ C:\WINDOWS\system32\hmuspgvv.exe <Not Verified; ; DDC>
2007-11-22 10:36:51     10816 --a------ C:\WINDOWS\system32\__c005349E.dat
2007-11-22 10:36:50     10816 --a------ C:\WINDOWS\system32\vgqvarbp.dll
2007-11-22 10:34:53     71232 --a------ C:\WINDOWS\system32\bhndarhp.exe <Not Verified; ; DDC>
2007-11-22 05:17:49     10816 --a------ C:\WINDOWS\system32\tunjqals.dll
2007-11-22 05:15:37     10816 --a------ C:\WINDOWS\system32\__c0027B18.dat
2007-11-22 05:15:35     10816 --a------ C:\WINDOWS\system32\cuqubdhw.dll
2007-11-22 05:15:34     71232 --a------ C:\WINDOWS\system32\tqahiity.exe <Not Verified; ; DDC>
2007-11-22 05:12:54     10816 --a------ C:\WINDOWS\system32\lymdwdyi.dll
2007-11-22 05:10:49     85056 --a------ C:\WINDOWS\system32\wbuwaswt.dll
2007-11-22 05:10:44     71232 --a------ C:\WINDOWS\system32\llppcsdp.exe <Not Verified; ; DDC>
2007-11-22 05:08:10     10816 --a------ C:\WINDOWS\system32\__c008DE32.dat
2007-11-22 05:08:09     10816 --a------ C:\WINDOWS\system32\ybjfdweg.dll
2007-11-22 05:03:19     71232 --a------ C:\WINDOWS\system32\yumvioah.exe <Not Verified; ; DDC>
2007-11-22 05:00:19     10816 --a------ C:\WINDOWS\system32\__c00A91BC.dat
2007-11-22 05:00:18     10816 --a------ C:\WINDOWS\system32\iaimkwef.dll
2007-11-22 04:57:41     10816 --a------ C:\WINDOWS\system32\bnlaujrt.dll
2007-11-22 04:26:34     80960 --a------ C:\WINDOWS\system32\lxukivje.dll
2007-11-22 04:20:32     85056 --a------ C:\WINDOWS\system32\ygflchpf.dll
2007-11-22 04:17:32     10816 --a------ C:\WINDOWS\system32\__c00DB100.dat
2007-11-22 04:17:31     10816 --a------ C:\WINDOWS\system32\xqkmmwod.dll
2007-11-22 04:14:50     71232 --a------ C:\WINDOWS\system32\ubnabnie.exe <Not Verified; ; DDC>
2007-11-22 04:12:42     10816 --a------ C:\WINDOWS\system32\drshrykn.dll
2007-11-22 04:10:03     10816 --a------ C:\WINDOWS\system32\dksqgqrd.dll
2007-11-22 04:07:51     80960 --a------ C:\WINDOWS\system32\vilwflxn.dll
2007-11-22 04:07:34     85056 --a------ C:\WINDOWS\system32\caltsyrf.dll
2007-11-22 04:01:35     10816 --a------ C:\WINDOWS\system32\__c00DACCE.dat
2007-11-22 04:01:34     10816 --a------ C:\WINDOWS\system32\akrddgak.dll
2007-11-22 04:01:33     10816 --a------ C:\WINDOWS\system32\ykkadydp.dll