Topic: Virtumonde.prx and Trojan.Hiloti (Read 2403 times)
Lizi59
« on: June 25, 2010, 06:59:59 PM »

Greetings!  Once again my computer is infected so I
Lizi59
« Reply #1 on: June 25, 2010, 07:04:41 PM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:16 PM, on 6/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Qtixehigatagacu] rundll32.exe "C:\WINDOWS\ohodohaqitejiguc.dll",Startup
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitWise] C:\Program Files\BitWise\BitWise.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.adobe.com/shockwave/welcome/"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Lizi59
« Reply #2 on: June 25, 2010, 07:17:55 PM »


O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249716331656
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249721526632
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/luxor_2/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
O16 - DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} (Clue Control) - http://www.worldwinner.com/games/v68/clue/clue.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35EC4CE0-DBA0-48CD-8A53-38B0C72B7711}: NameServer = 24.25.5.150,24.25.5.149
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcg_device -   - C:\WINDOWS\System32\lxcgcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 5418 bytes
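As an added illustration (my own code, not part of the thread and not HijackThis or ComboFix logic), a small Python triage that parses the O4 autorun lines from the HijackThis log above and flags the one entry here that matches no installed product: the rundll32 load of a randomly named DLL straight out of C:\WINDOWS. The heuristics in assess() are my assumptions about what deserves a second look, not signatures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the O4 lines from the HijackThis log posted above, verbatim.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Qtixehigatagacu] rundll32.exe "C:\WINDOWS\ohodohaqitejiguc.dll",Startup
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitWise] C:\Program Files\BitWise\BitWise.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Registry-backed O4 lines: "O4 - HKLM\..\Run: [ValueName] command"
REG_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# Startup-folder O4 lines: "O4 - Global Startup: Name.lnk = command"
STARTUP_O4 = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")
# First drive-letter path ending in an executable/DLL extension inside a command
MODULE_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll|scr|com|bat))', re.I)


@dataclass
class AutorunEntry:
    location: str           # e.g. HKLM\Run or Global Startup
    name: str               # registry value name or .lnk name
    command: str            # raw command as logged
    module: Optional[str]   # first executable/DLL path found in the command


def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one HijackThis O4 line; return None for anything that is not an O4 entry."""
    line = line.strip()
    m = REG_O4.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        location = f"{hive}\\{key}"
    else:
        m = STARTUP_O4.match(line)
        if not m:
            return None
        name, cmd = m.groups()
        location = "Global Startup"
    mod = MODULE_RE.search(cmd)
    return AutorunEntry(location, name, cmd, mod.group(1) if mod else None)


def uses_rundll32(cmd: str) -> bool:
    """True when the command's first token is rundll32 (with or without .exe)."""
    return cmd.lstrip().lower().split(" ", 1)[0] in ("rundll32", "rundll32.exe")


def assess(e: AutorunEntry) -> List[str]:
    """Return reasons this autorun deserves a closer look (empty list = nothing odd)."""
    reasons: List[str] = []
    if e.module is None:
        return ["could not locate an executable or DLL path in the command"]
    path = e.module.lower()
    directory, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    # Heuristic 1: rundll32 pulling a DLL straight out of the Windows root directory.
    # Legitimate components live in system32 or in a product folder, not in C:\WINDOWS itself.
    if uses_rundll32(e.command) and filename.endswith(".dll") \
            and re.fullmatch(r"[a-z]:\\windows", directory):
        reasons.append("rundll32 loads a DLL from the Windows root directory")
    # Heuristic 2: module sitting in a user-writable profile or temp directory.
    d = directory + "\\"
    if any(tag in d for tag in ("\\documents and settings\\", "\\temp\\", "\\local settings\\")):
        reasons.append("module lives in a user-profile or temp directory")
    # Heuristic 3: long letter-only value name and module name that do not match each other
    # (random-looking names, unlike e.g. [avast5] -> avastUI.exe, which share a vendor stem).
    if stem.isalpha() and len(stem) >= 12 and e.name.isalpha() and e.name.lower() != stem:
        reasons.append("value name and module name are long letter-only strings that do not match")
    return reasons


def triage(log_text: str) -> List[Tuple[str, Optional[str], List[str]]]:
    """Parse every O4 line and return (name, module, reasons) for flagged entries only."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            flagged.append((entry.name, entry.module, reasons))
    return flagged


if __name__ == "__main__":
    for name, module, reasons in triage(SAMPLE_O4):
        print(f"[{name}] {module}")
        for r in reasons:
            print("   -", r)
```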
Pancake
« Reply #3 on: June 25, 2010, 10:21:54 PM »
Please download Malwarebytes' Anti-Malware from one of these places:

 http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

 http://www.besttechie.net/tools/mbam-setup.exe


Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.
An Australian Member of EDDY
Lizi59
« Reply #4 on: June 26, 2010, 12:43:31 AM »

Hiya, Pancake!  My MBAM scan came up clean, but here's the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4241

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/25/2010 8:29:23 PM
mbam-log-2010-06-25 (20-29-23).txt

Scan type: Quick scan
Objects scanned: 123790
Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Something's gotta be wrong! It's never this easy...

Pancake
« Reply #5 on: June 26, 2010, 12:59:26 AM »

Download Combofix and place it on your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start.

You can get help on disabling your protection programs here: http://www.bleepingcomputer.com/forums/topic114351.html

Please include the C:\ComboFix.txt in your next reply for further review.

Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper
Lizi59
« Reply #6 on: June 26, 2010, 03:17:27 PM »

Sorry for the delay - we lost power due to a storm last night and I fell asleep waiting for it to come back on.

ComboFix 10-06-25.04 - Diane Cohn 06/26/2010  10:51:23.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.1213 [GMT -4:00]
Running from: c:\documents and settings\Diane Cohn\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Diane Cohn\Application Data\inst.exe
c:\documents and settings\Diane Cohn\Local Settings\Application Data\{9B6CE73F-6E7C-40C6-9193-C29B89576396}
c:\documents and settings\Diane Cohn\Local Settings\Application Data\{9B6CE73F-6E7C-40C6-9193-C29B89576396}\chrome.manifest
c:\documents and settings\Diane Cohn\Local Settings\Application Data\{9B6CE73F-6E7C-40C6-9193-C29B89576396}\chrome\content\_cfg.js
c:\documents and settings\Diane Cohn\Local Settings\Application Data\{9B6CE73F-6E7C-40C6-9193-C29B89576396}\chrome\content\overlay.xul
c:\documents and settings\Diane Cohn\Local Settings\Application Data\{9B6CE73F-6E7C-40C6-9193-C29B89576396}\install.rdf
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((   Files Created from 2010-05-26 to 2010-06-26  )))))))))))))))))))))))))))))))
.

2010-06-25 19:33 . 2010-06-25 19:33   --------   d-----w-   c:\program files\ESET
2010-06-24 22:53 . 2010-06-25 17:31   120   ----a-w-   c:\windows\Psuwiku.dat
2010-06-24 22:53 . 2010-06-25 13:12   0   ----a-w-   c:\windows\Bmiti.bin
2010-06-22 21:39 . 2010-06-22 21:39   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-22 21:39 . 2010-06-22 21:39   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-22 21:39 . 2010-06-22 21:39   49152   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-22 21:39 . 2010-06-22 21:39   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-22 21:39 . 2010-06-22 21:39   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-22 21:39 . 2010-06-22 21:39   40960   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-22 21:39 . 2010-06-22 21:39   308808   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-22 21:39 . 2010-06-22 21:39   14848   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-22 21:39 . 2010-06-22 21:39   341600   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-22 21:39 . 2010-06-22 21:39   --------   d-----w-   c:\program files\Common Files\xing shared
2010-06-11 07:34 . 2010-06-11 07:34   --------   d-----w-   c:\documents and settings\Diane Cohn\Local Settings\Application Data\PCHealth
2010-06-10 23:32 . 2010-05-06 10:41   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll
2010-06-04 07:00 . 2010-06-04 07:00   --------   d-sh--w-   c:\documents and settings\Default User\IETldCache
2010-06-02 06:51 . 2010-06-02 06:51   --------   d-----w-   c:\program files\Amazing Adventures The Lost Tomb
2010-05-28 07:45 . 2010-06-03 23:00   356352   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\solitairerush\solitairerush.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 04:06 . 2009-08-24 14:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-25 19:44 . 2009-08-08 06:34   --------   d-----w-   c:\program files\Lx_cats
2010-06-25 13:54 . 2009-08-08 06:23   --------   d-----w-   c:\program files\Lexmark 2300 Series
2010-06-25 13:35 . 2010-04-18 21:30   --------   d-----w-   c:\documents and settings\Diane Cohn\Application Data\vlc
2010-06-25 13:15 . 2009-10-29 23:51   --------   d-----w-   c:\documents and settings\Diane Cohn\Application Data\uTorrent
2010-06-24 22:54 . 2009-10-29 23:51   --------   d-----w-   c:\program files\uTorrent
2010-06-22 21:39 . 2009-09-03 05:07   --------   d-----w-   c:\program files\Real
2010-06-22 21:38 . 2009-08-08 06:48   499712   ----a-w-   c:\windows\system32\msvcp71.dll
2010-06-22 21:38 . 2009-08-08 06:48   348160   ----a-w-   c:\windows\system32\msvcr71.dll
2010-06-13 07:21 . 2009-08-29 07:22   --------   d-----w-   c:\documents and settings\Diane Cohn\Application Data\Vso
2010-06-11 04:55 . 2009-09-14 19:51   1235968   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\chuzzle\Chuzzle.dll
2010-06-11 04:55 . 2010-01-13 07:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\WorldWinner
2010-06-07 04:51 . 2010-04-10 06:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\PopCap
2010-06-07 03:20 . 2010-04-30 19:37   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-06-02 06:04 . 2010-03-11 08:24   --------   d---a-w-   c:\documents and settings\All Users\Application Data\Temp
2010-06-02 00:21 . 2010-02-24 06:28   --------   d-----w-   c:\program files\Games
2010-05-26 02:38 . 2010-05-26 02:38   430141   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\luxor\luxor.dll
2010-05-19 02:44 . 2010-03-11 08:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\CyberLink
2010-05-19 02:44 . 2010-03-11 08:30   --------   d-----w-   c:\documents and settings\Diane Cohn\Application Data\CyberLink
2010-05-15 04:21 . 2010-05-15 04:21   401408   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\swapit\swapit.dll
2010-05-10 14:50 . 2009-08-08 16:54   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-10 03:02 . 2009-08-09 05:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-05-07 23:33 . 2010-05-07 23:33   106496   ----a-w-   c:\documents and settings\All Users\Application Data\MGS\cache\a\aurora.1a2291430fa932849077b65b849668f7.dll
2010-05-06 20:59 . 2009-08-08 06:48   165032   ----a-w-   c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-08-08 06:48   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-08-08 06:48   164048   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-08-08 06:48   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-08-08 06:48   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-08-08 06:48   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-08-22 05:29   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-08-08 06:48   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-05-06 10:41 . 2002-09-03 17:12   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-05-06 05:13 . 2009-09-04 14:17   --------   d-----w-   c:\program files\eMule
2010-05-05 06:00 . 2010-04-04 04:48   532480   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\bejeweled\bejeweled.dll
2010-05-02 05:22 . 2002-09-03 17:11   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-30 04:22 . 2010-04-30 04:22   1055744   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\bigmoney\bigmoney.dll
2010-04-29 19:39 . 2009-08-08 16:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-08-08 16:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-23 19:21 . 2010-04-09 16:47   937984   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\plantsvzombies\plantsvzombies.dll
2010-04-20 05:30 . 2002-09-03 16:27   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-04-14 16:47 . 2009-08-08 06:48   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-04-13 00:02 . 2009-08-15 03:03   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-04-10 10:36 . 2010-04-10 10:36   0   ----a-w-   c:\windows\popcreg.dat
2010-04-10 10:36 . 2010-04-10 10:36   0   ----a-w-   c:\windows\popcinfot.dat
2010-04-09 20:53 . 2010-04-09 20:53   106496   ----a-w-   c:\documents and settings\All Users\Application Data\MGS\cache\a\aurora.7e67bbad5bce470d4079b0f4a42b7dac.dll
2010-04-08 04:36 . 2010-04-08 04:36   339968   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-04-08 03:28 . 2010-04-08 03:28   94208   ----a-w-   c:\documents and settings\All Users\Application Data\MGS\cache\l\lua51host.668670e33723f8f8763a1e128bf0ba1b.dll
2010-04-08 03:21 . 2010-04-08 03:21   61440   ----a-w-   c:\documents and settings\All Users\Application Data\MGS\cache\v\void.ad81709fa9924561f9a166574fbcd583.dll
2010-04-08 03:21 . 2010-04-08 03:21   430080   ----a-w-   c:\documents and settings\All Users\Application Data\MGS\cache\m\menucore.8994833bb1ff066b3216bdecd5a9f4c6.dll
2010-03-31 04:16 . 2010-03-31 04:16   99176   ----a-w-   c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10   295264   ----a-w-   c:\windows\system32\PresentationHost.exe
2010-03-31 00:52 . 2009-10-06 18:32   972288   ----a-w-   c:\documents and settings\All Users\Application Data\WorldWinner\dynomite\Dynomite.dll
2009-09-19 02:14 . 2009-09-18 08:29   5667   ----a-w-   c:\program files\data.bin
2009-09-19 02:14 . 2009-09-18 08:28   1266668   ----a-w-   c:\program files\Console.log
2009-09-19 02:14 . 2009-09-18 08:28   327785   ----a-w-   c:\program files\Debug.log
2009-09-19 02:13 . 2009-09-18 08:29   0   ----a-w-   c:\program files\physics.txt
2005-09-09 23:55 . 2009-10-02 02:05   37766164   ----a-w-   c:\program files\Data1.cab
2001-03-07 12:16 . 2001-03-07 12:16   419232   ----a-w-   c:\program files\SOA.DLL
2001-03-07 12:15 . 2001-03-07 12:15   5768608   ----a-w-   c:\program files\MSACCESS.EXE
2001-03-07 12:15 . 2001-03-07 12:15   140704   ----a-w-   c:\program files\MSAEXP30.DLL
2001-03-07 12:15 . 2001-03-07 12:15   435616   ----a-w-   c:\program files\MSACC.OLB
2001-03-07 12:15 . 2001-03-07 12:15   161184   ----a-w-   c:\program files\ACCWIZ.DLL
2001-02-23 22:36 . 2001-02-23 22:36   389632   ------w-   c:\program files\MSCDM.DLL
2001-02-17 03:26 . 2001-02-17 03:26   483328   ----a-w-   c:\program files\UTILITY.MDA_0001
2001-02-13 05:26 . 2001-02-13 05:26   570784   ----a-w-   c:\program files\MSAIN.DLL
2001-02-13 05:25 . 2001-02-13 05:25   378272   ----a-w-   c:\program files\ACWIZRC.DLL
2001-02-09 15:11 . 2001-02-09 15:11   3035136   ----a-w-   c:\program files\msenvdll.CAB3.3643236F_FC70_11D3_A536_0090278A1BB8
2001-02-09 13:05 . 2001-02-09 13:05   136608   ----a-w-   c:\program files\OBALLOON.DLL
2001-02-09 13:00 . 2001-02-09 13:00   79264   ----a-w-   c:\program files\BLNMGR.DLL
2001-02-09 13:00 . 2001-02-09 13:00   62880   ----a-w-   c:\program files\BLNMGRPS.DLL
2001-02-08 14:43 . 2001-02-08 14:43   260   ------w-   c:\program files\README.TXT_0001
2001-02-07 15:53 . 2001-02-07 15:53   615238   ------w-   c:\program files\WDMAIN10.AW
2001-02-07 03:01 . 2001-02-07 03:01   128416   ----a-w-   c:\program files\AW.DLL
2001-02-07 01:36 . 2001-02-07 01:36   132512   ----a-w-   c:\program files\SNAPVIEW.OCX
2001-02-07 01:36 . 2001-02-07 01:36   54688   ----a-w-   c:\program files\SNAPVIEW.EXE
2001-02-02 17:34 . 2001-02-02 17:34   652683   ----a-w-   c:\program files\F271_p1033.dlm.510B3546_8F44_45B7_ADF9_55E2CFD58592
2001-02-02 17:34 . 2001-02-02 17:34   1279688   ----a-w-   c:\program files\F274_p1033.ngr.510B3546_8F44_45B7_ADF9_55E2CFD58592
2001-02-02 17:32 . 2001-02-02 17:32   47756   ----a-w-   c:\program files\F275_s1033.ngr.510B3546_8F44_45B7_ADF9_55E2CFD58592
2001-02-02 17:32 . 2001-02-02 17:32   3177   ----a-w-   c:\program files\F272_s1033.dlm.510B3546_8F44_45B7_ADF9_55E2CFD58592
2001-02-02 17:31 . 2001-02-02 17:31   9680237   ----a-w-   c:\program files\F270_l1033.dlm.510B3546_8F44_45B7_ADF9_55E2CFD58592
2001-02-02 17:31 . 2001-02-02 17:31   24318736   ----a-w-   c:\program files\F273_l1033.ngr.510B3546_8F44_45B7_ADF9_55E2CFD58592
2001-02-02 03:32 . 2001-02-02 03:32   114688   ----a-w-   c:\program files\MSCAL.OCX
2001-01-30 03:20 . 2001-01-30 03:20   8019968   ----a-w-   c:\program files\ACWZTOOL.MDE
2001-01-30 03:19 . 2001-01-30 03:19   5345280   ----a-w-   c:\program files\ACWZMAIN.MDE
2001-01-30 03:19 . 2001-01-30 03:19   1662976   ----a-w-   c:\program files\ACWZLIB.MDE
2001-01-30 03:17 . 2001-01-30 03:17   2314240   ----a-w-   c:\program files\ACWZUSR.MDT
2001-01-30 03:17 . 2001-01-30 03:17   8232960   ----a-w-   c:\program files\ACWZDAT.MDT
2001-01-26 22:57 . 2001-01-26 22:57   36864   ----a-w-   c:\program files\cmddefdl.2BF3.3643236F_FC70_11D3_A536_0090278A1BB8
2001-01-26 18:00 . 2001-01-26 18:00   410783   ------w-   c:\program files\FPMAIN10.AW
2001-01-24 19:31 . 2001-01-24 19:31   484614   ------w-   c:\program files\ACMAIN10.AW
2001-01-24 18:48 . 2001-01-24 18:48   58825   ------w-   c:\program files\XLOW10.AW
2001-01-24 18:48 . 2001-01-24 18:48   596931   ------w-   c:\program files\XLMAIN10.AW
2001-01-24 18:47 . 2001-01-24 18:47   50768   ------w-   c:\program files\WDOW10.AW
2001-01-24 18:46 . 2001-01-24 18:46   42948   ------w-   c:\program files\PPOW10.AW_0001
2001-01-24 18:46 . 2001-01-24 18:46   505689   ------w-   c:\program files\PPMAIN10.AW_0001
2001-01-24 18:45 . 2001-01-24 18:45   46314   ------w-   c:\program files\OLOW10.AW
2001-01-24 18:45 . 2001-01-24 18:45   443513   ------w-   c:\program files\OLMAIN10.AW
2001-01-24 18:44 . 2001-01-24 18:44   52624   ------w-   c:\program files\FPOW10.AW
2001-01-24 18:44 . 2001-01-24 18:44   42334   ------w-   c:\program files\ACOW10.AW
2001-01-24 01:46 . 2001-01-24 01:46   200704   ----a-w-   c:\program files\csspkgdl.2BF3.3643236F_FC70_11D3_A536_0090278A1BB8
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-22 202256]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17   952768   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42   36272   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59   122880   ----a-w-   c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 23:03   152872   ----a-w-   c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-06-04 01:59   103720   ------w-   c:\program files\CyberLink\Power2Go\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
2001-12-20 13:42   35328   ----a-w-   c:\progra~1\Logitech\MOUSEW~1\system\EM_EXEC.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2005-08-01 12:05   94208   ----a-w-   c:\program files\Lexmark 2300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2010-03-11 08:36   557056   ----a-w-   c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
2005-07-21 06:07   200704   ----a-w-   c:\program files\Lexmark 2300 Series\lxcgmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39   1090952   ----a-w-   c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
2002-06-13 19:01   49152   ----a-w-   c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57   153136   ----a-w-   c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-04-01 20:16   5562368   ----a-w-   c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-04-01 20:16   86016   ----a-w-   c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-04-01 20:16   1495040   ----a-w-   c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2009-04-16 04:54   50472   ------w-   c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2009-04-16 04:52   91432   ------w-   c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43   248040   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-06-22 21:38   202256   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LXCGCATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\POPNOTE\\popnote.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\BitWise\\BitWise.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/8/2009 2:48 AM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2009 1:29 AM 19024]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]
S3 Tirminal.Client.iComObject;Tirminal.Client.iComObject;c:\windows\system32\dllhost.exe [9/3/2002 12:31 PM 5120]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-725345543-1682526488-2147238677-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-1682526488-2147238677-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-26 c:\windows\Tasks\User_Feed_Synchronization-{AED61767-9FFD-496E-AF4B-7CBD6584F5E6}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: {35EC4CE0-DBA0-48CD-8A53-38B0C72B7711} = 24.25.5.150,24.25.5.149
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16????????????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1682526488-2147238677-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0235CC1-6769-0919-DC6B-19BFFE7CBA33}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"kabeikpfedipcjihekbiif"=hex:67,61,64,65,62,6b,63,63,6d,6c,68,67,6c,6d,00,00
"kabeikpfedipcjihekbiff"=hex:66,61,6f,63,62,6b,62,6b,65,62,63,66,00,6d
.
Completion time: 2010-06-26  11:03:54
ComboFix-quarantined-files.txt  2010-06-26 15:03

Pre-Run: 43,244,216,320 bytes free
Post-Run: 43,351,588,864 bytes free

- - End Of File - - C950316139807E54A8A4B560AF4C864A
Pancake
« Reply #7 on: June 26, 2010, 10:39:10 PM »

Ok. All done. I see no more malware. This will clear away any of the files and folders that were created by ComboFix.

Go to Start > Run, then copy and paste the following text into the box and click OK:

ComboFix /Uninstall


Please read these for future reference; they may save you future problems with malware:


http://www.pchelpforum.com/fixed-hijackthis-logs/59327-now-you-all-clean-afterwork.html

http://www.pchelpforum.com/fixed-hijackthis-logs/64964-so-you-want-prevent-happening.html

http://www.pchelpforum.com/fixed-hijackthis-logs/57400-how-did-i-get-infected.html

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
=============================


This will help clean up your system.

Please download ATF Cleaner by Atribune. http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser and want to keep saved passwords, click No at the prompt.)

It's normal, after running ATF Cleaner, for the PC to be slower to boot the first time or two.
Lizi59
« Reply #8 on: June 27, 2010, 01:57:08 AM »

My hero as always! Thanks for your help, Pancake
Pancake
« Reply #9 on: June 27, 2010, 10:31:06 PM »

You're welcome. Glad to help.