Trojan-downloader.conhook

BullGuard Antivirus Forum > Virus Removal > Removal Tools > Trojan-downloader.conhook

nv0816
New Member
Date Joined Feb 2008
Total Posts : 2
Posted 2-20-2008 4:45 (GMT +1)
I was checking out a few forums and actually found a topic on this site where a guy was having the exact problem that I am right now. I got the programs that were suggested to him to aid in getting rid of the trojan; I just need some help figuring out which items I need to fix in HijackThis and then delete from my computer. Here is the log from HijackThis; hopefully someone can help me out. Thanks very much for your time and help in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:28 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Nick\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [44aae4e3] rundll32.exe "C:\WINDOWS\system32\mdlvsvuw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5738 bytes
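Two lines in this log are the ones a reviewer would pull out first: the O4 Run value "[44aae4e3]" that starts rundll32 on a randomly named DLL in system32 (mdlvsvuw.dll, which ComboFix later lists under "Other Deletions"), and the O20 Winlogon Notify package whose DLL is reported missing. As an added example, not part of the thread and not code from the HijackThis project, the Python script below parses a constructed excerpt modelled on the posted log and flags those two traits; the heuristics (eight-hex-digit value name, rundll32 loading an eight-letter DLL straight from system32, a listed Winlogon Notify package) are constructed for this illustration, not a HijackThis feature.

```python
import re

# Constructed sample modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [44aae4e3] rundll32.exe "C:\WINDOWS\system32\mdlvsvuw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O20 - Winlogon Notify: mljhecc - mljhecc.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# O4: autostart values under Run/RunOnce. Captures the hive, value name and command line.
O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20: Winlogon Notify packages, with HijackThis's "(file missing)" marker when the DLL is gone.
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?')

# Heuristics constructed for this example: an 8-hex-digit value name and a rundll32
# load of an 8-letter DLL straight from system32 are the traits of the [44aae4e3]
# entry above, whose DLL (mdlvsvuw.dll) ComboFix later deleted.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')
RUNDLL_SYS32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?C:\\WINDOWS\\system32\\[a-z]{8}\.dll"?', re.IGNORECASE)


def triage(log_text):
    """Return [(line, [reasons])] for every HijackThis line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            if HEX_NAME_RE.match(m.group('name')):
                reasons.append('Run value name is eight random hex digits')
            if RUNDLL_SYS32_RE.search(m.group('cmd')):
                reasons.append('rundll32 loads an eight-letter DLL from system32')
        else:
            m = O20_RE.match(line)
            if m:
                # The O20 section is meant to list only non-default Winlogon Notify
                # packages; a missing DLL means the load point is orphaned.
                reasons.append('non-default Winlogon Notify package'
                               + (' whose DLL is missing' if m.group('missing') else ''))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print('   ->', reason)
```

Run against the constructed excerpt, only the [44aae4e3] Run value and the mljhecc Winlogon Notify line are reported; the nLite RunOnce entry also calls rundll32, but on advpack.dll by name rather than a random DLL in system32, so it passes.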

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13642
Posted 2-20-2008 5:34 (GMT +1)
Hello :)

Please download Combofix and save it to the desktop.

Important -> Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Close all other browser windows.

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /killall

When finished, it will produce a logfile located at C:\ComboFix.txt.

Post the contents of that log in your next reply with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Do NOT post your problem in someone else's thread.


nv0816
New Member
Date Joined Feb 2008
Total Posts : 2
Posted 2-21-2008 4:06 (GMT +1)
ComboFix 08-02-21 - Nick 2008-02-20 21:55:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1224 [GMT -8:00]
Running from: C:\Documents and Settings\Nick\desktop\combofix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program Files\Spyware Doctor\klg.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini2
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\itnedmyo.ini
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\kgqdgfkm.ini
C:\WINDOWS\system32\mdlvsvuw.dll
C:\WINDOWS\system32\nllkevqn.dll
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\rtutv.ini2
C:\WINDOWS\system32\vtuusqn.dll
C:\WINDOWS\system32\wuvsvldm.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-19 21:50 . 2008-02-19 21:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-19 21:50 . 2008-02-19 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-19 21:41 . 2008-02-19 21:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-19 21:41 . 2008-02-19 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 21:40 . 2008-02-19 21:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 09:53 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-15 09:53 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 09:53 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-15 09:53 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-13 04:34 . 2007-12-19 14:57 347,136 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-02-13 04:34 . 2007-12-18 01:51 179,584 --a------ C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-02-13 04:34 . 2008-01-10 21:57 44,544 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-02-13 02:35 . 2008-02-13 02:35 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Nero
2008-02-13 02:32 . 2008-02-13 02:32 <DIR> d-------- C:\Program Files\Nero
2008-02-13 02:32 . 2008-02-13 02:33 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-02-13 02:32 . 2008-02-13 02:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-02-13 00:58 . 2008-02-13 00:58 <DIR> d-------- C:\Program Files\uTorrent
2008-02-13 00:58 . 2008-02-13 02:21 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\uTorrent
2008-02-12 06:58 . 2008-02-12 06:58 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-12 06:57 . 2008-02-12 06:57 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-12 06:55 . 2008-02-13 05:32 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-12 06:55 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-12 06:52 . 2007-10-25 19:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-02-12 06:52 . 2007-10-29 14:35 1,287,680 --a------ C:\WINDOWS\system32\dllcache\quartz.dll
2008-02-12 06:52 . 2007-11-07 01:50 727,040 --a------ C:\WINDOWS\system32\dllcache\lsasrv.dll
2008-02-12 06:52 . 2007-08-20 22:25 683,520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-02-12 06:52 . 2007-07-09 05:16 582,656 --a------ C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-12 06:49 . 2008-02-19 22:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-12 03:15 . 2008-02-12 03:15 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-02-12 03:15 . 2008-02-12 03:15 <DIR> d-------- C:\WINDOWS\srchasst
2008-02-12 03:15 . 2008-02-12 03:15 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-02-12 03:13 . 2008-02-12 03:13 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-02-12 03:12 . 2008-02-12 03:12 <DIR> d-------- C:\Program Files\Xfire
2008-02-12 03:12 . 2008-02-12 03:13 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Xfire
2008-02-12 03:11 . 2008-02-12 03:11 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Apple Computer
2008-02-12 03:11 . 2008-02-20 21:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 03:11 . 2008-02-12 03:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-12 03:10 . 2008-02-12 03:10 <DIR> d-------- C:\Program Files\QuickTime
2008-02-12 03:10 . 2008-02-12 03:10 <DIR> d-------- C:\Program Files\iTunes
2008-02-12 03:10 . 2008-02-12 03:10 <DIR> d-------- C:\Program Files\iPod
2008-02-12 03:10 . 2008-02-12 03:10 <DIR> d-------- C:\Program Files\Bonjour
2008-02-12 03:09 . 2008-02-12 03:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-12 03:09 . 2008-02-12 03:09 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-12 03:09 . 2008-02-12 03:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-12 03:09 . 2008-02-12 03:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-12 02:56 . 2008-02-12 02:56 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-12 02:54 . 2008-02-12 03:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-12 02:49 . 2008-02-13 05:32 <DIR> d-------- C:\Program Files\Trillian
2008-02-12 02:47 . 2008-02-12 02:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-12 02:38 . 2008-02-20 21:55 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-12 02:38 . 2008-02-12 02:38 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\PC Tools
2008-02-12 02:38 . 2008-02-12 03:19 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-12 02:38 . 2008-02-12 03:19 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-12 02:38 . 2008-02-12 03:19 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-12 02:38 . 2008-02-12 03:19 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2008-02-12 02:38 . 2008-02-12 03:19 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-12 02:37 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-02-12 02:37 . 2005-07-06 17:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-12 02:37 . 2005-07-06 17:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-12 01:35 . 2008-02-12 01:35 <DIR> d-------- C:\OEMSettings
2008-02-12 01:21 . 2002-04-12 10:06 73,728 --a------ C:\WINDOWS\system32\AW32n50.dll
2008-02-12 01:21 . 2002-04-11 17:43 16,194 --a------ C:\WINDOWS\system32\AWINDIS5.SYS
2008-02-12 01:20 . 2008-02-12 01:31 <DIR> d-------- C:\Program Files\MA311 PCI Adapter Configuration Utility
2008-02-12 01:20 . 2002-05-01 16:56 54,784 --a------ C:\WINDOWS\system32\drivers\ma311n51.sys
2008-02-12 01:17 . 2008-02-12 01:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{70FE9869-8D38-4EB3-8541-A735C2285CF7}
2008-02-12 01:17 . 2008-02-12 01:17 62,865 --a------ C:\WINDOWS\system32\drivers\odysseyIM3.sys
2008-02-12 01:10 . 2008-02-12 01:10 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-12 01:10 . 2008-02-12 01:21 <DIR> d-------- C:\Program Files\NETGEAR
2008-02-12 01:10 . 2005-10-06 15:17 280,576 --a------ C:\WINDOWS\system32\drivers\WG311v3XP.sys
2008-02-10 16:59 . 2004-08-03 23:01 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2008-02-10 16:59 . 2004-08-04 01:01 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-30 18:03 . 2008-01-30 18:03 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 09:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-12 09:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-11 01:44 --------- d-----w C:\Program Files\PowerISO
2008-02-11 01:43 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-11 01:43 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-02-11 01:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-14 03:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-07 02:01 825,344 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 17:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-04 02:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-05-24 22:58 249,856 ----a-w C:\WINDOWS\inf\WG311v3\InsDrv2k.exe
2006-12-04 19:38 212,992 ----a-w C:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2005-10-06 23:17 280,576 ----a-w C:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2004-06-18 07:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 21:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 21:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1bcdd9c0-8747-4f72-874c-d6edcf492ccd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CF6340F-0FCE-447F-AF4D-B736E606B878}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-21 17:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-06-03 20:51 131072]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-11-06 00:27 200704]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-12-06 18:01 124928 C:\WINDOWS\system32\advpack.dll]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [2007-09-17 16:01:44 1507328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhecc]
mljhecc.dll

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2008-02-12 01:17]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 17:43]

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 11:09:49 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 21:57:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-20 21:58:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-21 05:58:10
.
2008-02-13 13:33:41 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Nick\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: mljhecc - mljhecc.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 5581 bytes

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13642
Posted 2-21-2008 9:23 (GMT +1)
Open Notepad and copy/paste the text in the quote box below into it:
Quote:
-----------------------------------------------------

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1bcdd9c0-8747-4f72-874c-d6edcf492ccd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CF6340F-0FCE-447F-AF4D-B736E606B878}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhecc]
----------------------------------------------

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal.

Tell me how things are running now?

Do NOT post your problem in someone else's thread.
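The four keys in that CFScript are exactly the load points the two logs disagree about: ComboFix's "Reg Loading Points" section lists three Browser Helper Object CLSIDs that the follow-up HijackThis log does not attribute to any file (its only O2 entry is Spybot's SDHelper.dll), plus the mljhecc Winlogon Notify key whose DLL HijackThis reports as "(file missing)". As an added example, not the moderator's or ComboFix's own code, the Python below reproduces that cross-check over constructed excerpts of the two logs and renders the result in the Registry:: block syntax shown above, where a leading "-" on a key (the .reg-file convention) marks it for deletion. The selection rule (ComboFix load points that HijackThis cannot tie to a present file) is an assumption made for this illustration.

```python
import re

# Constructed excerpt of the ComboFix "Reg Loading Points" section posted above.
COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1bcdd9c0-8747-4f72-874c-d6edcf492ccd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CF6340F-0FCE-447F-AF4D-B736E606B878}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhecc]
mljhecc.dll
"""

# Constructed excerpt of the follow-up HijackThis log: the only BHO it attributes
# to a file is Spybot's, and the mljhecc Winlogon Notify DLL is gone.
HJT_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - Winlogon Notify: mljhecc - mljhecc.dll (file missing)
"""

BHO_KEY_RE = re.compile(r'^\[(HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{([0-9A-Fa-f-]{36})\})\]$')
NOTIFY_KEY_RE = re.compile(r'^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion'
                           r'\\winlogon\\notify\\([^\\\]]+))\]$')
O2_CLSID_RE = re.compile(r'^O2 - BHO: .* - \{([0-9A-Fa-f-]{36})\} - ')
O20_MISSING_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - \S+ \(file missing\)$')


def _captures(pattern, text):
    """Set of lower-cased group-1 captures for every line the pattern matches."""
    return {m.group(1).lower() for m in map(pattern.match, text.splitlines()) if m}


def orphan_keys(combofix_text, hjt_text):
    """Load-point keys ComboFix lists that HijackThis cannot tie to a present file."""
    hjt_bhos = _captures(O2_CLSID_RE, hjt_text)          # CLSIDs HJT maps to a BHO DLL
    missing_notify = _captures(O20_MISSING_RE, hjt_text)  # Notify packages whose DLL is gone
    keys = []
    for line in combofix_text.splitlines():
        m = BHO_KEY_RE.match(line)
        if m and m.group(2).lower() not in hjt_bhos:
            keys.append(m.group(1))
            continue
        m = NOTIFY_KEY_RE.match(line)
        if m and m.group(2).lower() in missing_notify:
            keys.append(m.group(1))
    return keys


def build_cfscript(keys):
    """Render the keys as a CFScript Registry:: block; '[-key]' is .reg syntax for delete."""
    return 'Registry::\n\n' + ''.join(f'[-{k}]\n' for k in keys)


if __name__ == '__main__':
    print(build_cfscript(orphan_keys(COMBOFIX_REG, HJT_LOG)), end='')
```

The generated block lists the same four keys, in the same order, as the script the moderator posted; CLSIDs are compared case-insensitively because ComboFix preserves whatever casing the registry holds while HijackThis prints its own.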
