
windows XP hacked: lost admin rights and computer slowdown

Discussion in 'Malware and Virus Removal Archive' started by boomstick, 2008/07/04.

  1. 2008/07/04
    boomstick

    boomstick Inactive Thread Starter

    Joined:
    2008/07/04
    Messages:
    3
    Likes Received:
    0
    Hi, new member here. Found this site looking up a way to figure out what's slowing down my computer. I read the thread from Left4dead and it's the same exact situation.
    I can't even access the display menu, and my Control Panel is gone from my Settings menu. Plus my computer has slowed down drastically. I got AVG and quarantined (at least I think it did) or deleted the viruses, but my computer is still slow. How can I fix this without rebooting, because I don't have my disc? Below is the HijackThis report. Also, my time has been changed to military time (0:00-24:00) and that has "VIRUS ALERT!" next to it, as well as most other things (AIM messages and such). Also, side note: tonight when I was reading Left4dead's thread my Firefox kept having problems and Firefox would close. It hasn't been happening on any other site. So to do this I got on Internet Explorer.
    Logfile of HijackThis v1.99.1
    Scan saved at 01:53: VIRUS ALERT!, on 7/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.com/
    O2 - BHO: CableRouting module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\CableRouting\CableRouting.dll (file missing)
    O2 - BHO: (no name) - {33F0C571-69BC-40BD-8C5B-58274C69B37A} - C:\WINDOWS\system32\yayvTkkI.dll (file missing)
    O2 - BHO: (no name) - {39D67F39-6F48-438A-80A2-F86FE363C215} - C:\WINDOWS\system32\tuvVLbAP.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: QXK Olive - {63EE8DD1-D0EB-4A34-B133-E38B41307B27} - C:\WINDOWS\gfetqaxsqsb.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [c4a1f81f] rundll32.exe "C:\WINDOWS\System32\mpxtiwkb.dll ",b
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: tuvVLbAP - tuvVLbAP.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    I'd show what's in my AVG vault, but not tonight; I'm sleepy.
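The log above is the kind of thing a helper reads by eye: entries whose file is already gone ("(file missing)" on the O2 and O20 lines, left behind after AVG deleted the DLLs), an O4 Run entry with a random hex name loading a random-named DLL through rundll32, the O6/O7 policy lines that explain the missing Control Panel and the locked Registry Editor, and an R0 start page pointing at an unfamiliar host. The Python below is an added example, not code from the post or from HijackThis, that applies those same checks to constructed sample lines modelled on the posted log. The trusted-host allowlist and the "eight lowercase letters" naming heuristic are assumptions a helper might make, not rules HijackThis itself applies.

```python
"""Triage a HijackThis-style log for the indicators discussed in this thread.

Added example, not part of the original post or of HijackThis. The sample
lines are constructed to mirror the shape of the first log in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: a handful of lines in HijackThis format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {33F0C571-69BC-40BD-8C5B-58274C69B37A} - C:\WINDOWS\system32\yayvTkkI.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [c4a1f81f] rundll32.exe "C:\WINDOWS\System32\mpxtiwkb.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: tuvVLbAP - tuvVLbAP.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumption: hosts a helper would accept as browser start/search pages.
# The thread shows yahoo.com and go.microsoft.com as the post-cleanup values.
TRUSTED_PAGE_HOSTS = {"yahoo.com", "www.yahoo.com", "go.microsoft.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
# Heuristic (assumption): a DLL named with exactly eight lowercase letters.
RANDOM_DLL = re.compile(r"\\[a-z]{8}\.dll")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


def classify(line: str) -> Optional[str]:
    """Return a reason string if the line looks suspicious, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # Load point whose target file no longer exists: the registration
    # outlived the file, typically after an antivirus deletion.
    if body.endswith("(file missing)"):
        return "orphaned load point: registered file is gone"

    # Browser start/search page pointing somewhere outside the allowlist.
    if sec in ("R0", "R1"):
        url = body.split("=", 1)[-1].strip()
        host = urlparse(url).hostname or ""
        if host and host not in TRUSTED_PAGE_HOSTS:
            return f"browser page points at untrusted host {host}"

    # Autostart entries with random-looking names or DLL targets.
    if sec == "O4":
        r = RUN_RE.match(body)
        if r:
            if RANDOM_HEX_NAME.match(r.group("name")):
                return "Run entry with random-looking hex name"
            cmd = r.group("cmd")
            if cmd.lower().startswith("rundll32.exe") and RANDOM_DLL.search(cmd):
                return "rundll32 loading a DLL with a random-looking name"

    # Policy entries that lock the user out of their own settings.
    if sec == "O6" and body.endswith("Restrictions present"):
        return "Internet Explorer restrictions policy present"
    if sec == "O7" and "DisableRegedit=1" in body:
        return "registry editor disabled by policy"
    return None


def triage(text: str) -> List[Finding]:
    """Run classify() over every line of a log and collect the findings."""
    findings = []
    for raw in text.splitlines():
        reason = classify(raw)
        if reason:
            findings.append(Finding(raw.strip()[:3].strip(), reason, raw.strip()))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the sample, the six flagged lines are exactly the ones a helper would ask about; the AVG and Java entries pass through untouched. The allowlist and the naming heuristics are deliberately conservative so the script assists the reader of a log rather than replacing them.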
     
  2. 2008/07/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS, boomstick :)

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Then, you need to get an updated version of HijackThis. Please download the HijackThis Installer from here, then run a scan and save the log. Post the contents of that log here.
     


  4. 2008/07/05
    boomstick

    boomstick Inactive Thread Starter

    Joined:
    2008/07/04
    Messages:
    3
    Likes Received:
    0
    OK, the ComboFix log:

    ComboFix 08-07-04.6 - tyler 2008-07-05 15:55:30.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1603 [GMT -4:00]
    Running from: C:\Documents and Settings\tyler\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\PCHealthCenter
    C:\Program Files\PCHealthCenter\0.gif
    C:\Program Files\PCHealthCenter\1.gif
    C:\Program Files\PCHealthCenter\2.gif
    C:\Program Files\PCHealthCenter\3.gif
    C:\Program Files\PCHealthCenter\sex1.ico
    C:\Program Files\PCHealthCenter\sex2.ico
    C:\Program Files\VAV
    C:\Program Files\VAV\vav0.dat
    C:\Program Files\VAV\vav1.dat
    C:\WINDOWS\system32\bkwitxpm.ini
    C:\WINDOWS\system32\IkkTvyay.ini
    C:\WINDOWS\system32\IkkTvyay.ini2
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\rllxpmqj.ini
    C:\WINDOWS\system32\sex1.ico
    C:\WINDOWS\system32\sex2.ico
    C:\WINDOWS\system32\wurekciu.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
    .

    2008-07-02 20:01 . 2008-07-02 20:01 <DIR> d-------- C:\Documents and Settings\tyler\Application Data\Apple Computer
    2008-07-02 18:36 . 2008-07-05 15:49 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-07-02 18:34 . 2008-07-05 15:49 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-07-02 18:34 . 2008-07-02 18:34 <DIR> d-------- C:\Program Files\AVG
    2008-07-02 18:34 . 2008-07-02 18:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
    2008-07-02 18:34 . 2008-07-03 23:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-02 18:34 . 2008-07-03 23:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-07-02 18:34 . 2008-07-03 23:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-07-02 18:24 . 2004-08-04 00:56 2,897,920 --a------ C:\WINDOWS\system32\xpsp2res.dll
    2008-07-02 18:23 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002299_.tmp
    2008-07-02 16:18 . 2008-07-02 16:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-02 16:15 . 2008-07-02 16:15 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-01 20:02 . 2008-07-01 20:02 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
    2008-07-01 20:02 . 2008-07-01 20:02 0 --a------ C:\Documents and Settings\tyler\jagex_runescape_preferences.dat
    2008-06-30 06:10 . 2008-06-30 06:10 87 --a------ C:\Documents and Settings\All Users.aawqff
    2008-06-30 05:11 . 2008-06-30 05:11 <DIR> d-------- C:\Documents and Settings\tyler\Application Data\DivX
    2008-06-28 07:51 . 2008-06-28 07:51 <DIR> d-------- C:\WINDOWS\Downloaded Installations
    2008-06-28 07:51 . 2008-06-28 07:51 <DIR> d-------- C:\Program Files\Veoh Networks
    2008-06-28 06:51 . 2008-06-28 06:51 <DIR> d-------- C:\Program Files\Lavasoft
    2008-06-28 06:51 . 2008-07-02 16:13 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2008-06-26 09:45 . 2008-07-02 16:13 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2008-06-26 09:45 . 2008-06-26 09:45 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
    2008-06-26 09:45 . 2008-07-05 15:49 334 --ah----- C:\WINDOWS\system32\vsconfig.xml
    2008-06-26 08:14 . 2008-06-26 08:14 1,160 --a------ C:\WINDOWS\mozver.dat
    2008-06-26 00:30 . 2008-07-02 16:14 <DIR> d-------- C:\Program Files\CableRouting
    2008-06-25 23:46 . 2008-07-04 20:54 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-06-25 23:46 . 2008-06-25 23:46 <DIR> d-------- C:\Program Files\Zone Labs
    2008-06-25 23:45 . 2008-06-25 23:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Broderbund LLC
    2008-06-25 23:30 . 2008-06-25 23:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd
    2008-06-25 23:30 . 2008-06-25 19:00 139,264 --a------ C:\WINDOWS\enlx.exe
    2008-06-25 23:30 . 2008-06-25 19:00 81,920 --a------ C:\WINDOWS\tovafrnm.exe
    2008-06-25 23:22 . 2008-06-25 23:22 <DIR> d-------- C:\Program Files\QuickTime
    2008-06-25 23:22 . 2008-06-25 23:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
    2008-06-25 23:12 . 2001-08-23 12:00 68,608 --a------ C:\WINDOWS\system32\olecli32.dll
    2008-06-25 23:07 . 2008-07-02 18:33 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
    2008-06-25 23:07 . 2004-08-12 10:10 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-06-25 22:58 . 2004-08-04 00:56 1,236,480 --a------ C:\WINDOWS\system32\msxml3.dll
    2008-06-25 22:57 . 2004-08-04 00:56 721,920 --a------ C:\WINDOWS\system32\lsasrv.dll
    2008-06-25 22:57 . 2004-08-03 23:14 336,256 --a------ C:\WINDOWS\system32\drivers\srv.sys
    2008-06-25 22:57 . 2004-08-03 23:00 181,248 --a------ C:\WINDOWS\system32\drivers\mrxdav.sys
    2008-06-25 22:57 . 2004-08-04 00:56 67,584 --a------ C:\WINDOWS\system32\webclnt.dll
    2008-06-25 22:56 . 2004-08-03 22:23 526,848 --a------ C:\WINDOWS\system32\hhctrl.ocx
    2008-06-25 22:56 . 2004-08-04 01:01 139,400 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
    2008-06-25 22:53 . 2004-08-04 00:56 1,281,536 --a------ C:\WINDOWS\system32\ole32.dll
    2008-06-25 22:52 . 2004-08-04 00:56 611,328 --a------ C:\WINDOWS\system32\comctl32.dll
    2008-06-25 22:50 . 2004-08-04 00:56 713,216 --a------ C:\WINDOWS\system32\sxs.dll
    2008-06-25 22:50 . 2004-08-04 00:56 87,552 --a------ C:\WINDOWS\system32\fldrclnr.dll
    2008-06-24 19:17 . 2008-06-24 19:17 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-06-24 19:16 . 2008-06-24 19:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\nView_Profiles
    2008-06-21 22:16 . 2008-06-21 22:16 <DIR> d-------- C:\WINDOWS\Sun
    2008-06-21 15:50 . 2008-06-21 15:50 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-06-19 01:10 . 2004-08-03 23:20 2,180,992 --a------ C:\WINDOWS\system32\ntoskrnl.exe
    2008-06-19 01:10 . 2004-08-03 22:59 2,056,832 --a------ C:\WINDOWS\system32\ntkrnlpa.exe
    2008-06-19 01:10 . 2004-08-03 23:17 1,835,904 --a------ C:\WINDOWS\system32\win32k.sys
    2008-06-19 01:10 . 2004-08-04 00:56 577,024 --a------ C:\WINDOWS\system32\user32.dll
    2008-06-19 01:10 . 2004-08-03 23:15 451,456 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
    2008-06-19 01:10 . 2004-08-04 00:56 290,816 --a------ C:\WINDOWS\system32\winsrv.dll
    2008-06-19 01:10 . 2004-08-03 23:20 176,512 --a------ C:\WINDOWS\system32\drivers\rdbss.sys
    2008-06-19 01:10 . 2004-08-04 00:56 101,888 --a------ C:\WINDOWS\system32\cscdll.dll
    2008-06-17 22:25 . 2008-06-17 22:25 <DIR> d-------- C:\Documents and Settings\tyler\Application Data\acccore
    2008-06-17 22:25 . 2008-06-17 22:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
    2008-06-17 22:25 . 2008-06-17 22:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL OCP
    2008-06-17 22:25 . 2008-06-17 22:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
    2008-06-17 22:25 . 2008-06-17 22:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\acccore
    2008-06-17 21:58 . 2008-07-05 05:24 <DIR> d-------- C:\Documents and Settings\tyler\Application Data\LimeWire
    2008-06-17 21:48 . 2008-06-17 21:48 <DIR> d-------- C:\Program Files\Java
    2008-06-17 21:48 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-17 21:47 . 2008-06-17 21:47 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-17 21:42 . 2008-06-27 02:31 <DIR> d-------- C:\Program Files\LimeWire
    2008-06-17 21:38 . 2008-06-17 21:38 <DIR> d-------- C:\Documents and Settings\tyler\Application Data\Talkback
    2008-06-17 21:37 . 2008-06-17 21:37 0 --a------ C:\WINDOWS\nsreg.dat
    2008-06-17 15:59 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
    2008-06-17 15:59 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
    2008-06-17 15:33 . 2008-07-02 16:18 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-06-17 15:33 . 2004-08-04 00:56 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
    2008-06-17 15:33 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
    2008-06-17 15:33 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2008-06-17 15:26 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2008-06-17 15:26 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2008-06-17 15:26 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-06-17 15:26 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-06-17 15:26 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2008-06-17 15:26 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2008-06-17 15:26 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2008-06-17 15:19 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-06-17 15:19 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-06-17 15:19 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-06-17 15:19 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-02 23:16 568,320 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
    2008-07-02 23:16 424,448 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
    2008-07-02 20:19 --------- d-----w C:\Program Files\DivX
    2008-07-02 20:06 585,728 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
    2008-06-23 09:06 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-18 02:25 --------- d-----w C:\Program Files\Viewpoint
    2008-06-18 02:25 --------- d-----w C:\Program Files\AIM6
    2008-06-02 04:40 --------- d-----w C:\Program Files\Driver
    2008-06-02 04:33 --------- d-----w C:\Program Files\NVIDIA Corporation
    2008-06-01 16:54 --------- d-----w C:\Program Files\Realtek
    2008-06-01 16:53 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-06-01 16:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-01 16:02 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-01 16:02 --------- d-----w C:\Documents and Settings\tyler\Application Data\InstallShield
    2008-05-27 04:23 558,142 ----a-w C:\WINDOWS\java\Packages\qg5vvjx7.zip
    2008-05-27 04:23 155,995 ----a-w C:\WINDOWS\java\Packages\t3xjxr3f.zip
    2008-05-22 22:22 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-05-22 22:22 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-05-22 22:22 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [2008-06-12 16:47 50528]
    "Veoh "= "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-06-19 15:15 3664944]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "NvMediaCenter "= "C:\WINDOWS\System32\NvMcTray.dll" [2007-12-05 02:41 81920]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 23:22 1232152]
    "RTHDCPL "= "RTHDCPL.EXE" [2007-10-16 18:30 16855552 C:\WINDOWS\RTHDCPL.exe]
    "nwiz "= "nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [2008-06-26 09:45:24 422984]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli scecli

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe "=
    "C:\\Program Files\\AIM6\\aim6.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe "=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 23:22]
    R1 BIOS;BIOS;C:\WINDOWS\System32\drivers\BIOS.sys [2005-03-16 02:23]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 23:22]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 23:22]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 23:22]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]

    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{33F0C571-69BC-40BD-8C5B-58274C69B37A} - C:\WINDOWS\system32\yayvTkkI.dll
    BHO-{63EE8DD1-D0EB-4A34-B133-E38B41307B27} - C:\WINDOWS\gfetqaxsqsb.dll
    HKLM-Run-c4a1f81f - C:\WINDOWS\System32\mpxtiwkb.dll
    Notify-tuvVLbAP - tuvVLbAP.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-05 15:57:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-05 15:59:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-05 19:59:20

    Pre-Run: 144,807,174,144 bytes free
    Post-Run: 145,929,134,080 bytes free

    215 --- E O F --- 2008-06-26 02:58:50
     
  5. 2008/07/05
    boomstick

    boomstick Inactive Thread Starter

    Joined:
    2008/07/04
    Messages:
    3
    Likes Received:
    0
    HijackThis scan number 2, after ComboFix:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:03, on 7/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.com/
    O2 - BHO: (no name) - {33F0C571-69BC-40BD-8C5B-58274C69B37A} - C:\WINDOWS\system32\yayvTkkI.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: QXK Olive - {63EE8DD1-D0EB-4A34-B133-E38B41307B27} - C:\WINDOWS\gfetqaxsqsb.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5336 bytes
     
  6. 2008/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the ComboFix.exe file you currently have and download a fresh copy (it's been updated) from here, saving it to your desktop.

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/showthread.php?t=74861
    
    Collect::
    C:\WINDOWS\002299_.tmp
    C:\Documents and Settings\All Users.aawqff
    C:\WINDOWS\enlx.exe
    C:\WINDOWS\tovafrnm.exe
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
     
