
Virus help

post #1 of 36
Thread Starter 
I saw 2 files in my temp called DAT622F.TMP and DAT622F.TMP.EXE
662.exe was connecting to 41.102.185.193 < some Algerian IP

whois reports

inetnum: 41.102.0.0 - 41.102.255.255
netname: RegOran
descr: region Oran
country: DZ
admin-c: SD6-AFRINIC
tech-c: SD6-AFRINIC
status: ASSIGNED PA
mnt-by: DJAWEB-MNT
source: AFRINIC # Filtered
parent: 41.96.0.0 - 41.111.255.255

person: Security Departement
address: Alger
phone: +21321922004
fax-no: +21321922004
e-mail:
nic-hdl: SD6-AFRINIC
source: AFRINIC # Filtered

Currently running a full Malwarebytes scan
Will redo in safe mode without internet later on

btw the .tmp was 0 bytes
and I removed the .exe with File Assassin < might be a bad idea

also file properties reported hygou corporation or something
also my Opera has been acting funny since it auto-updated, like Turbo randomly activating and weird keypresses
I've also had "hygou something something has stopped working"

Got a suspected rootkit
few DLL files in sys32
MBAM deleted
Spybot came up clean
MSE also came up clean

ComboFix 11-04-23.02 - Mansoor 2011/04/24 23:41:03.5.6 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.27.1033.18.3070.1992 [GMT 2:00]
Running from: c:\\users\\Mansoor\\Desktop\\av\\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\\windows\\system32\\midas.dll
D:\\Autorun.inf
E:\\Autorun.inf
F:\\Autorun.inf
H:\\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-24 21:46 . 2011-04-24 21:46 -------- d-----w- c:\\users\\Default\\AppData\\Local\\Temp
2011-04-24 21:46 . 2011-04-24 21:46 -------- d-----w- c:\\users\\Meep\\AppData\\Local\\Temp
2011-04-24 10:51 . 2011-04-24 10:51 -------- d-----w- c:\\users\\Mansoor\\AppData\\Roaming\\Agics
2011-04-24 10:47 . 2011-04-24 10:47 -------- d-----w- c:\\program files\\Agics
2011-04-23 22:31 . 2011-04-24 09:14 -------- d-----w- c:\\programdata\\Spybot - Search & Destroy
2011-04-23 22:31 . 2011-04-23 22:31 -------- d-----w- c:\\program files\\Spybot - Search & Destroy
2011-04-23 08:21 . 2011-04-11 07:04 7071056 ----a-w- c:\\programdata\\Microsoft\\Microsoft Antimalware\\Definition Updates\\{99876738-0B46-406C-9634-FF4A3C4B4CFF}\\mpengine.dll
2011-04-21 15:16 . 2011-04-21 15:51 -------- d-----w- c:\\programdata\\PopCap Games
2011-04-20 20:07 . 2011-04-20 20:07 -------- d-----w- c:\\users\\Mansoor\\AppData\\Local\\Activision
2011-04-16 20:15 . 2011-04-16 20:15 -------- d-----w- c:\\windows\\B9DB4C7601A446D58910F7AA6376DBAF.TMP
2011-04-16 20:15 . 2011-04-17 13:48 -------- d-----w- c:\\programdata\\NVIDIA
2011-04-16 20:14 . 2011-04-16 20:14 -------- d-----w- c:\\programdata\\NVIDIA Corporation
2011-04-16 20:13 . 2011-01-08 03:27 5653096 ----a-w- c:\\windows\\system32\\nvwgf2um.dll
2011-04-16 20:13 . 2011-01-08 03:27 941160 ----a-w- c:\\windows\\system32\\nvdispco322090.dll
2011-04-16 20:13 . 2011-01-08 03:27 837736 ----a-w- c:\\windows\\system32\\nvgenco322040.dll
2011-04-16 14:53 . 2011-04-16 14:53 413696 ----a-w- c:\\windows\\system32\\wrap_oal.dll
2011-04-16 14:53 . 2011-04-16 14:53 110592 ----a-w- c:\\windows\\system32\\OpenAL32.dll
2011-04-16 14:53 . 2009-04-02 09:33 2873820 ------w- c:\\windows\\system32\\Sens_oal.dll
2011-04-06 17:27 . 2011-04-06 17:27 -------- d-----w- c:\\users\\Mansoor\\AppData\\Roaming\\Design-Lib.Com
2011-04-06 17:27 . 2011-04-06 17:27 -------- d-----w- c:\\program files\\Design-Lib Creations
2011-04-05 08:58 . 2011-02-21 19:09 439632 ------w- c:\\programdata\\Microsoft\\Microsoft Antimalware\\Definition Updates\\{A7B36F7F-9DBD-406F-97C4-B9800862346A}\\gapaengine.dll
2011-04-01 19:25 . 2011-04-01 19:25 -------- d-----w- c:\\users\\Mansoor\\AppData\\Roaming\\Malwarebytes
2011-04-01 19:25 . 2011-04-01 19:25 -------- d-----w- c:\\programdata\\Malwarebytes
2011-04-01 19:25 . 2010-12-20 16:09 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-04-01 19:25 . 2011-04-01 19:25 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2011-04-01 19:25 . 2010-12-20 16:08 20952 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2011-03-29 13:12 . 2010-06-02 02:55 74072 ----a-w- c:\\windows\\system32\\XAPOFX1_5.dll
2011-03-29 13:12 . 2010-06-02 02:55 527192 ----a-w- c:\\windows\\system32\\XAudio2_7.dll
2011-03-29 13:12 . 2010-06-02 02:55 239960 ----a-w- c:\\windows\\system32\\xactengine3_7.dll
2011-03-29 13:12 . 2010-05-26 09:41 2106216 ----a-w- c:\\windows\\system32\\D3DCompiler_43.dll
2011-03-29 13:12 . 2010-05-26 09:41 1868128 ----a-w- c:\\windows\\system32\\d3dcsx_43.dll
2011-03-29 13:12 . 2010-05-26 09:41 470880 ----a-w- c:\\windows\\system32\\d3dx10_43.dll
2011-03-29 13:12 . 2010-05-26 09:41 248672 ----a-w- c:\\windows\\system32\\d3dx11_43.dll
2011-03-29 13:12 . 2010-05-26 09:41 1998168 ----a-w- c:\\windows\\system32\\D3DX9_43.dll
2011-03-29 13:08 . 2011-03-29 13:11 -------- d-----w- c:\\program files\\Common Files\\BioWare
2011-03-27 20:24 . 2011-03-27 20:24 -------- d-----w- c:\\program files\\�ãŠCƒAƒŠƒXŒÂ¶žÃ™’c
2011-03-27 15:29 . 2011-03-27 15:30 -------- d-----w- c:\\program files\\Common Files\\Alias Shared
2011-03-27 15:25 . 2011-03-27 15:25 -------- d-----w- c:\\program files\\Common Files\\Macrovision Shared
2011-03-27 15:24 . 2011-03-27 15:24 -------- d-----w- c:\\program files\\Common Files\\ja-JP
2011-03-27 15:24 . 2011-03-27 15:24 -------- d-----w- c:\\program files\\Common Files\\en-US
2011-03-27 15:24 . 2011-03-27 15:29 -------- d-----w- c:\\program files\\Common Files\\Autodesk Shared
2011-03-27 15:11 . 2011-03-31 14:32 -------- d-----w- c:\\users\\Mansoor\\AppData\\Local\\backburner
2011-03-27 11:20 . 2011-03-27 11:23 -------- d-----w- c:\\program files\\PDF to Word
2011-03-26 22:04 . 2011-03-26 22:04 -------- d-----w- c:\\program files\\ƒRƒXƒvƒŒ‹i’ƒ–º�X
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2011-02-21 19:09 7071056 ----a-w- c:\\programdata\\Microsoft\\Microsoft Antimalware\\Definition Updates\\Backup\\mpengine.dll
2011-03-23 15:11 . 2011-03-22 20:56 112 ----a-w- C:\\open.bat
2011-03-23 15:00 . 2011-03-23 15:00 29 ----a-w- C:\\anti_shutdown.bat
2011-03-22 16:11 . 2011-03-22 14:40 107888 ----a-w- c:\\windows\\system32\\CmdLineExt.dll
2011-03-22 15:03 . 2009-08-18 09:30 564632 ----a-w- c:\\programdata\\Microsoft\\IdentityCRL\\production\\wlidui.dll
2011-03-22 15:03 . 2009-08-18 09:24 18328 ----a-w- c:\\programdata\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll
2011-02-21 19:09 . 2011-03-25 12:56 439632 ------w- c:\\programdata\\Microsoft\\Microsoft Antimalware\\Definition Updates\\NISBackup\\gapaengine.dll
2011-02-19 05:33 . 2011-03-17 16:30 802304 ----a-w- c:\\windows\\system32\\FntCache.dll
2011-02-19 05:32 . 2011-03-17 16:30 1074176 ----a-w- c:\\windows\\system32\\DWrite.dll
2011-02-19 05:32 . 2011-03-17 16:30 739840 ----a-w- c:\\windows\\system32\\d2d1.dll
2011-02-15 17:48 . 2003-03-18 18:14 499712 ----a-w- c:\\windows\\system32\\msvcp71.dll
2011-02-05 07:50 . 2011-02-05 07:50 218688 ----a-w- c:\\windows\\system32\\drivers\\dtsoftbus01.sys
2011-02-03 13:23 . 2011-02-03 13:23 431672 ----a-w- c:\\windows\\system32\\drivers\\sptd.sys
2011-02-03 05:45 . 2011-03-17 16:29 219008 ----a-w- c:\\windows\\system32\\drivers\\dxgmms1.sys
2009-11-19 19:08 . 2009-11-19 19:08 3749224 ----a-w- c:\\program files\\Common Files\\adlmint_libFNP.dll
2009-11-19 19:08 . 2009-11-19 19:08 2941288 ----a-w- c:\\program files\\Common Files\\adlmint.dll
2006-05-03 09:06 163328 --sh--r- c:\\windows\\System32\\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\\windows\\System32\\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\\windows\\System32\\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Sidebar"="c:\\program files\\Windows Sidebar\\sidebar.exe" [2009-07-14 1173504]
"PowerMenu"="c:\\program files\\PowerMenu\\PowerMenu.exe" [2002-12-19 57344]
"DAEMON Tools Lite"="c:\\program files\\DAEMON Tools Lite\\DTLite.exe" [2011-01-20 1305408]
"SpybotSD TeaTimer"="c:\\program files\\Spybot - Search & Destroy\\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"EvtMgr6"="c:\\program files\\Logitech\\SetPointP\\SetPoint.exe" [2010-01-27 1312848]
"P17RunE"="P17RunE.dll" [2008-03-28 14848]
"RTSS"="c:\\program files\\MSI Afterburner\\Bundle\\OSDServer\\RTSSWrapper.exe" [2010-05-28 24576]
"NUSB3MON"="c:\\program files\\NEC Electronics\\USB 3.0 Host Controller Driver\\Application\\nusb3mon.exe" [2010-03-30 113296]
"vmware-tray"="f:\\program files\\VMware\\VMware Workstation\\vmware-tray.exe" [2010-05-20 129584]
"MSC"="c:\\program files\\Microsoft Security Client\\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\\program files\\Common Files\\LogiShrd\\Bluetooth\\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\drivers32]
"aux6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Security Packages  REG_MULTI_SZ  kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\MsMpSvc]
@="Service"
.
[HKLM\\~\\startupfolder\\C:^Users^Mansoor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerMenu.lnk]
path=c:\\users\\Mansoor\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\PowerMenu.lnk
backup=c:\\windows\\pss\\PowerMenu.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\BCSSync]
2010-01-21 15:22 91520 ----a-w- c:\\program files\\Microsoft Office\\Office14\\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Creative Detector]
2004-12-02 16:23 102400 ------w- c:\\program files\\Creative\\MediaSource\\Detector\\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\DAEMON Tools Lite]
2011-01-20 09:20 1305408 ----a-w- c:\\program files\\DAEMON Tools Lite\\DTLite.exe
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\EVGAPrecision]
2009-10-05 18:53 44048 ----a-w- c:\\program files\\EVGA Precision\\EVGAPrecisionWrapper.exe
.
R1 MpKsl06598839;MpKsl06598839;c:\\programdata\\Microsoft\\Microsoft Antimalware\\Definition Updates\\{16E74BCA-3F1B-4436-9312-8B9DADB3833E}\\MpKsl06598839.sys [x]
R1 MpKsl2c4a4b50;MpKsl2c4a4b50;c:\\programdata\\Microsoft\\Microsoft Antimalware\\Definition Updates\\{99876738-0B46-406C-9634-FF4A3C4B4CFF}\\MpKsl2c4a4b50.sys [2011-04-24 28752]
R1 MpKsl58800ad8;MpKsl58800ad8;c:\\programdata\\Microsoft\\Microsoft Antimalware\\Definition Updates\\{6FD9176C-E81A-4184-B0FC-5303D17A9F47}\\MpKsl58800ad8.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\\windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe [2010-03-18 130384]
R2 DCService.exe;DCService.exe;c:\\programdata\\DatacardService\\DCService.exe [2010-05-08 229376]
R3 amdkmdag;amdkmdag;c:\\windows\\system32\\DRIVERS\\atikmdag.sys [2010-10-27 6573568]
R3 amdkmdap;amdkmdap;c:\\windows\\system32\\DRIVERS\\atikmpag.sys [2010-10-27 229888]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\\program files\\Common Files\\Creative Labs Shared\\Service\\AL6Licensing.exe [2010-12-29 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\\program files\\Common Files\\Creative Labs Shared\\Service\\CTAELicensing.exe [2010-12-29 79360]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\\windows\\system32\\DRIVERS\\ew_hwusbdev.sys [2010-03-20 101504]
R3 GPU-Z;GPU-Z;c:\\users\\Mansoor\\AppData\\Local\\Temp\\GPU-Z.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\\program files\\Microsoft Office\\Office14\\GROOVE.EXE [2010-01-21 30963576]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\\windows\\system32\\DRIVERS\\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\\windows\\system32\\DRIVERS\\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\\program files\\Microsoft Security Client\\Antimalware\\NisSrv.exe [2010-11-11 206360]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\\windows\\system32\\drivers\\nvhda32v.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\\program files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE [2010-01-09 4640000]
R3 rspAux;rspAux;c:\\windows\\system32\\DRIVERS\\rspAux32.sys [2010-11-21 19000]
R3 rt61x86;RT61 Extensible Wireless Driver;c:\\windows\\system32\\DRIVERS\\netr61.sys [2010-04-07 376160]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\\windows\\system32\\Wat\\WatAdminSvc.exe [2011-02-05 1343400]
R4 wavxjmvk;wavxjmvk;c:\\users\\Mansoor\\AppData\\Local\\Temp\\DAT622F.tmp.exe [x]
S0 sptd;sptd;c:\\windows\\\\SystemRoot\\System32\\Drivers\\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\\windows\\system32\\DRIVERS\\dtsoftbus01.sys [2011-02-05 218688]
S1 vwififlt;Virtual WiFi Filter Driver;c:\\windows\\system32\\DRIVERS\\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\\windows\\system32\\atiesrxx.exe [2010-10-27 176128]
S2 AODService;AODService;c:\\program files\\AMD\\OverDrive\\AODAssist.exe [2010-04-23 136616]
S2 cpuz133;cpuz133;c:\\windows\\system32\\drivers\\cpuz133_x32.sys [2010-05-11 20072]
S2 cpuz135;cpuz135;c:\\windows\\system32\\drivers\\cpuz135_x32.sys [2010-11-09 21992]
S2 vmci;VMware vmci;c:\\windows\\system32\\Drivers\\vmci.sys [2010-05-20 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\\program files\\Common Files\\VMware\\USB\\vmware-usbarbitrator.exe [2010-05-20 539184]
S3 ALSysIO;ALSysIO;c:\\users\\Mansoor\\AppData\\Local\\Temp\\ALSysIO.sys [x]
S3 AODDriver2;AODDriver2;c:\\program files\\AMD\\OverDrive\\i386\\AODDriver2.sys [2010-04-23 36864]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\\windows\\system32\\DRIVERS\\ewusbnet.sys [2010-04-30 206336]
S3 huawei_enumerator;huawei_enumerator;c:\\windows\\system32\\DRIVERS\\ew_jubusenum.sys [2010-05-22 70656]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\\windows\\system32\\DRIVERS\\nusb3hub.sys [2010-02-24 60544]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\\windows\\system32\\DRIVERS\\nusb3xhc.sys [2010-02-24 141568]
S3 RTCore32;RTCore32;c:\\program files\\MSI Afterburner\\RTCore32.sys [2010-08-31 12088]
S3 RTL8167;Realtek 8167 NT Driver;c:\\windows\\system32\\DRIVERS\\Rt86win7.sys [2010-03-22 278560]
.
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\\program files\\Free Download Manager\\dlall.htm
IE: Download selected with Free Download Manager - file://c:\\program files\\Free Download Manager\\dlselected.htm
IE: Download video with Free Download Manager - file://c:\\program files\\Free Download Manager\\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\\program files\\Free Download Manager\\dllink.htm
IE: E&xport to Microsoft Excel - c:\\progra~1\\Microsoft Office\\Office14\\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\\progra~1\\Microsoft Office\\Office14\\ONBttnIE.dll/105
LSP: f:\\program files\\VMware\\VMware Workstation\\vsocklib.dll
TCP: {D353E6EA-3933-4850-A1C1-053065E9F025} = 41.157.83.51 41.157.83.50
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Sniper Ghost Warrior_is1 - h:\\program files\\City Interactive\\Sniper Ghost Warrior\\unins000.exe
AddRemove-{A48B9CD8-C2BA-4EC9-0081-7260D238C7CF} - h:\\program files\\EA GAMES\\Need for Speed Most Wanted\\EAUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\\S-1-5-21-3156644388-3680840346-473109720-1000\\Software\\SecuROM\\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,0b,5d,ae,04,88,30,95,72,c4,fb,2d,58,96,6d,12,26,3a,e8,c0,7a,7e,94,
32,64,57,f6,a1,4f,16,d3,a4,c6,28,cf,22,42,62,de,2d,22,81,d6,43,8f,70,49,45,\\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38
.
[HKEY_USERS\\S-1-5-21-3156644388-3680840346-473109720-1000\\Software\\SecuROM\\License information*]
"datasecu"=hex:1f,f6,95,a9,bc,63,97,4b,bf,27,cf,43,f1,80,a1,28,56,51,04,8a,9e,
91,d3,5f,27,fc,65,2f,76,e6,ae,f4,da,31,e9,a8,30,d8,f8,91,5f,07,59,f5,b4,09,\\
"rkeysecu"=hex:17,a2,6a,0a,b1,d9,f8,05,11,01,e5,50,3d,9d,f6,aa
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\\\Windows\\\\system32\\\\Macromed\\\\Flash\\\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\LocalServer32]
@="c:\\\\Windows\\\\system32\\\\Macromed\\\\Flash\\\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0000\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0001\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0002\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0003\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0004\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0005\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0006\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0007\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0008\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0009\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\PCW\\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-24 23:47:38
ComboFix-quarantined-files.txt 2011-04-24 21:47
.
Pre-Run: 10,224,742,400 bytes free
Post-Run: 10,123,841,536 bytes free
.
- - End Of File - - C8905222B6B473828E0E9D5360A0C8C9

I created the Autorun.inf on each drive
Edited by nukefission - 4/24/11 at 2:52pm
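The ComboFix log above already contains the answer the thread is circling: the `R4 wavxjmvk` service points at `Temp\DAT622F.tmp.exe`, UAC is fully off (`EnableLUA`=0, `ConsentPromptBehaviorAdmin`=0, `PromptOnSecureDesktop`=0) and both MSE and Defender report `*Disabled*`. Reading that out of a 300-line log by eye is error-prone, so here is an added example (not code from this thread, from ComboFix, or from any tool named in it) that triages such a log mechanically. `SAMPLE_LOG` is constructed from lines copied out of the log above; the line formats are the ones ComboFix prints, while the user-writable directory list, the UAC key list and the "generated name" heuristic are my own assumptions.

```python
"""Triage a ComboFix-style log for persistence and hardening problems.

Added example; not code from the forum thread, from ComboFix or from any
of the tools it mentions. SAMPLE_LOG is constructed from lines that appear
in the ComboFix output posted in this thread. The line formats matched
below follow that log; USER_WRITABLE_RE, UAC_KEYS and looks_random() are
assumptions of this example.
"""
import re

# ComboFix service/driver line: "<R|S><n> <name>;<display>;<path> [<date size> | x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Run-key value: "Name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]')
# Policy value: "EnableLUA"= 0 (0x0)
POLICY_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?P<value>\d+)\b')
# Security product status: AV: <product> *Disabled/Updated* {GUID}
AV_RE = re.compile(r"^(?:AV|SP|FW):\s+(?P<product>.+?)\s+\*(?P<state>[^*]+)\*")

# Assumption: a service or driver binary under one of these paths is unusual,
# because an unprivileged user can write there.
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\|\\windows\\temp\\", re.I
)
# Assumption: any of these UAC values at 0 means UAC is off or elevates silently.
UAC_KEYS = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}


def looks_random(name: str) -> bool:
    """Weak heuristic for generated service names such as 'wavxjmvk':
    8+ lowercase letters with fewer than one vowel per five letters."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.2


def triage(lines):
    """Return one finding dict per suspicious line: item, path, reasons."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            reasons = []
            if USER_WRITABLE_RE.search(m["path"]):
                reasons.append("binary in user-writable directory")
            if m["meta"] == "x":            # ComboFix prints [x] when the file is gone
                reasons.append("binary missing on disk")
            if looks_random(m["name"]):
                reasons.append("service name looks generated")
            if reasons:
                findings.append({"item": f"service {m['name']}", "path": m["path"],
                                 "reasons": reasons})
        elif m := RUN_RE.match(line):
            if USER_WRITABLE_RE.search(m["path"]):
                findings.append({"item": f"run key {m['name']}", "path": m["path"],
                                 "reasons": ["autostart from user-writable directory"]})
        elif m := POLICY_RE.match(line):
            if m["name"] in UAC_KEYS and int(m["value"]) == 0:
                findings.append({"item": f"policy {m['name']}", "path": "",
                                 "reasons": ["UAC weakened (value 0)"]})
        elif m := AV_RE.match(line):
            if m["state"].startswith("Disabled"):
                findings.append({"item": f"product {m['product']}", "path": "",
                                 "reasons": [f"security product {m['state']}"]})
    return findings


# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 6573568]
R3 GPU-Z;GPU-Z;c:\users\Mansoor\AppData\Local\Temp\GPU-Z.sys [x]
R4 wavxjmvk;wavxjmvk;c:\users\Mansoor\AppData\Local\Temp\DAT622F.tmp.exe [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-02-05 218688]
S3 ALSysIO;ALSysIO;c:\users\Mansoor\AppData\Local\Temp\ALSysIO.sys [x]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['item']:45} {'; '.join(f['reasons'])}")
```

The Temp-directory rule on its own also flags `GPU-Z.sys` and `ALSysIO.sys`, which is where portable hardware-monitoring tools such as GPU-Z (present on this machine) typically load their drivers from, so a single signal is never enough; `wavxjmvk` is the only entry that trips all three checks. Note also that `[x]` in the service line means the binary is already gone (the OP deleted it with File Assassin) while the service registration that would relaunch it is still there, which is exactly the kind of leftover a reinfection rides on.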
post #2 of 36
Go into safe mode and just delete the files
post #3 of 36
Thread Starter 
Quote:
Originally Posted by lukeibob View Post
Go into safe mode and just delete the files
already done
and they haven't come back
If they do then I'll safe-mode delete
but I'm still suspicious

AFRINIC is my main internet backbone btw
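Post #1 attributed the 41.102.185.193 connection to Algeria from the AFRINIC `inetnum` line, and the ComboFix output lists the machine's DNS servers as 41.157.83.51 and 41.157.83.50, which share nothing with that block but the first octet. The check that actually matters is containment: does the remote address fall inside the whois range, and which process holds the socket. As an added example (not from the thread, and not any tool's own code), the script below turns the AFRINIC record quoted in post #1 into CIDR blocks and matches `netstat -ano` rows against them. The netstat rows are constructed to look like Windows `netstat -ano` output; their local addresses and PIDs are made up.

```python
"""Check which live connections fall inside a whois-reported netblock.

Added example, not from the thread. WHOIS_TEXT is the AFRINIC record quoted
in post #1; NETSTAT_SAMPLE is constructed to resemble `netstat -ano` output
on Windows and is not from the page (local addresses and PIDs are made up).
41.157.83.51 is the DNS server ComboFix listed under "TCP:".
"""
import ipaddress
import re

WHOIS_TEXT = """
inetnum: 41.102.0.0 - 41.102.255.255
netname: RegOran
descr: region Oran
country: DZ
status: ASSIGNED PA
mnt-by: DJAWEB-MNT
source: AFRINIC # Filtered
parent: 41.96.0.0 - 41.111.255.255
"""

# Constructed sample in netstat -ano layout (not real output from the OP's machine).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.10:49211     41.102.185.193:443     ESTABLISHED     3412
  TCP    192.168.0.10:49230     41.157.83.51:53        TIME_WAIT       0
  TCP    [::1]:49152            [::1]:49153            ESTABLISHED     1320
  UDP    0.0.0.0:5355           *:*                                    1180
"""

RANGE_RE = re.compile(r"^(inetnum|parent):\s*(\S+)\s*-\s*(\S+)", re.M)


def whois_networks(text):
    """Map each inetnum/parent range in a whois record to a list of CIDR blocks."""
    nets = {}
    for label, lo, hi in RANGE_RE.findall(text):
        nets[label] = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return nets


def parse_netstat(text):
    """Parse netstat -ano rows; keep rows whose foreign side is a literal IP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                       # header, blank or unknown line
        proto, foreign = parts[0], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        host, _, port = foreign.rpartition(":")
        try:
            remote = ipaddress.ip_address(host.strip("[]"))   # "[::1]" -> "::1"
        except ValueError:
            continue                       # "*:*" wildcard or a hostname
        rows.append({"proto": proto, "remote": remote, "port": int(port),
                     "state": state, "pid": int(pid)})
    return rows


def connections_in(networks, rows):
    """Rows whose remote address lies inside any of the given networks."""
    return [r for r in rows if any(r["remote"] in net for net in networks)]


if __name__ == "__main__":
    nets = whois_networks(WHOIS_TEXT)
    rows = parse_netstat(NETSTAT_SAMPLE)
    for label, blocks in nets.items():
        for hit in connections_in(blocks, rows):
            print(f"{label} {[str(b) for b in blocks]}: "
                  f"{hit['remote']}:{hit['port']} pid={hit['pid']}")
```

Run against these inputs, only the 41.102.185.193 row lands inside `41.102.0.0/16` (and inside the parent `41.96.0.0/12`); the 41.157.83.51 resolver is outside both, so a shared first octet tells you nothing about who owns the other end. The PID is the piece the OP's "662.exe was connecting to" observation needs: it is what ties a socket to the process, and it is the value to hand to Process Explorer or `tasklist /fi "PID eq <n>"` before deleting anything.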
post #4 of 36
contact mweb.

www.mweb.co.za

and search a tab for reporting... they are very friendly and helpful and can point you in the right direction.....

and then email the new point of contact with all the details and they will open a police case and get those fookers in prison for a minimum of 2 years.



edit... use this email address....

technic@mweb.com

edit again:

i went through my emails and i also found this email... the guy's name is rob i think.
abuse@mweb.com

he is a great guy and can help you in the right direction.
Edited by levontraut - 4/23/11 at 4:16am
post #5 of 36
Quote:
Originally Posted by nukefission View Post
I saw 2 files in my temp called DAT622F.TMP and DAT622F.TMP.EXE
662.exe was connecting to 41.102.185.193 < some Algerian IP

whois reports

inetnum: 41.102.0.0 - 41.102.255.255
netname: RegOran
descr: region Oran
country: DZ
admin-c: SD6-AFRINIC
tech-c: SD6-AFRINIC
status: ASSIGNED PA
mnt-by: DJAWEB-MNT
source: AFRINIC # Filtered
parent: 41.96.0.0 - 41.111.255.255

person: Security Departement
address: Alger
phone: +21321922004
fax-no: +21321922004
e-mail:
nic-hdl: SD6-AFRINIC
source: AFRINIC # Filtered

Currently running a full Malwarebytes scan
Will redo in safe mode without internet later on

btw the .tmp was 0 bytes
and I removed the .exe with File Assassin < might be a bad idea

also file properties reported hygou corporation or something
also my Opera has been acting funny since it auto-updated, like Turbo randomly activating and weird keypresses
I've also had "hygou something something has stopped working"
are you from South Africa? Those MTN IPs lol
Eh, do not boot into safe mode until you have identified the malware. It might be a file virus and doing so you'll destroy your system. Looks like you've got rootkit activity coz someone is controlling it.

Please download HijackThis and run it. Give me the log file please.
post #6 of 36
Thread Starter 
Quote:
Originally Posted by levontraut View Post
contact mweb.

www.mweb.co.za

and search a tab for reporting... they are very friendly and helpful and can point you in the right direction.....

and then email the new point of contact with all the details and they will open a police case and get those fookers in prison for a minimum of 2 years.



edit... use this email address....

technic@mweb.com

edit again:

i went through my emails and i also found this email... the guy's name is rob i think.
abuse@mweb.com

he is a great guy and can help you in the right direction.
lol I'm using Cell C
What to report?
Malwarebytes came up as negative

Quote:
Originally Posted by Spooony View Post
are you from South Africa? Those MTN IPs lol
Eh, do not boot into safe mode until you have identified the malware. It might be a file virus and doing so you'll destroy your system. Looks like you've got rootkit activity coz someone is controlling it.

Please download HijackThis and run it. Give me the log file please.
HijackThis? OK
Yeah, I'm South African using my Cell C 3G stick

Here is the log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:23:33 PM, on 2011/04/23
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\\Windows\\system32\\taskeng.exe
C:\\Windows\\system32\\Dwm.exe
C:\\Windows\\Explorer.EXE
C:\\Windows\\system32\\taskhost.exe
C:\\Program Files\\MSI Afterburner\\MSIAfterburner.exe
C:\\Program Files\\Core Temp\\Core Temp.exe
C:\\ProgramData\\DatacardService\\DCSHelper.exe
C:\\Program Files\\Cell C\\Cell C.exe
C:\\Program Files\\Logitech\\SetPointP\\SetPoint.exe
C:\\Windows\\System32\\rundll32.exe
C:\\Program Files\\NEC Electronics\\USB 3.0 Host Controller Driver\\Application\\nusb3mon.exe
C:\\Program Files\\MSI Afterburner\\Bundle\\OSDServer\\RTSS.exe
F:\\Program Files\\VMware\\VMware Workstation\\vmware-tray.exe
C:\\Program Files\\Microsoft Security Client\\msseces.exe
C:\\Program Files\\Windows Sidebar\\sidebar.exe
C:\\Program Files\\PowerMenu\\PowerMenu.exe
C:\\Program Files\\Common Files\\LogiShrd\\KHAL3\\KHALMNPR.EXE
C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe
C:\\Program Files\\Opera\\opera.exe
C:\\Program Files\\Pidgin\\pidgin.exe
C:\\Program Files\\Skype\\Phone\\Skype.exe
C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe
C:\\Windows\\system32\\wuauclt.exe
C:\\Windows\\system32\\SearchFilterHost.exe
C:\\Users\\Mansoor\\Desktop\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant =
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch =
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\\PROGRA~1\\Microsoft Office\\Office14\\GROOVEEX.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\\PROGRA~1\\Microsoft Office\\Office14\\URLREDIR.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\\Program Files\\Free Download Manager\\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\\Program Files\\Java\\jre6\\bin\\jp2ssv.dll
O4 - HKLM\\..\\Run: [EvtMgr6] C:\\Program Files\\Logitech\\SetPointP\\SetPoint.exe /launchGaming
O4 - HKLM\\..\\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
O4 - HKLM\\..\\Run: [RTSS] "C:\\Program Files\\MSI Afterburner\\Bundle\\OSDServer\\RTSSWrapper.exe" /s
O4 - HKLM\\..\\Run: [NUSB3MON] "C:\\Program Files\\NEC Electronics\\USB 3.0 Host Controller Driver\\Application\\nusb3mon.exe"
O4 - HKLM\\..\\Run: [vmware-tray] "F:\\Program Files\\VMware\\VMware Workstation\\vmware-tray.exe"
O4 - HKLM\\..\\Run: [MSC] "C:\\Program Files\\Microsoft Security Client\\msseces.exe" -hide -runkey
O4 - HKCU\\..\\Run: [Sidebar] C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun
O4 - HKCU\\..\\Run: [PowerMenu] C:\\Program Files\\PowerMenu\\PowerMenu.exe
O4 - HKCU\\..\\Run: [DAEMON Tools Lite] "C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe" -autorun
O4 - HKUS\\S-1-5-19\\..\\Run: [Sidebar] %ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\\S-1-5-19\\..\\RunOnce: [mctadmin] C:\\Windows\\System32\\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\\S-1-5-20\\..\\Run: [Sidebar] %ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\\S-1-5-20\\..\\RunOnce: [mctadmin] C:\\Windows\\System32\\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\\Program Files\\Free Download Manager\\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\\Program Files\\Free Download Manager\\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\\Program Files\\Free Download Manager\\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\\Program Files\\Free Download Manager\\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\\PROGRA~1\\Microsoft Office\\Office14\\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\\PROGRA~1\\Microsoft Office\\Office14\\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\\Program Files\\Microsoft Office\\Office14\\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\\Program Files\\Microsoft Office\\Office14\\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\\Program Files\\Microsoft Office\\Office14\\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\\Program Files\\Microsoft Office\\Office14\\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\\program files\\common files\\microsoft shared\\windows live\\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\\program files\\common files\\microsoft shared\\windows live\\wlidnsp.dll
O10 - Unknown file in Winsock LSP: f:\\program files\\vmware\\vmware workstation\\vsocklib.dll
O10 - Unknown file in Winsock LSP: f:\\program files\\vmware\\vmware workstation\\vsocklib.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab...i_4.4.21.0.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D353E6EA-3933-4850-A1C1-053065E9F025}: NameServer = 41.157.83.51 41.157.83.50
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\\PROGRA~1\\COMMON~1\\Skype\\Skype4COM.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\\Windows\\System32\\DreamScene.dll
O23 - Service: AMD External Events Utility - AMD - C:\\Windows\\system32\\atiesrxx.exe
O23 - Service: AODService - Unknown owner - C:\\Program Files\\AMD\\OverDrive\\AODAssist.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\\Program Files\\Common Files\\Creative Labs Shared\\Service\\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\\Program Files\\Common Files\\Creative Labs Shared\\Service\\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\\Program Files\\Creative\\Shared Files\\CTAudSvc.exe
O23 - Service: DCService.exe - Unknown owner - C:\\ProgramData\\DatacardService\\DCService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\\Program Files\\Common Files\\Macrovision Shared\\FLEXnet Publisher\\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\\Program Files\\Common Files\\LogiShrd\\Bluetooth\\lbtserv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\Windows\\system32\\nvvsvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - F:\\Program Files\\VMware\\VMware Workstation\\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - F:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\\Windows\\system32\\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\\Program Files\\Common Files\\VMware\\USB\\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\\Windows\\system32\\vmnat.exe
O23 - Service: wavxjmvk - Unknown owner - C:\\Users\\Mansoor\\AppData\\Local\\Temp\\DAT622F. tmp.exe (file missing)

--
End of file - 8768 bytes
ZOMG
rootkit str.dll found and some trojan cryptnet.dll also found :|
and another .tmp file
Currently running a full malwarebytes scan in safemode < 8 threats found (4-5 are known by me and are ok)
which will be followed by a mse full scan
=_= I scared :
What to do
Edited by nukefission - 4/23/11 at 3:11pm
AzuraChan (13 items)
CPU: Phenom II x6 1055T | Motherboard: Asus M4A88TD-V Evo/Usb3 | Graphics: EVGA GTX460 1GB SC + 9800GT Phsyx | RAM: 2x2GB Corsair 1333MHZ
Hard Drive: 6.8TB Total | OS: w7 + ubuntu | Monitor: 19" something | Power: Seasonic S12II 520W
Case: modded antec 902

Haruna (7 items)
CPU: I7 3630QM | Graphics: GTX660M 2GB + HD4000 | RAM: 8GB 1600Mhz | Hard Drive: 1TB
Optical Drive: Blu Ray thing | OS: Win8 64bit | Case: Lenovo Y580
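The HijackThis log above is read by eye in this thread; the PowerShell function below, an added example rather than code from the thread or from HijackThis, does the same triage mechanically. It flags O23 services and O4 autostarts that run from user-writable folders, a service whose binary is already gone (the dropper was deleted with FileASSASSIN, but the wavxjmvk service registration that launched it is still there), O17 name servers outside private ranges so they can be checked against the ISP, and O10 LSP entries HijackThis could not whitelist. The heuristics and the function name Get-HjtFindings are my own; the sample lines are copied from the log posted above and written with single backslashes, as HijackThis emits them.

```powershell
# Added example, not code from the thread. Triage for HijackThis-style lines:
# flags the patterns discussed in this thread (services and Run entries living in
# user-writable folders, a registered service whose binary is already gone,
# non-private DNS servers in O17, and O10 LSP entries HijackThis did not
# recognise). Heuristics and function name are mine; the sample lines are copied
# from the log above, written with single backslashes as HijackThis emits them.

function Get-HjtFindings {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Folders an unprivileged user (or a dropper running as one) can write to.
    # Legitimate services and autostarts almost never live here.
    $userWritable = '\\(AppData|Temp|ProgramData|Downloads)\\'

    foreach ($raw in $Lines) {
        $line = ($raw -replace '\\\\', '\').Trim()   # tolerate doubled backslashes from copy/paste
        if (-not $line) { continue }

        switch -Regex ($line) {
            '^O23 - Service: (?<name>.+?) - (?<owner>.+?) - (?<path>.+)$' {
                $m = $Matches
                $why = @()
                if ($m.path -match '\(file missing\)$') {
                    # Deleting the .exe (as the poster did with FileASSASSIN) does not
                    # remove the service registration; it is still a persistence entry.
                    $why += 'service registered but binary gone (orphaned persistence)'
                }
                if ($m.owner -eq 'Unknown owner' -and $m.path -match $userWritable) {
                    $why += 'unknown publisher in a user-writable folder: hash it and look it up'
                }
                if ($why) {
                    [pscustomobject]@{ Section = 'O23'; Item = $m.name; Detail = $m.path; Reason = ($why -join '; ') }
                }
            }
            '^O4 - (?<hive>.+?)\\\.\.\\Run(Once)?: \[(?<name>[^\]]+)\] (?<cmd>.+)$' {
                if ($Matches.cmd -match $userWritable) {
                    [pscustomobject]@{ Section = 'O4'; Item = $Matches.name; Detail = $Matches.cmd; Reason = 'autostart from a user-writable folder' }
                }
            }
            '^O17 - .*NameServer = (?<ips>.+)$' {
                foreach ($ip in ($Matches.ips -split '\s+')) {
                    # RFC 1918 and loopback resolvers are normal on a home LAN; any
                    # public resolver should be one your ISP actually hands out.
                    if ($ip -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)') {
                        [pscustomobject]@{ Section = 'O17'; Item = 'NameServer'; Detail = $ip; Reason = 'public DNS server: confirm it belongs to your ISP' }
                    }
                }
            }
            '^O10 - Unknown file in Winsock LSP: (?<path>.+)$' {
                # "Unknown" only means "not on the HijackThis whitelist"; an LSP removed
                # blindly breaks networking, so verify the publisher first.
                [pscustomobject]@{ Section = 'O10'; Item = 'LSP'; Detail = $Matches.path; Reason = 'LSP not whitelisted by HijackThis: verify its signature' }
            }
        }
    }
}

# Constructed input: lines copied from the HijackThis log posted in this thread.
$SampleLog = @'
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O10 - Unknown file in Winsock LSP: f:\program files\vmware\vmware workstation\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D353E6EA-3933-4850-A1C1-053065E9F025}: NameServer = 41.157.83.51 41.157.83.50
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: DCService.exe - Unknown owner - C:\ProgramData\DatacardService\DCService.exe
O23 - Service: wavxjmvk - Unknown owner - C:\Users\Mansoor\AppData\Local\Temp\DAT622F. tmp.exe (file missing)
'@

Get-HjtFindings -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize -Wrap
```

On the sample above this yields five findings: the wavxjmvk service (both reasons), DCService.exe (unknown publisher under ProgramData, a prompt to hash it rather than a verdict), the two public name servers, and the VMware LSP for signature verification. The Microsoft Security Client and mctadmin entries produce nothing, which is the point of the heuristics: they narrow the list to what needs a hash lookup, they do not decide what is malicious.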
post #7 of 36
OK, I'm busy checking your log quickly. Not finished, but you're going to need the following applications:

Autoruns and Process Explorer -> you can get them at filehippo.com

LSP Fix -> Cexx.org

Spybot Search and Destroy -> filehippo.com

Then please do the following for me as well.

Go to here
C:\\Program Files\\Microsoft Security Client\\msseces.exe

Upload that file to virustotal.com



http://content.systemrequirementslab...i_4.4.21.0.cab
^Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

Do you know the IP or Domain '41.157.83.5141.157.83.50' ?

download this ->http://www.backgroundtask.eu/Software/AHC/Setup.exe

Then check the MD5 hash of skype.exe.

I'm on Cell C too btw. Was on mtn till they blocked YF lol
Edited by Spooony - 4/23/11 at 5:31pm
post #8 of 36
Thread Starter 
Already did Spybot last night; it came up with 1 tracking cookie, which I removed.
I'm using a different PC now, btw.

System Requirements Lab should be safe. It was recommended to me on OCN to see if my rig could run some games.

41.157.83.5141.157.83.50 < nope, and seems a bit too long for an IP.

Busy doing whatever you told me to.
Btw, is running in normal Windows bad? Without the internet.
I have a dow2 craving.
post #9 of 36
Quote:
Originally Posted by nukefission View Post
Already did Spybot last night; it came up with 1 tracking cookie, which I removed.
I'm using a different PC now, btw.

System Requirements Lab should be safe. It was recommended to me on OCN to see if my rig could run some games.

41.157.83.5141.157.83.50 < nope, and seems a bit too long for an IP.

Busy doing whatever you told me to.
Btw, is running in normal Windows bad? Without the internet.
I have a dow2 craving.
You need to run LSP Fix there to fix your Winsock.

Run LSP Fix.
When you're done, download ComboFix -> www.Combofix.org

Disable your antivirus and run it.
Just post the log.

Did you get Autoruns?
You need to run it, then tick "Hide Microsoft and Windows entries", then check "Verify code signatures".

The files shown need to be checked out either via an online scanner or an online process checker.

Then when all is done, do the following.

Go to a cmd prompt and enter the following:

netsh winsock reset catalog
netsh winsock reset
netsh int ip reset resetlog.txt
netsh advfirewall reset

Reboot the computer.

Remember, MBAM is a good application, but it's not good for detecting viruses or rootkits.
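Posts #7 and #9 ask for Autoruns with "Hide Microsoft and Windows entries" and "Verify code signatures", hashes of msseces.exe and skype.exe for VirusTotal, and a netsh reset of Winsock, TCP/IP and the firewall. The script below is an added example, not code from the thread, from Sysinternals or from Microsoft, that does the same from PowerShell: it enumerates Run/RunOnce values and user-mode services, resolves each command line to its binary, checks the Authenticode signature, hides only entries whose signature validates to a Microsoft certificate, and prints a SHA-256 that can be searched on VirusTotal without uploading anything. The function names (Resolve-CommandPath, Get-AutostartReport, Reset-WinsockStack) are mine. It needs PowerShell 4 or later and an elevated prompt.

```powershell
# Added example, not code from the thread. PowerShell equivalent of what posts #7
# and #9 ask for: enumerate autostarts (Run/RunOnce keys and user-mode services),
# verify each binary's Authenticode signature, hide entries that validly chain to
# Microsoft (Autoruns' "Hide Microsoft and Windows entries"), and emit a SHA-256
# that can be searched on VirusTotal instead of uploading the file. The netsh
# sequence from post #9 is wrapped in Reset-WinsockStack. Function names are mine.
# Needs PowerShell 4+ (Get-FileHash, Get-CimInstance) and an elevated prompt.

function Resolve-CommandPath {
    param([string]$CommandLine)
    # Extract the executable/DLL from a Run value or service ImagePath. Handles
    # quoted and unquoted paths with spaces; returns $null for entries without a
    # drive letter (e.g. "RunDll32 P17RunE.dll,RunDLLEntry"), which need a manual look.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '"?(?<p>[a-z]:\\[^"]+?\.(exe|dll|sys))\b') { return $Matches.p }
    return $null
}

function Get-AutostartReport {
    param([switch]$ShowMicrosoft)

    $entries = @()
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in ($values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $entries += [pscustomobject]@{ Source = $key; Name = $v.Name; Command = [string]$v.Value }
        }
    }
    # Win32_Service lists user-mode services only (no kernel drivers); that is the
    # class of entry the "wavxjmvk" service in the HijackThis log belongs to.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
    }

    foreach ($e in $entries) {
        $path   = Resolve-CommandPath $e.Command
        $exists = $path -and (Test-Path -LiteralPath $path)
        $status = 'Unresolved'; $signer = ''; $sha256 = ''
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        } elseif ($path) {
            $status = 'FileMissing'                # still registered, binary already deleted
        }
        # Hide only entries whose signature actually validates to a Microsoft cert;
        # a NotSigned or HashMismatch file in System32 stays visible on purpose.
        $isMicrosoft = ($status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        if ($isMicrosoft -and -not $ShowMicrosoft) { continue }
        [pscustomobject]@{
            Source = $e.Source; Name = $e.Name; Path = $path; Status = $status
            Signer = $signer;   SHA256 = $sha256; Command = $e.Command
        }
    }
}

function Reset-WinsockStack {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # The netsh sequence from post #9. "winsock reset" and "winsock reset catalog"
    # are the same command, so it is run once. "advfirewall reset" discards every
    # custom firewall rule; export them first if you rely on any.
    if ($PSCmdlet.ShouldProcess('Winsock catalog, TCP/IP stack and firewall policy', 'Reset')) {
        netsh winsock reset catalog
        netsh int ip reset resetlog.txt
        netsh advfirewall reset
        Write-Warning 'Reboot to complete the reset.'
    }
}

# Usage: everything that is not validly Microsoft-signed, grouped by status.
Get-AutostartReport | Sort-Object Status | Format-Table Source, Name, Status, Signer, SHA256, Path -AutoSize -Wrap
# After the unknown binaries are dealt with:  Reset-WinsockStack -WhatIf   (drop -WhatIf to run)
```

A row with Status FileMissing, such as the wavxjmvk service from the log, is a leftover registration: deleting the executable did not unregister the service, and `sc.exe delete wavxjmvk` from an elevated prompt removes it. The thread does not get that far, so that step is my addition. On a stock Windows 7 install still on PowerShell 2.0, `certutil -hashfile <path> MD5` produces the hash post #7 asks for, and the Winsock catalog that LSP Fix inspects can be listed with `netsh winsock show catalog`.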
post #10 of 36
Thread Starter 
Quote:
Originally Posted by Spooony View Post
You need to run LSP Fix there to fix your Winsock.

Run LSP Fix.
When you're done, download ComboFix -> www.Combofix.org

Disable your antivirus and run it.
Just post the log.

Did you get Autoruns?
You need to run it, then tick "Hide Microsoft and Windows entries", then check "Verify code signatures".

The files shown need to be checked out either via an online scanner or an online process checker.

Then when all is done, do the following.

Go to a cmd prompt and enter the following:

netsh winsock reset catalog
netsh winsock reset
netsh int ip reset resetlog.txt
netsh advfirewall reset

Reboot the computer.

Remember, MBAM is a good application, but it's not good for detecting viruses or rootkits.
LSP Fix says no problems found.

Autoruns "hide Windows" doesn't do anything.
But I know everything it shows.
ComboFix seems to be stuck on stage 27. I'm still waiting.

The cmd thing I'll do after ComboFix.

ComboFix said MSE is running, but I disabled the real-time protection, stopped the service and closed the exe.
Still 27 :
Edited by nukefission - 4/24/11 at 2:07pm