system security virus - hijackthis file


Post by sparktan on 15th July 2009, 11:15 pm

This is my HijackThis file.
Please help me.
Thank you.

I ran Malwarebytes' Anti-Malware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:46 PM, on 7/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\StickyNotes\StickyNotes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Park\Desktop\winlogon.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\winamp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Sticky Notes.lnk = C:\Program Files\StickyNotes\StickyNotes.exe
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2A2B6809-46C9-4126-BAFC-B352585BD56E} (Kiwidisk File Share Control 5) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10584 bytes


Re: system security virus - hijackthis file

Post by Belahzur on 16th July 2009, 12:00 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: system security virus - hijackthis file

Post by sparktan on 16th July 2009, 1:18 am

I ran Malwarebytes' in safe mode several times.
In regular mode, Malwarebytes freezes.

I am using another laptop right now.
I connected my infected desktop to the internet, and it came back again.


Malwarebytes' Anti-Malware 1.39
Database version: 2436
Windows 5.1.2600 Service Pack 2

7/15/2009 8:15:12 PM
mbam-log-2009-07-15 (20-15-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 211889
Time elapsed: 31 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15359064 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\15359064\15359064.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Park\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Re: system security virus - hijackthis file

Post by sparktan on 16th July 2009, 4:43 am

This is the log after I did a quick scan.



Windows 5.1.2600 Service Pack 2

7/15/2009 11:40:01 PM
mbam-log-2009-07-15 (23-40-01).txt

Scan type: Quick Scan
Objects scanned: 93515
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


Re: system security virus - hijackthis file

Post by Origin on 16th July 2009, 5:28 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.



Re: system security virus - hijackthis file

Post by sparktan on 16th July 2009, 6:13 pm

I removed the Windows TEMP folder before running ComboFix.
Under the Windows TEMP folder, there were some random .exe files and a System Security wallpaper, created and modified at the same time.

ComboFix 09-07-14.08 - Park 6/2009 Thu 12:50.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.2046.1547 [GMT -5:00]
Running from: c:\documents and settings\Park\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 3
SED: can't read System.dump: No such file or directory
SED: can't read System.dump: No such file or directory
The syntax of the command is incorrect.

PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: ProgramsFile
PEV Error: ProgramsFolder
PEV Error: StartUpFile
PEV Error: UserFile
PEV Error: UserFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\Brazil2_Evaluation_English_20090204.msi
c:\windows\system32\drivers\str.sys

.
((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-16 06:33 . 2009-07-16 06:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-16 03:23 . 2009-07-16 03:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-16 03:23 . 2009-07-16 03:23 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-16 03:23 . 2009-07-16 03:23 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-16 03:23 . 2009-07-16 03:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-16 03:23 . 2009-07-16 03:23 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-16 03:23 . 2009-07-16 05:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-07-16 03:23 . 2009-07-16 17:46 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-07-16 03:23 . 2009-07-16 03:23 -------- d-----w- c:\program files\AVG
2009-07-15 20:27 . 2009-07-15 20:27 -------- d-----w- c:\documents and settings\Park\Application Data\Malwarebytes
2009-07-15 20:27 . 2009-07-15 20:27 -------- d-----w- c:\docume~1\Park\APPLIC~1\Malwarebytes
2009-07-15 20:27 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 20:27 . 2009-07-15 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 20:27 . 2009-07-15 20:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 20:27 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 06:13 . 2009-07-01 06:13 -------- d-----w- c:\program files\Common Files\Control Panels
2009-07-01 06:11 . 2009-07-01 06:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ALM
2009-07-01 05:30 . 2009-07-01 05:30 -------- d-----w- c:\program files\Bonjour
2009-07-01 05:26 . 2009-07-01 05:26 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-22 07:50 . 2009-06-22 07:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Trymedia
2009-06-22 07:50 . 2009-06-22 09:01 -------- d-----w- c:\program files\Catan
2009-06-22 07:50 . 2009-06-22 07:50 -------- d-----w- c:\program files\BFG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 17:13 . 2008-11-27 07:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-10 05:50 . 2008-11-27 07:54 -------- d-----w- c:\program files\Google
2009-07-02 07:00 . 2008-11-15 17:26 122776 ----a-w- c:\documents and settings\Park\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 07:00 . 2008-11-15 17:26 122776 ----a-w- c:\docume~1\Park\LOCALS~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2009-07-01 06:16 . 2008-11-15 21:37 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-27 21:45 . 2008-11-16 00:07 -------- d-----w- c:\program files\Kiwidisk
2009-06-24 20:57 . 2008-11-15 23:23 -------- d-----w- c:\documents and settings\Park\Application Data\uTorrent
2009-06-24 20:57 . 2008-11-15 23:23 -------- d-----w- c:\docume~1\Park\APPLIC~1\uTorrent
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-04 06:57 . 2009-06-04 06:34 -------- d-----w- c:\documents and settings\Park\Application Data\Vso
2009-06-04 06:57 . 2009-06-04 06:34 -------- d-----w- c:\docume~1\Park\APPLIC~1\Vso
2009-06-04 06:33 . 2009-06-04 06:33 -------- d-----w- c:\program files\VSO
2009-06-03 19:27 . 2004-08-04 10:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 06:06 . 2009-02-07 07:31 383 ----a-w- c:\windows\system32\ZF_UP.dat
2009-06-03 06:06 . 2009-02-07 07:31 383 ----a-w- c:\windows\system32\ZF_DN.dat
2009-05-30 05:44 . 2009-05-30 05:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\CyberLink
2009-05-30 04:33 . 2009-05-30 04:33 -------- d-----w- c:\documents and settings\Park\Application Data\CyberLink
2009-05-30 04:33 . 2009-05-30 04:33 -------- d-----w- c:\docume~1\Park\APPLIC~1\CyberLink
2009-05-30 04:22 . 2009-05-30 04:22 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Dell
2009-05-30 04:21 . 2009-05-30 04:21 -------- d-----w- c:\program files\CyberLink
2009-05-30 04:21 . 2008-11-15 17:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-26 05:14 . 2009-05-19 06:46 -------- d-----w- c:\program files\Hewlett-Packard
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-03-04 03:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 21:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-15 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-13 13578240]
"D-Link Wireless G WDA-1320"="c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2007-08-29 1662976]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-18 413696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-16 1948440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Park\Start Menu\Programs\Startup\
Sticky Notes.lnk - c:\program files\StickyNotes\StickyNotes.exe [2009-2-14 466944]

c:\docume~1\Park\STARTM~1\Programs\Startup\
Sticky Notes.lnk - c:\program files\StickyNotes\StickyNotes.exe [2009-2-14 466944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-16 03:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/15/2009 10:23 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/15/2009 10:23 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/15/2009 10:23 PM 298776]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 12:04 AM 65536]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [9/10/2008 3:30 AM 3653632]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [11/15/2008 12:19 PM 57376]
S2 bghsm;bghsm;\??\c:\windows\system32\drivers\kgpkptacoqiovla.sys --> c:\windows\system32\drivers\kgpkptacoqiovla.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [11/15/2008 11:26 AM 547744]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe [11/15/2008 12:19 PM 352338]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/15/2009 3:27 PM 38160]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {2A2B6809-46C9-4126-BAFC-B352585BD56E} - [You must be registered and logged in to see this link.]
DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-16 13:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3848)
geyekrnqjlxvbq.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-07-16 13:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 18:07

Pre-Run: 179,780,796,416 bytes free
Post-Run: 180,169,080,832 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
196 --- E O F --- 2009-07-16 17:03

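As an added example (not code from HijackThis, Malwarebytes or ComboFix, nor from anyone in this thread), a small Python triage script that applies the three checks a reviewer of these logs would make: autostart entries launched from a TEMP directory (the two SYSTEM-hive O4 lines in the HijackThis log), core Windows binary names running outside the Windows directory (the winlogon.exe on the Desktop), and the globalroot-namespace module that MBAM and ComboFix both report. The sample lines are copied from the posted logs; the binary and directory lists are this example's own assumptions.

```python
"""Triage helper for HijackThis, MBAM and ComboFix log lines.

Added example for this thread, not code from HijackThis, Malwarebytes or ComboFix.
It flags three patterns visible in the logs posted above:
  * executables launched from a TEMP directory (the two SYSTEM-hive Run entries),
  * core Windows binary names running outside the Windows directory
    (winlogon.exe on the user's Desktop),
  * modules referenced through the globalroot device namespace (the TDSS dll).
The binary list, directory list and path patterns are this example's own assumptions.
"""
import re
from typing import Dict, List

# Drive-letter paths ending in an executable-type extension; the character class
# stops at ',' and '"' so rundll32 entry points and quoted commands parse cleanly.
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]*?\.(?:exe|dll|sys|scr|cpl|bat|cmd)\b', re.IGNORECASE)
# Paths written through the NT object-manager namespace (\\?\globalroot\...).
GLOBALROOT_RE = re.compile(r'\\\\\?\\globalroot\\[^\s,"]+', re.IGNORECASE)

# Binary names that, on a Windows XP host like the one in the thread, are only
# expected under %SystemRoot% or %SystemRoot%\system32 (assumed list).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Sample input: lines copied from the HijackThis and MBAM logs posted in this thread.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\Documents and Settings\Park\Desktop\winlogon.exe",
    r'O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKUS\S-1-5-18\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\winamp.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\b.exe (User 'SYSTEM')",
    r"\\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll",
]


def extract_paths(line: str) -> List[str]:
    """Return every executable path mentioned on one log line (may be empty)."""
    return GLOBALROOT_RE.findall(line) + PATH_RE.findall(line)


def assess_path(path: str) -> List[str]:
    """Return human-readable findings for one path; an empty list means nothing odd."""
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    findings: List[str] = []
    if low.startswith(r"\\?\globalroot"):
        findings.append("referenced through \\\\?\\globalroot (hidden-module pattern)")
    if "\\temp\\" in low or "\\tmp\\" in low:
        findings.append("runs from a TEMP directory")
    if name in CORE_BINARIES and parent not in SYSTEM_DIRS:
        findings.append(f"{name} is a core Windows binary name but runs from {parent}")
    return findings


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious log line to its findings; clean lines are left out."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        hits: List[str] = []
        for path in extract_paths(line.strip()):
            hits.extend(assess_path(path))
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(line)
        for hit in hits:
            print("   ->", hit)
```

Run against the sample lines it reports four entries and leaves the three legitimate ones (system32 winlogon.exe, the IME entry and the NvCpl rundll32 entry) alone.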

Re: system security virus - hijackthis file

Post by Origin on 16th July 2009, 7:39 pm

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\docume~1\ALLUSE~1\APPLIC~1\Trymedia
c:\documents and settings\Park\Application Data\uTorrent

File::
c:\windows\system32\ZF_UP.dat
c:\windows\system32\ZF_DN.dat

Dirlook::
c:\program files\Catan
c:\program files\BFG

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Driver::
bghsm


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive.


Re: system security virus - hijackthis file

Post by sparktan on 16th July 2009, 9:27 pm

Every time I reboot, Malwarebytes' Anti-Malware picks up two files.
Trojan.TDSS \\?\globalroot\systemroot\system21\geyekrnqilxvbq.dll
One category being memory module, and the other being file.

When running Malwarebytes in regular Windows mode, it stops when it's detecting random and unknown folders such as 'kingofporns' or such.

This is the combofix log:


ComboFix 09-07-14.08 - Park 6/2009 Thu 16:06.2.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.2046.1571 [GMT -5:00]
Running from: c:\documents and settings\Park\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Park\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 3
SED: can't read System.dump: No such file or directory
SED: can't read System.dump: No such file or directory
The syntax of the command is incorrect.

PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: ProgramsFile
PEV Error: ProgramsFolder
PEV Error: StartUpFile
PEV Error: UserFile
PEV Error: UserFolder

((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-16 06:33 . 2009-07-16 06:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-16 03:23 . 2009-07-16 03:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-16 03:23 . 2009-07-16 03:23 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-16 03:23 . 2009-07-16 03:23 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-16 03:23 . 2009-07-16 03:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-16 03:23 . 2009-07-16 03:23 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-16 03:23 . 2009-07-16 05:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-07-16 03:23 . 2009-07-16 17:46 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-07-16 03:23 . 2009-07-16 03:23 -------- d-----w- c:\program files\AVG
2009-07-15 20:27 . 2009-07-15 20:27 -------- d-----w- c:\documents and settings\Park\Application Data\Malwarebytes
2009-07-15 20:27 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 20:27 . 2009-07-15 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 20:27 . 2009-07-15 20:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 20:27 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 06:13 . 2009-07-01 06:13 -------- d-----w- c:\program files\Common Files\Control Panels
2009-07-01 06:11 . 2009-07-01 06:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ALM
2009-07-01 05:30 . 2009-07-01 05:30 -------- d-----w- c:\program files\Bonjour
2009-07-01 05:26 . 2009-07-01 05:26 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-22 07:50 . 2009-06-22 07:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Trymedia
2009-06-22 07:50 . 2009-06-22 09:01 -------- d-----w- c:\program files\Catan
2009-06-22 07:50 . 2009-06-22 07:50 -------- d-----w- c:\program files\BFG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 18:14 . 2008-11-27 07:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-10 05:50 . 2008-11-27 07:54 -------- d-----w- c:\program files\Google
2009-07-02 07:00 . 2008-11-15 17:26 122776 ----a-w- c:\documents and settings\Park\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 06:16 . 2008-11-15 21:37 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-27 21:45 . 2008-11-16 00:07 -------- d-----w- c:\program files\Kiwidisk
2009-06-24 20:57 . 2008-11-15 23:23 -------- d-----w- c:\documents and settings\Park\Application Data\uTorrent
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-04 06:57 . 2009-06-04 06:34 -------- d-----w- c:\documents and settings\Park\Application Data\Vso
2009-06-04 06:33 . 2009-06-04 06:33 -------- d-----w- c:\program files\VSO
2009-06-03 19:27 . 2004-08-04 10:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 06:06 . 2009-02-07 07:31 383 ----a-w- c:\windows\system32\ZF_UP.dat
2009-06-03 06:06 . 2009-02-07 07:31 383 ----a-w- c:\windows\system32\ZF_DN.dat
2009-05-30 05:44 . 2009-05-30 05:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\CyberLink
2009-05-30 04:33 . 2009-05-30 04:33 -------- d-----w- c:\documents and settings\Park\Application Data\CyberLink
2009-05-30 04:22 . 2009-05-30 04:22 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Dell
2009-05-30 04:21 . 2009-05-30 04:21 -------- d-----w- c:\program files\CyberLink
2009-05-30 04:21 . 2008-11-15 17:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-26 05:14 . 2009-05-19 06:46 -------- d-----w- c:\program files\Hewlett-Packard
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-03-04 03:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-15 00:15 . 2009-07-16 17:43 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-15 00:15 . 2009-07-16 21:01 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-15 00:15 . 2009-07-16 17:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-15 00:15 . 2009-07-16 21:01 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-15 00:15 . 2009-07-16 21:01 196608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-15 00:15 . 2009-07-16 17:43 196608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 21:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-15 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-13 13578240]
"D-Link Wireless G WDA-1320"="c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2007-08-29 1662976]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-18 413696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-16 1948440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Park\Start Menu\Programs\Startup\
Sticky Notes.lnk - c:\program files\StickyNotes\StickyNotes.exe [2009-2-14 466944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-16 03:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/15/2009 10:23 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/15/2009 10:23 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/15/2009 10:23 PM 298776]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 12:04 AM 65536]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [9/10/2008 3:30 AM 3653632]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [11/15/2008 12:19 PM 57376]
S2 bghsm;bghsm;\??\c:\windows\system32\drivers\kgpkptacoqiovla.sys --> c:\windows\system32\drivers\kgpkptacoqiovla.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [11/15/2008 11:26 AM 547744]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe [11/15/2008 12:19 PM 352338]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {2A2B6809-46C9-4126-BAFC-B352585BD56E} - [You must be registered and logged in to see this link.]
DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-16 16:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3336)
geyekrnqjlxvbq.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-16 16:17
ComboFix-quarantined-files.txt 2009-07-16 21:17
ComboFix2.txt 2009-07-16 18:07

Pre-Run: 180,163,387,392 bytes free
Post-Run: 180,166,111,232 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
181 --- E O F --- 2009-07-16 17:03


Re: system security virus - hijackthis file

Post by Origin on 16th July 2009, 9:30 pm

I see, please do the following:

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.




Re: system security virus - hijackthis file

Post by sparktan on 16th July 2009, 9:41 pm

(1/2)

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-16 16:35:55
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

INT 0x63 ? 8A637BF8
INT 0x73 ? 8A5E7BF8
INT 0x73 ? 8A5E7BF8
INT 0x73 ? 8A5E7BF8
INT 0x83 ? 8A5E7BF8
INT 0x94 ? 8A5E7BF8
INT 0xA4 ? 8A5E7BF8
INT 0xB4 ? 8A5E7BF8

Code 89A4A8E8 ZwEnumerateKey
Code 898221B0 ZwFlushInstructionCache
Code 89A4A4C6 ZwSaveKey
Code 89A4A6D6 ZwSaveKeyEx
Code 89A4A0AE IofCallDriver
Code 89786836 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A0 5 Bytes JMP 89A4A0B3
.text ntkrnlpa.exe!IofCompleteRequest 804EF230 5 Bytes JMP 8978683B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5642 5 Bytes JMP 898221B4
PAGE ntkrnlpa.exe!ZwSaveKey 80620A4A 5 Bytes JMP 89A4A4CA
PAGE ntkrnlpa.exe!ZwSaveKeyEx 80620ADA 5 Bytes JMP 89A4A6DA
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DE0 5 Bytes JMP 89A4A8EC
? spbk.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8A3E62C 5 Bytes JMP 8A5E71D8
? C:\DOCUME~1\Park\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[224] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0076000A
.text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[444] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\nvsvc32.exe[584] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003E000A
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 007A000A
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[816] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003E000A
.text ...

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5E61F8
Device \FileSystem\Fastfat \FatCdrom 899B1500

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 89ACF1F8
Device \Driver\usbuhci \Device\USBPDO-1 89ACF1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5E81F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5E81F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5E81F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5E81F8
Device \Driver\usbuhci \Device\USBPDO-2 89ACF1F8
Device \Driver\PCI_PNP4598 \Device\00000046 spbk.sys
Device \Driver\usbehci \Device\USBPDO-3 89AAD1F8
Device \Driver\usbuhci \Device\USBPDO-4 89ACF1F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 89ACF1F8
Device \Driver\usbuhci \Device\USBPDO-6 89ACF1F8
Device \Driver\usbehci \Device\USBPDO-7 89AAD1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6381F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6381F8
Device \Driver\USBSTOR \Device\00000075 898EA1F8
Device \Driver\USBSTOR \Device\00000076 898EA1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89B452F0
Device \Driver\NetBT \Device\NetbiosSmb 89B452F0
Device \Driver\NetBT \Device\NetBT_Tcpip_{E40D64D2-C00C-498A-B701-2B09D287F40A} 89B452F0
Device \Driver\sptd \Device\2094787098 spbk.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 89ACF1F8
Device \Driver\usbuhci \Device\USBFDO-1 89ACF1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 899ED1F8
Device \Driver\usbuhci \Device\USBFDO-2 89ACF1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 899ED1F8
Device \Driver\usbehci \Device\USBFDO-3 89AAD1F8
Device \Driver\usbuhci \Device\USBFDO-4 89ACF1F8
Device \Driver\Ftdisk \Device\FtControl 8A6381F8
Device \Driver\usbuhci \Device\USBFDO-5 89ACF1F8
Device \Driver\usbuhci \Device\USBFDO-6 89ACF1F8
Device \Driver\usbehci \Device\USBFDO-7 89AAD1F8
Device \Driver\a1g6927y \Device\Scsi\a1g6927y1Port1Path0Target0Lun0 89A513A8
Device \Driver\a1g6927y \Device\Scsi\a1g6927y1 89A513A8
Device \FileSystem\Fastfat \Fat 899B1500

AttachedDevice \FileSystem\Fastfat \Fat


Re: system security virus - hijackthis file

Post by sparktan on 16th July 2009, 9:41 pm

(2/2)

Device \FileSystem\Cdfs \Cdfs 893D11F8
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgrsx.exe [224] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgnsx.exe [228] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [316] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [444] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [584] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [636] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [816] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [916] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [964] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [976] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1252] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1300] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1344] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1452] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1568] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1760] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1840] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [1900] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [1940] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1956] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe [2368] 0x00EA0000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe [2380] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2392] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\Core\smax4pnp.exe [2412] 0x00C70000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2452] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2480] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgtray.exe [2504] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2548] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\DAEMON Tools Lite\daemon.exe [2564] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2572] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [2580] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\StickyNotes\StickyNotes.exe [2740] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Documents and Settings\Park\Desktop\vm1s048e.exe [3164] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3336] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\conime.exe [3496] 0x10000000

---- EOF - GMER 1.0.15 ----

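As an added example (not part of this thread and not a tool from GMER or ComboFix), a small Python triage script that reads log lines in the formats quoted above and flags the three indicators a helper would look for here: a library GMER marks as hidden and loaded through the globalroot device path, inline JMP hooks on kernel exports, and a service whose driver image is missing on disk (the `[?]` marker in ComboFix). The sample lines, function names and the `Finding` type are constructed for this example.

```python
"""Triage helper for GMER / ComboFix text logs (added example).

Flags: hidden libraries loaded via the globalroot device path, inline
JMP hooks on kernel exports, GMER 'Code' redirections, and services
whose driver file is missing on disk (ComboFix prints '[?]').
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the GMER / ComboFix formats quoted in the thread.
SAMPLE_LOG = r"""
Code 89A4A8E8 ZwEnumerateKey
.text ntkrnlpa.exe!IofCallDriver 804EF1A0 5 Bytes JMP 89A4A0B3
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DE0 5 Bytes JMP 89A4A8EC
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [636] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnqjlxvbq.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1956] 0x10000000
Library C:\WINDOWS\system32\kernel32.dll @ C:\WINDOWS\system32\svchost.exe [636] 0x7C800000
S2 bghsm;bghsm;\??\c:\windows\system32\drivers\kgpkptacoqiovla.sys --> c:\windows\system32\drivers\kgpkptacoqiovla.sys [?]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/15/2009 10:23 PM 327688]
"""

# GMER "Library <path> (*** hidden *** ) @ <process> [pid] 0xBASE"
HIDDEN_LIB = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$"
)
# GMER kernel code section: ".text|PAGE module!Export ADDR N Bytes JMP TARGET"
KERNEL_HOOK = re.compile(
    r"^(?:\.text|PAGE)\s+(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]+)$"
)
# GMER "Code ADDR Export" (export redirected into a non-image address)
CODE_PATCH = re.compile(r"^Code\s+(?P<addr>[0-9A-F]+)\s+(?P<export>\S+)$")
# ComboFix service line: "R2 name;display;image [date size]" or "[?]" if missing
SERVICE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<info>[^\]]*)\]$"
)
DEVICE_PREFIX = r"\\?\globalroot"  # device-path prefix used to hide the DLL


@dataclass
class Finding:
    kind: str
    detail: str
    pid: Optional[int] = None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return every indicator line as a Finding."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIDDEN_LIB.match(line)
        if m:
            via = " via device path" if m["path"].lower().startswith(DEVICE_PREFIX) else ""
            findings.append(Finding("hidden_library",
                                    f"{m['path']}{via} in {m['proc']} (pid {m['pid']})",
                                    int(m["pid"])))
            continue
        m = KERNEL_HOOK.match(line)
        if m:
            findings.append(Finding("kernel_hook",
                                    f"{m['module']}!{m['export']} at {m['addr']} jumps to {m['target']}"))
            continue
        m = CODE_PATCH.match(line)
        if m:
            findings.append(Finding("code_patch", f"{m['export']} redirected to {m['addr']}"))
            continue
        m = SERVICE.match(line)
        if m and m["info"].strip() == "?":  # ComboFix could not stat the driver image
            findings.append(Finding("missing_driver",
                                    f"service {m['name']} ({m['start']}) points at {m['image']}"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Counts per indicator kind plus the set of processes carrying the hidden DLL."""
    counts = Counter(f.kind for f in findings)
    pids = sorted({f.pid for f in findings if f.kind == "hidden_library"})
    return {"counts": dict(counts), "hidden_library_pids": pids}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.detail}")
    print(summarize(found))
```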

Re: system security virus - hijackthis file

Post by Origin on 17th July 2009, 5:13 pm

Hello, ComboFix did not run properly, did you disable your Anti virus as stated? We will have to do the scan in safe mode it seems:

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then do the following instructions:

Once in safe mode with networking, run ComboFix with the instructions I gave you above.



