
Solved: Odd .dll files and Nameserver Problems

Discussion in 'Virus & Other Malware Removal' started by Zedrik, May 9, 2008.

  1. Zedrik

    Zedrik Thread Starter

    Joined:
    May 9, 2008
    Messages:
    14
    The other day Google wasn't working. So I checked HijackThis and noticed two odd .dll files being loaded.

    khneiibv.dll,b
    xlahfyaq.dll,s

    And a nameserver entry directing to an IP I don't know.

    12.109.94.4
    12.109.94.5

    I logged out of that XP account and logged in to another, and it said it failed to load the .dll files due to lack of permissions. So I deleted the .dll files, used HijackThis to fix those three entries, and all seemed well.

    Until tonight. Two new odd .dll files were on the system and the nameserver was back, directing to the same IPs. I repeated the procedure from the other day and all seemed well at first. But now random sites keep coming back with "Server not found" errors and the nameserver entry randomly comes back in HijackThis. More and more sites keep getting this error as I search for a solution, even sites I'd been on just recently.

    I don't know what to do now. Hopefully someone can help me.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 03:38:55, on 5/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\system32\brsvc01a.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\WINDOWS\system32\brss01a.exe
    I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\WINDOWS\Explorer.EXE
    I:\WINDOWS\system32\pctspk.exe
    I:\WINDOWS\system32\RUNDLL32.EXE
    I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    I:\Program Files\Mozilla Firefox\firefox.exe
    I:\Program Files\Windows Live\Messenger\usnsvc.exe
    I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - I:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - I:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - I:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
     
  2. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)


    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Go to Start ---> Run ---> Type "%userprofile%\Desktop\dss.exe" /config and press Enter.
    3. Check the following additional scans:
      • Drivers
      • Services
      • Process Modules
    4. Click Ok and follow the prompts.
    5. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
    6. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    7. Please attach extra.txt to your post.
    What DSS will do:
    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
     
  3. Zedrik

    Zedrik Thread Starter

    Joined:
    May 9, 2008
    Messages:
    14
    Deckard's System Scanner v20071014.68
    Run by Jason on 2008-05-10 13:52:27
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    44: 2008-05-10 17:53:11 UTC - RP44 - Deckard's System Scanner Restore Point
    43: 2008-05-10 17:39:31 UTC - RP43 - Removed TubeHunter Ultra
    42: 2008-05-08 20:41:33 UTC - RP42 - System Checkpoint
    41: 2008-05-10 17:39:25 UTC - RP41 - Installed Java(TM) 6 Update 5
    40: 2008-05-07 04:17:13 UTC - RP40 - Last known good configuration


    -- First Restore Point --
    1: 2008-05-07 04:17:02 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Jason.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:54:28, on 5/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\system32\brsvc01a.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\WINDOWS\system32\brss01a.exe
    I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\WINDOWS\Explorer.EXE
    I:\WINDOWS\system32\pctspk.exe
    I:\WINDOWS\system32\RUNDLL32.EXE
    I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\Mozilla Firefox\firefox.exe
    I:\WINDOWS\system32\rundll32.exe
    I:\WINDOWS\system32\rundll32.exe
    I:\Program Files\Trend Micro\dss.exe
    I:\PROGRA~1\TRENDM~1\HIJACK~1\Jason.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - I:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {D3A21DF4-3FAC-4330-AF11-3B7698F5BFCB} - I:\WINDOWS\system32\vtUnLDTm.dll
    O2 - BHO: (no name) - {e9770fc1-0d3a-4e51-8f7a-118c5f881ebd} - I:\WINDOWS\system32\bkbjsxhq.dll
    O2 - BHO: (no name) - {F7F6584C-864B-411D-A410-BB2DE0D33CA1} - I:\WINDOWS\system32\cbXNETjJ.dll
    O2 - BHO: {0af8e135-f287-3749-6a84-13228ad95cdf} - {fdc59da8-2231-48a6-9473-782f531e8fa0} - I:\WINDOWS\system32\ydwnbmys.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [BM6f502855] Rundll32.exe "I:\WINDOWS\system32\uudxcoeo.dll",s
    O4 - HKLM\..\Run: [000000af] rundll32.exe "I:\WINDOWS\system32\wfjlbdqk.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - I:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - I:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - I:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    O20 - Winlogon Notify: cbXNETjJ - I:\WINDOWS\SYSTEM32\cbXNETjJ.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - I:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5771 bytes

    -- HijackThis Fixed Entries (I:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20080314-143736-880 O4 - HKCU\..\Run: [BitTorrent DNA] "I:\Program Files\DNA\btdna.exe"
    backup-20080314-143806-772 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080507-001122-290 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    backup-20080507-001122-726 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080507-021226-418 O4 - HKLM\..\Run: [runner1] I:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
    backup-20080507-062630-455 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080507-160458-229 O4 - HKLM\..\Run: [000000af] rundll32.exe "I:\WINDOWS\system32\khneiibv.dll",b
    backup-20080507-160458-834 O4 - HKLM\..\Run: [BM6f502855] Rundll32.exe "I:\WINDOWS\system32\xlahfyaq.dll",s
    backup-20080507-160548-942 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080507-162246-345 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080507-164645-472 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080507-173230-494 O4 - HKLM\..\Run: [BM6f502855] Rundll32.exe "I:\WINDOWS\system32\xlahfyaq.dll",s
    backup-20080507-173241-420 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080507-173420-548 O4 - HKLM\..\Run: [BM6f502855] Rundll32.exe "I:\WINDOWS\system32\xlahfyaq.dll",s
    backup-20080509-001552-718 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080509-002009-518 O4 - HKLM\..\Run: [000000af] rundll32.exe "I:\WINDOWS\system32\vlxxomdj.dll",b
    backup-20080509-002009-601 O4 - HKLM\..\Run: [BM6f502855] Rundll32.exe "I:\WINDOWS\system32\xdnqunak.dll",s
    backup-20080509-002430-216 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080509-003750-168 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080509-023242-482 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080509-024155-766 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080509-030317-203 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080509-035747-545 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080509-145015-825 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    backup-20080509-163412-547 O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4

    -- File Associations -----------------------------------------------------------

    .cpl - cplfile - shell\runas\command - unable to read value


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: USB Device
    Device ID: USB\VID_04F9&PID_0169&MI_01\6&262CA655&0&0001
    Manufacturer:
    Name: USB Device
    PNP Device ID: USB\VID_04F9&PID_0169&MI_01\6&262CA655&0&0001
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&68
    Manufacturer: Realtek
    Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&68
    Service: rtl8139


    -- Files created between 2008-04-10 and 2008-05-10 -----------------------------

    2008-05-10 13:53:52 2112 --a------ I:\WINDOWS\system32\fwnolcam.exe
    2008-05-10 13:51:15 91712 --a------ I:\WINDOWS\system32\wfjlbdqk.dll
    2008-05-10 13:50:53 100416 --a------ I:\WINDOWS\system32\uudxcoeo.dll
    2008-05-10 13:45:00 102464 --a------ I:\WINDOWS\system32\ydwnbmys.dll
    2008-05-10 13:44:56 2112 --a------ I:\WINDOWS\system32\kpajptit.exe
    2008-05-10 13:41:53 91712 -----n--- I:\WINDOWS\system32\drwbyevg.dll
    2008-05-09 16:37:36 0 dr-h----- I:\Documents and Settings\Troubleshooter\Recent
    2008-05-09 16:36:52 0 dr-h----- I:\Documents and Settings\Jason\Recent
    2008-05-09 15:11:37 0 d-------- I:\Program Files\Yahoo!
    2008-05-09 15:11:29 0 d-------- I:\Program Files\CCleaner
    2008-05-09 04:00:43 0 d-------- I:\Documents and Settings\Troubleshooter\Application Data\Macromedia
    2008-05-09 04:00:43 0 d-------- I:\Documents and Settings\Troubleshooter\Application Data\Adobe
    2008-05-09 03:54:29 0 d-------- I:\Documents and Settings\Troubleshooter\Application Data\Talkback
    2008-05-09 03:53:16 0 d-------- I:\Documents and Settings\Troubleshooter\Contacts
    2008-05-09 03:52:55 0 d-------- I:\Documents and Settings\Troubleshooter\Application Data\Mozilla
    2008-05-09 03:46:25 0 d--h----- I:\Documents and Settings\Troubleshooter\Templates
    2008-05-09 03:46:25 0 dr------- I:\Documents and Settings\Troubleshooter\Start Menu
    2008-05-09 03:46:25 0 dr-h----- I:\Documents and Settings\Troubleshooter\SendTo
    2008-05-09 03:46:25 0 d--h----- I:\Documents and Settings\Troubleshooter\PrintHood
    2008-05-09 03:46:25 0 d--h----- I:\Documents and Settings\Troubleshooter\NetHood
    2008-05-09 03:46:25 0 dr------- I:\Documents and Settings\Troubleshooter\My Documents
    2008-05-09 03:46:25 0 d--h----- I:\Documents and Settings\Troubleshooter\Local Settings
    2008-05-09 03:46:25 0 dr------- I:\Documents and Settings\Troubleshooter\Favorites
    2008-05-09 03:46:25 0 d-------- I:\Documents and Settings\Troubleshooter\Desktop
    2008-05-09 03:46:25 0 d--hs---- I:\Documents and Settings\Troubleshooter\Cookies
    2008-05-09 03:46:25 0 dr-h----- I:\Documents and Settings\Troubleshooter\Application Data
    2008-05-09 03:46:25 0 d---s---- I:\Documents and Settings\Troubleshooter\Application Data\Microsoft
    2008-05-09 03:46:24 786432 --ah----- I:\Documents and Settings\Troubleshooter\NTUSER.DAT
    2008-05-09 00:20:43 0 dr-h----- I:\Documents and Settings\Linda\Recent
    2008-05-08 17:22:40 2112 --a------ I:\WINDOWS\system32\iqremexx.exe
    2008-05-07 16:05:43 106560 --a------ I:\WINDOWS\system32\bkbjsxhq.dll
    2008-05-07 16:02:46 2112 --a------ I:\WINDOWS\system32\krcopkus.exe
    2008-05-07 00:16:51 1037749 --ahs---- I:\WINDOWS\system32\mTDLnUtv.ini2
    2008-05-07 00:15:10 281600 --a------ I:\WINDOWS\system32\vtUnLDTm.dll
    2008-05-07 00:10:35 37376 --a------ I:\WINDOWS\mrofinu1535.exe
    2008-05-07 00:10:03 41984 --a------ I:\WINDOWS\system32\cbXNETjJ.dll
    2008-05-06 15:01:01 0 d-------- I:\WINDOWS\Downloaded Installations
    2008-04-22 00:16:17 0 d-------- I:\WINDOWS\system32\DirectX
    2008-04-22 00:10:34 0 d-------- I:\WINDOWS\UFO Extraterrestrials
    2008-04-22 00:10:34 0 d-------- I:\Program Files\Tri Synergy
    2008-04-17 04:35:45 0 d-------- I:\Program Files\LView Pro 21
    2008-04-17 04:25:46 0 d-------- I:\Program Files\LView Pro 2006 - Trial Version
    2008-04-10 19:44:37 0 d-------- I:\Documents and Settings\Jason\Application Data\Apple Computer


    -- Find3M Report ---------------------------------------------------------------

    2008-05-10 13:56:52 102464 --a------ I:\WINDOWS\system32\mnkghylw.dll
    2008-05-10 13:52:08 0 d-------- I:\Program Files\Trend Micro
    2008-05-10 13:41:06 1536 --a------ I:\WINDOWS\system32\TrueSoft.dat
    2008-05-09 15:11:03 0 d-------- I:\Program Files\GetRight
    2008-05-06 00:57:44 0 d-------- I:\Documents and Settings\Jason\Application Data\LimeWire
    2008-05-01 15:43:19 0 d-------- I:\Program Files\City of Heroes
    2008-04-04 01:48:56 0 d-------- I:\Program Files\QuickTime
    2008-04-04 01:48:08 0 d-------- I:\Program Files\Apple Software Update
    2008-03-19 15:04:15 0 d-------- I:\Program Files\3ML Editor
    2008-03-18 20:23:58 0 d-------- I:\Program Files\Common Files\INCA Shared
    2008-03-17 18:06:00 0 d-------- I:\Program Files\EA GAMES
    2008-03-13 15:31:35 0 d-------- I:\Documents and Settings\Jason\Application Data\DNA
    2008-03-13 02:00:35 0 d-------- I:\Documents and Settings\Jason\Application Data\BitTorrent
    2008-03-12 10:58:05 0 d-------- I:\Program Files\DNA
    2008-02-17 05:23:57 82774 --a------ I:\WINDOWS\Uninstall Jade Empire.exe <Not Verified; BioWare Corp.; Jade Empire>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3A21DF4-3FAC-4330-AF11-3B7698F5BFCB}]
    05/07/2008 00:16 281600 --a------ I:\WINDOWS\system32\vtUnLDTm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9770fc1-0d3a-4e51-8f7a-118c5f881ebd}]
    05/07/2008 16:06 106560 --a------ I:\WINDOWS\system32\bkbjsxhq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7F6584C-864B-411D-A410-BB2DE0D33CA1}]
    05/07/2008 00:10 41984 --a------ I:\WINDOWS\system32\cbXNETjJ.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{faa1e774-ffdf-4418-a611-47eaf47a314b}]
    05/10/2008 13:56 102464 --a------ I:\WINDOWS\system32\mnkghylw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCTVOICE"="pctspk.exe" [07/09/2002 22:49 I:\WINDOWS\system32\pctspk.exe]
    "NeroFilterCheck"="I:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 06:50]
    "Adobe Reader Speed Launcher"="I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 23:16]
    "NvCplDaemon"="I:\WINDOWS\system32\NvCpl.dll" [10/29/2007 16:57]
    "nwiz"="nwiz.exe" [10/29/2007 16:57 I:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="I:\WINDOWS\system32\NvMcTray.dll" [10/29/2007 16:57]
    "SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11]
    "QuickTime Task"="I:\Program Files\QuickTime\QTTask.exe" [01/31/2008 23:13]
    "BM6f502855"="I:\WINDOWS\system32\uudxcoeo.dll" [05/10/2008 13:51]
    "000000af"="I:\WINDOWS\system32\wfjlbdqk.dll" [05/10/2008 13:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [08/03/2004 19:56]
    "MsnMsgr"="I:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    "ShowDeskFix"=regsvr32 /s /n /i:u shell32

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoDesktopCleanupWizard"=1 (0x1)
    "HideRunAsVerb"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"=1 (0x1)
    "NoResolveTrack"=1 (0x1)
    "LinkResolveIgnoreLinkInfo"=1 (0x1)
    "NoResolveSearch"=1 (0x1)
    "ClearRecentDocsOnExit"=1 (0x1)
    "NoStartBanner"=1 (0x1)
    "NoSMConfigurePrograms"=1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"=1 (0x1)
    "NoResolveTrack"=1 (0x1)
    "LinkResolveIgnoreLinkInfo"=1 (0x1)
    "NoResolveSearch"=1 (0x1)
    "ClearRecentDocsOnExit"=1 (0x1)
    "NoStartBanner"=1 (0x1)
    "NoSMConfigurePrograms"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= I:\Program Files\Qualcomm\Eudora\EuShlExt.dll [08/17/2006 15:57 86016]
    "{F7F6584C-864B-411D-A410-BB2DE0D33CA1}"= I:\WINDOWS\system32\cbXNETjJ.dll [05/07/2008 00:10 41984]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXNETjJ]
    cbXNETjJ.dll 05/07/2008 00:10 41984 I:\WINDOWS\system32\cbXNETjJ.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 I:\WINDOWS\system32\vtUnLDTm

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService WebClient LmHosts upnphost SSDPSRV




    -- End of Deckard's System Scanner: finished at 2008-05-10 14:01:03 ------------
     

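Editor's note on the two logs above. The DSS report makes the pattern behind the first post visible: the random eight-letter DLLs are loaded via rundll32 from HKLM\..\Run (O4), the same family also registers unnamed BHOs (O2), a Winlogon Notify package (O20) and, in the registry dump, a ShellExecuteHook and an LSA authentication package, while the O17 NameServer value pointing at 12.109.94.4/.5 is re-created after every fix. Fixing one HijackThis entry at a time misses the other load points. The script below is an added example for this thread, not code from HijackThis, DSS or any poster: it triages a HijackThis v2 log for exactly those entry types and correlates DLLs that appear in more than one load point. EXPECTED_RESOLVERS and KNOWN_WINLOGON_NOTIFY are constructed placeholders; the sample lines are copied from the logs posted above.

```python
"""Triage a HijackThis v2 log for resolver hijacking and DLL persistence.

Added example for this thread; not code from HijackThis, DSS or any poster.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumption (constructed for the example): resolvers the owner expects to see.
# Take them from the router, ISP or DHCP lease in practice.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Assumption (constructed): Winlogon Notify packages the analyst has verified.
KNOWN_WINLOGON_NOTIFY = {"!saswinlogon"}

RE_O2_BHO = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9a-f-]{36}\}) - (?P<path>.+)$", re.I)
RE_O4_RUNDLL = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r'rundll32(?:\.exe)? "?(?P<dll>[^",]+)"?,(?P<export>\w+)$', re.I)
RE_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ]+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RE_GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
RE_RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$", re.I)  # eight-letter names like uudxcoeo.dll


def basename(win_path):
    """Last component of a Windows path (os.path does not split backslashes on POSIX)."""
    return win_path.rsplit("\\", 1)[-1]


def triage(lines):
    """Return (severity, section, reason) findings for HijackThis log lines."""
    findings = []
    hooks = defaultdict(set)  # DLL base name -> sections it is registered in

    for line in lines:
        line = line.strip()
        if m := RE_O2_BHO.match(line):
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append(("low", "O2", f"orphaned BHO {m.group('clsid')}: entry with no DLL"))
            elif name == "(no name)" or RE_GUID.match(name):
                hooks[basename(path).lower()].add("O2")
                findings.append(("high", "O2", f"unnamed BHO loading {path}"))
        elif m := RE_O4_RUNDLL.match(line):
            base = basename(m.group("dll"))
            # Vendor entries (NvCpl.dll,NvStartup) have real names and named exports;
            # the droppers in this thread use eight random letters and a one-letter export.
            if RE_RANDOM_DLL.match(base) and len(m.group("export")) == 1:
                hooks[base.lower()].add("O4")
                findings.append(("high", "O4", f"[{m.group('name')}] rundll32 loads random-named {base},{m.group('export')}"))
        elif m := RE_O17.match(line):
            for server in m.group("servers").split():
                try:
                    ip_address(server)
                except ValueError:
                    continue
                if server not in EXPECTED_RESOLVERS:
                    findings.append(("high", "O17", f"NameServer {server} is not an expected resolver"))
        elif m := RE_O20.match(line):
            name, path = m.group("name"), m.group("path")
            if name.lower() in KNOWN_WINLOGON_NOTIFY:
                continue
            if path.endswith("(file missing)"):
                findings.append(("low", "O20", f"orphaned Winlogon Notify {name}: remove the registry key"))
            else:
                hooks[basename(path).lower()].add("O20")
                findings.append(("high", "O20", f"unknown Winlogon Notify {name} loads {path}"))

    # The same DLL registered in several load points re-creates whatever a
    # single HijackThis fix removes, so report that correlation explicitly.
    for dll, sections in sorted(hooks.items()):
        if len(sections) > 1:
            findings.append(("high", "cross", f"{dll} registered in {'/'.join(sorted(sections))}"))
    return findings


# Sample input: lines copied from the DSS/HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: (no name) - {F7F6584C-864B-411D-A410-BB2DE0D33CA1} - I:\WINDOWS\system32\cbXNETjJ.dll
O2 - BHO: {0af8e135-f287-3749-6a84-13228ad95cdf} - {fdc59da8-2231-48a6-9473-782f531e8fa0} - I:\WINDOWS\system32\ydwnbmys.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM6f502855] Rundll32.exe "I:\WINDOWS\system32\uudxcoeo.dll",s
O4 - HKLM\..\Run: [000000af] rundll32.exe "I:\WINDOWS\system32\wfjlbdqk.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXNETjJ - I:\WINDOWS\SYSTEM32\cbXNETjJ.dll
"""

if __name__ == "__main__":
    for severity, section, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{severity:4} {section:5} {reason}")
```

Run it against a saved HijackThis log and read the "cross" lines first: a DLL that is both a BHO and a Winlogon Notify package (or a ShellExecuteHook or LSA package, which this script does not parse) is loaded before any user-mode cleaner runs, so deleting the Run entries alone will not hold. The O17 check is deliberately an allow-list, not a block-list of known bad resolvers: any resolver the owner did not configure is suspect, whatever the address.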
  4. Zedrik

    Zedrik Thread Starter

    Joined:
    May 9, 2008
    Messages:
    14
    Haven't been able to access the internet the last few days because of issues with the phone company. I seem to have been able to deal with the other problems, but the Nameserver issue keeps popping up.

    New HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:55:25, on 5/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\system32\brsvc01a.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\WINDOWS\system32\brss01a.exe
    I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\WINDOWS\Explorer.EXE
    I:\WINDOWS\system32\pctspk.exe
    I:\WINDOWS\system32\RUNDLL32.EXE
    I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    I:\Program Files\Mozilla Firefox\firefox.exe
    I:\Program Files\Windows Live\Messenger\usnsvc.exe
    I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - I:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - I:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - I:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - I:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: cbXNETjJ - cbXNETjJ.dll (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - I:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5436 bytes
     
  5. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Link 1
    Link 2
    Link 3


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall
     
  6. Zedrik

    Zedrik Thread Starter

    Joined:
    May 9, 2008
    Messages:
    14
    ComboFix 08-05-12.1 - Jason 2008-05-14 15:10:57.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.903 [GMT -4:00]
    Running from: I:\Documents and Settings\Jason\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    I:\WINDOWS\pskt.ini
    I:\WINDOWS\system32\gveybwrd.ini
    I:\WINDOWS\system32\mcrh.tmp
    I:\WINDOWS\system32\mTDLnUtv.ini
    I:\WINDOWS\system32\mTDLnUtv.ini2
    I:\WINDOWS\system32\vbiienhk.ini
    I:\WINDOWS\system32\ydwnbmys.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
    .

    2008-05-14 15:14 . 2008-05-14 15:14 <DIR> d-------- I:\WINDOWS\system32\xircom
    2008-05-14 15:14 . 2008-05-14 15:14 <DIR> d-------- I:\WINDOWS\srchasst
    2008-05-14 15:14 . 2008-05-14 15:14 <DIR> d-------- I:\Program Files\microsoft frontpage
    2008-05-10 17:19 . 2008-05-10 17:19 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-05-10 16:49 . 2008-03-25 02:37 69,632 --a------ I:\WINDOWS\system32\javacpl.cpl
    2008-05-10 16:48 . 2008-05-10 16:48 <DIR> d-------- I:\Program Files\Common Files\Java
    2008-05-10 15:45 . 2008-05-10 15:45 <DIR> d-------- I:\Program Files\Malwarebytes' Anti-Malware
    2008-05-10 15:45 . 2008-05-10 15:45 <DIR> d-------- I:\Documents and Settings\Jason\Application Data\Malwarebytes
    2008-05-10 15:45 . 2008-05-10 15:45 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-10 15:45 . 2008-05-05 20:46 27,048 --a------ I:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-10 15:45 . 2008-05-05 20:46 15,864 --a------ I:\WINDOWS\system32\drivers\mbam.sys
    2008-05-10 15:12 . 2008-05-10 15:12 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-05-10 15:11 . 2008-05-10 15:11 <DIR> d-------- I:\Program Files\SUPERAntiSpyware
    2008-05-10 15:11 . 2008-05-10 15:11 <DIR> d-------- I:\Program Files\Common Files\Wise Installation Wizard
    2008-05-10 15:11 . 2008-05-10 15:11 <DIR> d-------- I:\Documents and Settings\Jason\Application Data\SUPERAntiSpyware.com
    2008-05-10 13:53 . 2008-05-10 13:53 2,112 --a------ I:\WINDOWS\system32\fwnolcam.exe
    2008-05-10 13:51 . 2008-05-10 13:51 <DIR> d-------- I:\Deckard
    2008-05-10 13:44 . 2008-05-10 13:44 2,112 --a------ I:\WINDOWS\system32\kpajptit.exe
    2008-05-09 15:11 . 2008-05-09 15:11 <DIR> d-------- I:\Program Files\Yahoo!
    2008-05-09 15:11 . 2008-05-09 15:12 <DIR> d-------- I:\Program Files\CCleaner
    2008-05-09 03:54 . 2008-05-09 03:54 <DIR> d-------- I:\Documents and Settings\Troubleshooter\Application Data\Talkback
    2008-05-09 03:53 . 2008-05-09 03:53 <DIR> d-------- I:\Documents and Settings\Troubleshooter\Contacts
    2008-05-09 03:46 . 2008-05-10 14:34 <DIR> d-------- I:\Documents and Settings\Troubleshooter
    2008-05-09 03:46 . 2004-08-03 19:56 221,184 --a------ I:\WINDOWS\system32\wmpns.dll
    2008-05-09 03:46 . 2008-05-14 15:14 1,024 --ah----- I:\Documents and Settings\Troubleshooter\ntuser.dat.LOG
    2008-05-09 02:57 . 2008-05-09 03:01 <DIR> d-------- I:\fixwareout
    2008-05-08 17:28 . 2008-05-08 17:28 294 ---hs---- I:\WINDOWS\system32\jdmoxxlv.ini
    2008-05-08 17:22 . 2008-05-08 17:22 2,112 --a------ I:\WINDOWS\system32\iqremexx.exe
    2008-05-07 16:02 . 2008-05-07 16:02 2,112 --a------ I:\WINDOWS\system32\krcopkus.exe
    2008-05-07 15:57 . 2008-05-10 14:30 109,827 --a------ I:\WINDOWS\BM6f502855.xml
    2008-05-06 15:01 . 2008-05-06 15:01 <DIR> d-------- I:\WINDOWS\Downloaded Installations
    2008-04-22 00:10 . 2008-04-22 00:10 <DIR> d-------- I:\WINDOWS\UFO Extraterrestrials
    2008-04-22 00:10 . 2008-04-22 00:10 <DIR> d-------- I:\Program Files\Tri Synergy
    2008-04-17 04:35 . 2007-04-20 06:30 <DIR> d-------- I:\Program Files\LView Pro 21

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-14 19:10 --------- d-----w I:\Program Files\GetRight
    2008-05-13 18:23 --------- d-----w I:\Program Files\City of Heroes
    2008-05-10 20:49 --------- d-----w I:\Program Files\Java
    2008-05-10 17:52 --------- d-----w I:\Program Files\Trend Micro
    2008-05-08 00:30 98,304 ----a-w I:\WINDOWS\DUMP4074.tmp
    2008-05-06 04:57 --------- d-----w I:\Documents and Settings\Jason\Application Data\LimeWire
    2008-05-03 01:38 98,304 ----a-w I:\WINDOWS\DUMP3b34.tmp
    2008-04-13 04:16 98,304 ----a-w I:\WINDOWS\DUMP3af5.tmp
    2008-04-10 23:44 --------- d-----w I:\Documents and Settings\Jason\Application Data\Apple Computer
    2008-04-04 05:48 --------- d-----w I:\Program Files\QuickTime
    2008-04-04 05:48 --------- d-----w I:\Program Files\Apple Software Update
    2008-04-04 05:48 --------- d-----w I:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-04-04 05:48 --------- d-----w I:\Documents and Settings\All Users\Application Data\Apple
    2008-03-19 19:04 --------- d-----w I:\Program Files\3ML Editor
    2008-03-19 00:23 --------- d-----w I:\Program Files\Common Files\INCA Shared
    2008-03-17 22:15 107,888 ----a-w I:\WINDOWS\system32\CmdLineExt.dll
    2008-03-17 22:06 --------- d-----w I:\Program Files\EA GAMES
    2008-02-26 09:17 98,304 ----a-w I:\WINDOWS\DUMP491e.tmp
    2008-02-17 09:23 82,774 ----a-w I:\WINDOWS\Uninstall Jade Empire.exe
    2008-02-05 23:00 16,384 --sha-w I:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    2008-02-05 23:00 32,768 --sha-w I:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    2008-02-05 23:00 32,768 --sha-w I:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008020520080206\index.dat
    2008-02-05 23:00 32,768 --sha-w I:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .

    ------- Sigcheck -------

    2007-06-27 14:42 360704 a11391be25035570ae4b8970920f2c74 I:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:56 15360]
    "MsnMsgr"="I:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
    "SUPERAntiSpyware"="I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCTVOICE"="pctspk.exe" [2002-07-09 22:49 167936 I:\WINDOWS\system32\pctspk.exe]
    "NeroFilterCheck"="I:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 06:50 155648]
    "Adobe Reader Speed Launcher"="I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "NvCplDaemon"="I:\WINDOWS\system32\NvCpl.dll" [2007-10-29 16:57 8466432]
    "nwiz"="nwiz.exe" [2007-10-29 16:57 1626112 I:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="I:\WINDOWS\system32\NvMcTray.dll" [2007-10-29 16:57 81920]
    "QuickTime Task"="I:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
    "SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2007-06-24 03:41 124928 I:\WINDOWS\system32\advpack.dll]
    "ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoDesktopCleanupWizard"= 1 (0x1)
    "HideRunAsVerb"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= I:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 15:57 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= I:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    I:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 I:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXNETjJ]
    cbXNETjJ.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "I:\\Program Files\\NeverwinterNights\\NWN\\nwmain.exe"=
    "I:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "I:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "I:\\Program Files\\LimeWire\\LimeWire.exe"=
    "I:\\Program Files\\DNA\\btdna.exe"=

    R2 npkcmsvc;npkcmsvc;I:\Program File\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);I:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 03:39]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-14 15:15:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    I:\WINDOWS\system32\brss01a.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-14 15:17:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-14 19:17:28

    Pre-Run: 108,109,107,200 bytes free
    Post-Run: 108,079,382,528 bytes free

    161

    ---------------------------------------------------------------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:22:01, on 5/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\WINDOWS\system32\brss01a.exe
    I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\WINDOWS\system32\pctspk.exe
    I:\WINDOWS\system32\RUNDLL32.EXE
    I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    I:\WINDOWS\explorer.exe
    I:\WINDOWS\system32\notepad.exe
    I:\Program Files\Mozilla Firefox\firefox.exe
    I:\Program Files\Windows Live\Messenger\usnsvc.exe
    I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - I:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - I:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - I:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - I:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: cbXNETjJ - cbXNETjJ.dll (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - I:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Indexing Service (CiSvc) - Unknown owner - I:\WINDOWS\system32\cisvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - I:\WINDOWS\System32\ups.exe (file missing)

    --
    End of file - 5465 bytes
     
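    The two entries that survived every cleanup in the logs above are the O17 NameServer override (the adapter's resolvers rewritten to 12.109.94.5 and 12.109.94.4) and the O20 Winlogon Notify package cbXNETjJ.dll, registered by bare name and reported "(file missing)". The check below is an added example written for this page; it is not part of the original thread and not code from HijackThis or ComboFix. It parses HijackThis-style log lines and flags O17 resolvers outside an allow-list and O20 entries that are missing or registered without a directory. The allow-list (192.168.1.1) and the five-line sample log are constructed assumptions standing in for the resolvers this machine should actually be using and for the poster's real log.

```python
"""Audit HijackThis-style log lines for the two persistence points seen in
this thread: an O17 NameServer override and an O20 Winlogon Notify DLL.

Added example, not part of the original thread. EXPECTED_RESOLVERS is a
constructed assumption for the resolvers the machine is supposed to use
(normally the DHCP-assigned ISP resolvers); anything else is flagged.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, List, NamedTuple

# Constructed sample: entries in the shape of the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXNETjJ - cbXNETjJ.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed allow-list: the resolver(s) this machine is expected to use.
EXPECTED_RESOLVERS = [ip_network("192.168.1.1/32")]


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O17"
    line: str      # the offending log line
    detail: str    # why it was flagged


O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+?)\s*$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+?)\s*$")


def unexpected_nameservers(servers: str, expected: Iterable) -> List[str]:
    """Return the resolvers in a NameServer value that fall outside the
    expected networks. Windows separates multiple resolvers with spaces or
    commas, so split on both. Tokens that are not addresses are flagged too."""
    flagged = []
    for token in re.split(r"[,\s]+", servers.strip()):
        if not token:
            continue
        try:
            addr = ip_address(token)
        except ValueError:
            flagged.append(token)
            continue
        if not any(addr in net for net in expected):
            flagged.append(token)
    return flagged


def winlogon_notify_problem(target: str) -> str:
    """A Winlogon Notify package should resolve to an existing DLL with a full
    path; HijackThis appends '(file missing)' when it cannot locate the file.
    Return a reason string, or '' if the entry looks normal."""
    missing = target.endswith("(file missing)")
    path = target.replace("(file missing)", "").strip()
    bare = "\\" not in path
    if missing and bare:
        return "DLL missing and registered by bare name"
    if missing:
        return "DLL missing"
    if bare:
        return "registered by bare name (no directory)"
    return ""


def audit(log_text: str, expected: Iterable) -> List[Finding]:
    """Walk the log once and collect O17/O20 findings in file order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            bad = unexpected_nameservers(m.group("servers"), expected)
            if bad:
                findings.append(Finding("O17", line, "unexpected resolver(s): " + ", ".join(bad)))
            continue
        m = O20_RE.match(line)
        if m:
            reason = winlogon_notify_problem(m.group("target"))
            if reason:
                findings.append(Finding("O20", line, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{f.section}: {f.detail}\n    {f.line}")
```

    The O17 line is HijackThis's view of the registry value HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{adapter GUID}\NameServer, so the same allow-list comparison can be run straight against that value. As the thread shows, clearing the value is only a symptom fix: it returned after each HijackThis "fix" because whatever was writing it was still active, so the resolver check is a detection, and the persistence (here the Winlogon Notify entry and the randomly named files ComboFix removed) is what has to go.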
  7. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download the attached file CFScript.txt to your Desktop


    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall



    Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!



    How is everything running??
     

    Attached Files:

  8. Zedrik

    Zedrik Thread Starter

    Joined:
    May 9, 2008
    Messages:
    14
    Everything seems to be running fine. Due to problems with the phone company I've not been able to spend a lot of time online, but there doesn't appear to be much of a problem anymore except the nameserver entry appearing in the logs.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:46:15, on 5/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\WINDOWS\system32\brss01a.exe
    I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\WINDOWS\system32\pctspk.exe
    I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\Windows Live\Messenger\usnsvc.exe
    I:\WINDOWS\system32\notepad.exe
    I:\WINDOWS\explorer.exe
    I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - I:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - I:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - I:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - I:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0866823-99AE-4F4E-A7E0-B12953A7B6C1}: NameServer = 12.109.94.5 12.109.94.4
    O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - I:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Indexing Service (CiSvc) - Unknown owner - I:\WINDOWS\system32\cisvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - I:\Program File\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - I:\WINDOWS\System32\ups.exe (file missing)

    --
    End of file - 5213 bytes


    ComboFix 08-05-12.1 - Jason 2008-05-15 1:42:40.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.974 [GMT -4:00]
    Running from: I:\Documents and Settings\Jason\Desktop\ComboFix.exe
    Command switches used :: I:\Documents and Settings\Jason\Desktop\cfscript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    I:\WINDOWS\system32\fwnolcam.exe
    I:\WINDOWS\system32\iqremexx.exe
    I:\WINDOWS\system32\jdmoxxlv.ini
    I:\WINDOWS\system32\kpajptit.exe
    I:\WINDOWS\system32\krcopkus.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    I:\WINDOWS\system32\fwnolcam.exe
    I:\WINDOWS\system32\iqremexx.exe
    I:\WINDOWS\system32\jdmoxxlv.ini
    I:\WINDOWS\system32\kpajptit.exe
    I:\WINDOWS\system32\krcopkus.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
    .

    2008-05-14 15:14 . 2008-05-14 15:14 <DIR> d-------- I:\WINDOWS\system32\xircom
    2008-05-14 15:14 . 2008-05-14 15:14 <DIR> d-------- I:\WINDOWS\srchasst
    2008-05-14 15:14 . 2008-05-14 15:14 <DIR> d-------- I:\Program Files\microsoft frontpage
    2008-05-10 17:19 . 2008-05-10 17:19 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-05-10 16:49 . 2008-03-25 02:37 69,632 --a------ I:\WINDOWS\system32\javacpl.cpl
    2008-05-10 16:48 . 2008-05-10 16:48 <DIR> d-------- I:\Program Files\Common Files\Java
    2008-05-10 15:45 . 2008-05-10 15:45 <DIR> d-------- I:\Program Files\Malwarebytes' Anti-Malware
    2008-05-10 15:45 . 2008-05-10 15:45 <DIR> d-------- I:\Documents and Settings\Jason\Application Data\Malwarebytes
    2008-05-10 15:45 . 2008-05-10 15:45 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-10 15:45 . 2008-05-05 20:46 27,048 --a------ I:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-10 15:45 . 2008-05-05 20:46 15,864 --a------ I:\WINDOWS\system32\drivers\mbam.sys
    2008-05-10 15:12 . 2008-05-10 15:12 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-05-10 15:11 . 2008-05-10 15:11 <DIR> d-------- I:\Program Files\SUPERAntiSpyware
    2008-05-10 15:11 . 2008-05-10 15:11 <DIR> d-------- I:\Program Files\Common Files\Wise Installation Wizard
    2008-05-10 15:11 . 2008-05-10 15:11 <DIR> d-------- I:\Documents and Settings\Jason\Application Data\SUPERAntiSpyware.com
    2008-05-10 13:51 . 2008-05-10 13:51 <DIR> d-------- I:\Deckard
    2008-05-09 15:11 . 2008-05-09 15:11 <DIR> d-------- I:\Program Files\Yahoo!
    2008-05-09 15:11 . 2008-05-09 15:12 <DIR> d-------- I:\Program Files\CCleaner
    2008-05-09 03:54 . 2008-05-09 03:54 <DIR> d-------- I:\Documents and Settings\Troubleshooter\Application Data\Talkback
    2008-05-09 03:53 . 2008-05-09 03:53 <DIR> d-------- I:\Documents and Settings\Troubleshooter\Contacts
    2008-05-09 03:46 . 2008-05-10 14:34 <DIR> d-------- I:\Documents and Settings\Troubleshooter
    2008-05-09 03:46 . 2004-08-03 19:56 221,184 --a------ I:\WINDOWS\system32\wmpns.dll
    2008-05-09 03:46 . 2008-05-15 01:34 1,024 --ah----- I:\Documents and Settings\Troubleshooter\ntuser.dat.LOG
    2008-05-09 02:57 . 2008-05-09 03:01 <DIR> d-------- I:\fixwareout
    2008-05-07 15:57 . 2008-05-10 14:30 109,827 --a------ I:\WINDOWS\BM6f502855.xml
    2008-05-06 15:01 . 2008-05-06 15:01 <DIR> d-------- I:\WINDOWS\Downloaded Installations
    2008-04-22 00:10 . 2008-04-22 00:10 <DIR> d-------- I:\WINDOWS\UFO Extraterrestrials
    2008-04-22 00:10 . 2008-04-22 00:10 <DIR> d-------- I:\Program Files\Tri Synergy
    2008-04-17 04:35 . 2007-04-20 06:30 <DIR> d-------- I:\Program Files\LView Pro 21

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-14 19:10 --------- d-----w I:\Program Files\GetRight
    2008-05-13 18:23 --------- d-----w I:\Program Files\City of Heroes
    2008-05-10 20:49 --------- d-----w I:\Program Files\Java
    2008-05-10 17:52 --------- d-----w I:\Program Files\Trend Micro
    2008-05-08 00:30 98,304 ----a-w I:\WINDOWS\DUMP4074.tmp
    2008-05-06 04:57 --------- d-----w I:\Documents and Settings\Jason\Application Data\LimeWire
    2008-05-03 01:38 98,304 ----a-w I:\WINDOWS\DUMP3b34.tmp
    2008-04-13 04:16 98,304 ----a-w I:\WINDOWS\DUMP3af5.tmp
    2008-04-10 23:44 --------- d-----w I:\Documents and Settings\Jason\Application Data\Apple Computer
    2008-04-04 05:48 --------- d-----w I:\Program Files\QuickTime
    2008-04-04 05:48 --------- d-----w I:\Program Files\Apple Software Update
    2008-04-04 05:48 --------- d-----w I:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-04-04 05:48 --------- d-----w I:\Documents and Settings\All Users\Application Data\Apple
    2008-03-19 19:04 --------- d-----w I:\Program Files\3ML Editor
    2008-03-19 00:23 --------- d-----w I:\Program Files\Common Files\INCA Shared
    2008-03-17 22:15 107,888 ----a-w I:\WINDOWS\system32\CmdLineExt.dll
    2008-03-17 22:06 --------- d-----w I:\Program Files\EA GAMES
    2008-02-26 09:17 98,304 ----a-w I:\WINDOWS\DUMP491e.tmp
    2008-02-17 09:23 82,774 ----a-w I:\WINDOWS\Uninstall Jade Empire.exe
    2008-02-05 23:00 16,384 --sha-w I:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    2008-02-05 23:00 32,768 --sha-w I:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    2008-02-05 23:00 32,768 --sha-w I:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008020520080206\index.dat
    2008-02-05 23:00 32,768 --sha-w I:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .

    ------- Sigcheck -------

    2007-06-27 14:42 360704 a11391be25035570ae4b8970920f2c74 I:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot@2008-05-14_15.17.13.48 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-14 19:14:37 2,048 --s-a-w I:\WINDOWS\bootstat.dat
    + 2008-05-15 05:34:15 2,048 --s-a-w I:\WINDOWS\bootstat.dat
    - 2008-05-14 18:59:47 1,536 ----a-w I:\WINDOWS\system32\TrueSoft.dat
    + 2008-05-15 05:34:35 1,536 ----a-w I:\WINDOWS\system32\TrueSoft.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:56 15360]
    "MsnMsgr"="I:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
    "SUPERAntiSpyware"="I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCTVOICE"="pctspk.exe" [2002-07-09 22:49 167936 I:\WINDOWS\system32\pctspk.exe]
    "NeroFilterCheck"="I:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 06:50 155648]
    "Adobe Reader Speed Launcher"="I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "NvCplDaemon"="I:\WINDOWS\system32\NvCpl.dll" [2007-10-29 16:57 8466432]
    "nwiz"="nwiz.exe" [2007-10-29 16:57 1626112 I:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="I:\WINDOWS\system32\NvMcTray.dll" [2007-10-29 16:57 81920]
    "QuickTime Task"="I:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
    "SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2007-06-24 03:41 124928 I:\WINDOWS\system32\advpack.dll]
    "ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoDesktopCleanupWizard"= 1 (0x1)
    "HideRunAsVerb"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= I:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 15:57 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= I:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    I:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 I:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "I:\\Program Files\\NeverwinterNights\\NWN\\nwmain.exe"=
    "I:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "I:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "I:\\Program Files\\LimeWire\\LimeWire.exe"=
    "I:\\Program Files\\DNA\\btdna.exe"=

    R2 npkcmsvc;npkcmsvc;I:\Program File\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);I:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 03:39]

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-15 01:44:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-05-15 1:45:47
    ComboFix-quarantined-files.txt 2008-05-15 05:45:45
    ComboFix2.txt 2008-05-14 19:17:34

    Pre-Run: 108,092,030,976 bytes free
    Post-Run: 108,083,822,592 bytes free

    160
     
  9. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    How is everything running??
     
  10. Zedrik

    Zedrik Thread Starter

    Joined:
    May 9, 2008
    Messages:
    14
    Everything seems to be running fine. There doesn't appear to be much of a problem anymore except the nameserver entry appearing in the logs. Search engines work fine, I've not been noticing any redirections or anything. No weird popups.
     
  11. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Well the nameserver is needed because it's related to AT&T in New Jersey. If that's not you, then please let me know.


    Go to Start ---> Run ---> Type ComboFix /u and press Enter.


    Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

    To SET A NEW RESTORE POINT:
    1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
    2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    3. Then go to Start > Run and type: Cleanmgr
    4. Click "OK".
    5. Click the "More Options" Tab.
    6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    Graphics for doing this are in the following links if you need them.
    How to Create a Restore Point.
    How to use Cleanmgr.

    ======================================

    Here is some useful information on keeping your computer clean:
    1. The most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
    2. Here are two great Preventive programs:
      • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
      • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
    3. Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
      • Red for Warning
      • Yellow for Use Caution
      • Green for Safe
      • Grey for Unknown

      Here are the links to install SiteAdvisor in Internet Explorer and Firefox
    4. Anti-Spyware Programs I Recommend:
      • Free Anti-Spyware Programs
    5. For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place
     
  12. Zedrik

    Zedrik Thread Starter

    Joined:
    May 9, 2008
    Messages:
    14
    I don't know what I would be doing with AT&T in New Jersey.
    I live in Indiana.
     
  13. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    My bad on the state; that was the headquarters for AT&T. But that entry needs to stay because that's your Internet provider. I needed to look further down the report to see Indiana.
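The check the helper did by hand in the last few posts (deciding whether a NameServer entry points at the ISP's own resolvers or at something foreign) as an added example that is not part of this thread, of HijackThis or of ComboFix: a Python script that parses O17 NameServer lines from a HijackThis log and flags every resolver outside an allowlist the machine's owner fills in from the ISP's published DNS servers. The log lines, the interface GUIDs and the 192.0.2.0/24 "ISP" range are constructed placeholders (RFC 5737 documentation addresses), not the addresses discussed in the thread.

```python
"""Flag DNS resolvers in HijackThis O17 lines that are not on an expected list.

Added example, not code from the thread or from HijackThis. The sample log,
the interface GUIDs and the allowlisted range are constructed placeholders.
"""
import ipaddress
import re

# Constructed sample log lines in the O17 format HijackThis uses for per-interface
# DNS settings (CCS = CurrentControlSet, CS1 = ControlSet001). Addresses are
# RFC 5737 documentation addresses, not the thread's.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F3A5C1E-0000-4000-8000-000000000001}: NameServer = 192.0.2.53,192.0.2.54
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F3A5C1E-0000-4000-8000-000000000001}: NameServer = 192.0.2.53,192.0.2.54
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F3A5C1E-0000-4000-8000-000000000002}: NameServer = 198.51.100.7 203.0.113.9
O4 - HKLM\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
"""

# Constructed allowlist: the resolver ranges the owner's ISP publishes. In the
# thread the helper looked the addresses up by hand; here they are written down
# once so the comparison can be repeated after every scan.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.0.2.0/24"),  # placeholder "ISP" resolver range
]

# One O17 line: the registry key, then the resolver list (comma or space separated).
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [resolver, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), servers))
    return entries


def classify_resolver(ip_text, expected=EXPECTED_RESOLVERS):
    """Classify one resolver as 'expected', 'unexpected' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"  # malformed value: worth a look, never silently accepted
    return "expected" if any(ip in net for net in expected) else "unexpected"


def find_unexpected(log_text, expected=EXPECTED_RESOLVERS):
    """Map every resolver not on the allowlist to the registry keys that set it."""
    flagged = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            if classify_resolver(server, expected) != "expected":
                flagged.setdefault(server, []).append(key)
    return flagged


def report(log_text, expected=EXPECTED_RESOLVERS):
    """Human-readable summary, one line per flagged resolver."""
    flagged = find_unexpected(log_text, expected)
    if not flagged:
        return ["All O17 NameServer entries are on the expected resolver list."]
    lines = []
    for server, keys in sorted(flagged.items()):
        lines.append(f"{classify_resolver(server, expected)}: {server} set under {len(keys)} key(s)")
        lines.extend(f"    {key}" for key in keys)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A resolver flagged here is a lead, not a verdict: an incomplete allowlist will flag a perfectly legitimate ISP resolver, which is exactly the situation in this thread, so confirm ownership of the address before removing anything. An entry that does belong elsewhere and keeps coming back after it is removed means something on the machine is rewriting it, which is why the helper moved on to further scans rather than fixing the entry again.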
     
  14. Zedrik

    Zedrik Thread Starter

    Joined:
    May 9, 2008
    Messages:
    14
    Okay then. Cool, thanks.
     
Short URL to this thread: https://techguy.org/710850