rond.starsdoor.com victim, please help...

pjpocket

I'm having a serious problem with rond.starsdoor.com popups as they are starting to take over my PC... I left my PC on downloading a couple of torrents while I went out for a jog and came back with a dozen popups and even shortcuts to PartyPoker on my desktop... I have no idea how to go about getting rid of it all but have gathered that I need a HijackThis log and a ComboFix log so I'm posting them below... any help would be greatly appreciated...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:27:57, on 02/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1000140.exe
C:\Program Files\Movie Maker\mezeq77798.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RioSoft\RioDVD Region Free Player\DMon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\lfntytud.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\kvsiaaxh.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\17PHolmes1000140.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lse.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: run=,
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000140.exe 61A847B5BBF72813329B385776F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [mezeq] C:\Program Files\Movie Maker\mezeq77798.exe
O4 - HKLM\..\Run: [515bcf3e] rundll32.exe "C:\WINDOWS\system32\nebriluc.dll",b
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DiscMonitor] C:\Program Files\RioSoft\RioDVD Region Free Player\DMon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\lfntytud.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Gutshot Poker - {70FF3DD2-AC81-43f2-AF80-979E2B789C4A} - C:\Microgaming\Poker\GutshotMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/PreQual/files/MotivePreQual.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c001B7B1.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\kvsiaaxh.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtemejocic.html

--
End of file - 11153 bytes
 
ComboFix 07-12-02.5 - Administrator 2007-12-02 5:42:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.423 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Log\2007 Dec 01 - 03_04_57 PM_301.log
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Log\2007 Dec 01 - 03_05_03 PM_660.log
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\rs.dat
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\CustomScan.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\IgnoreList.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\ScanInfo.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\ScanResults.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\SelectedFolders.stg
C:\Documents and Settings\Administrator\Application Data\AntiSpywareBot\Settings\Settings.stg
C:\Documents and Settings\Administrator\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Administrator\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\merobeh24418.dll
C:\Program Files\Common Files\merobeh4444.dll
C:\Program Files\Common Files\merobeh83122.dll
C:\Program Files\inetget2
C:\Program Files\inetget2\emg.exe
C:\Program Files\MSN Gaming Zone\qudatujyd.dll
C:\Program Files\MSN Gaming Zone\qudatujyd188.dll
C:\Program Files\MSN Gaming Zone\qudatujyd223.dll
C:\Program Files\MSN Gaming Zone\qudatujyd3.dll
C:\Program Files\MSN Gaming Zone\qudatujyd30.dll
C:\Program Files\MSN Gaming Zone\qudatujyd487.dll
C:\Program Files\MSN Gaming Zone\rtemejocic.html
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\WINDOWS\83122.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\csrss.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\IA
C:\WINDOWS\IA\\asappsrv.dll
C:\WINDOWS\IA\\command.exe
C:\WINDOWS\IA\\KE.vbs
C:\WINDOWS\IA\asappsrv.dll
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1000140.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\__c001B7B1.dat
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bsoodpwa.exe
C:\WINDOWS\system32\culirben.ini
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\ecwwyxbg.dll
C:\WINDOWS\system32\fahmffqc.dll
C:\WINDOWS\system32\j3
C:\WINDOWS\system32\j3\ejup83122.exe
C:\WINDOWS\system32\jkkklmj.dll
C:\WINDOWS\system32\kvsiaaxh.exe
C:\WINDOWS\system32\lshfbamo.dll
C:\WINDOWS\system32\nebriluc.dll
C:\WINDOWS\system32\ocrovmvj.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pepckocw.dll
C:\WINDOWS\system32\qagprorx.exe
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\r2\baslook11.exe
C:\WINDOWS\system32\rMa18yy
C:\WINDOWS\system32\rMa18yy\rMa18yy2328.exe
C:\WINDOWS\system32\ttuvw.bak1
C:\WINDOWS\system32\ttuvw.bak2
C:\WINDOWS\system32\ttuvw.ini
C:\WINDOWS\system32\ttuvw.ini2
C:\WINDOWS\system32\tuvwvtq.dll
C:\WINDOWS\system32\u5
C:\WINDOWS\system32\u5\banedll2.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wvutt.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\x.dat
C:\z.dat
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 02:50 . 2007-12-02 02:50 37,376 --a------ C:\WINDOWS\system32\iifebcc.dll
2007-12-01 15:17 . 2007-12-01 15:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-01 15:17 . 2007-12-01 15:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-12-01 10:52 . 2007-12-01 10:52 37,376 --a------ C:\WINDOWS\system32\byxwtur.dll
2007-11-30 01:51 . 2007-11-30 01:51 37,376 --a------ C:\WINDOWS\system32\mljjkll.dll
2007-11-30 01:51 . 2007-12-01 10:52 35,840 --a------ C:\WINDOWS\mrofinu1000140.exe.tmp
2007-11-28 17:00 . 2007-11-28 17:00 37,376 --a------ C:\WINDOWS\system32\wvuvwxv.dll
2007-11-27 11:46 . 2007-11-27 11:46 15,086 --a------ C:\WINDOWS\system32\FreePokerBonus.ico
2007-11-27 10:32 . 2004-04-22 00:51 848,321 --a------ C:\WINDOWS\airlock-wall.jpg
2007-11-27 10:30 . 2007-11-27 10:30 <DIR> d-------- C:\Program Files\CursorXP
2007-11-27 10:20 . 2007-11-27 10:20 0 --a------ C:\WINDOWS\WB.ini
2007-11-27 10:17 . 2007-07-11 14:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2007-11-27 08:52 . 2007-11-27 08:52 <DIR> d-------- C:\Program Files\Stardock
2007-11-27 08:52 . 2007-11-27 10:36 <DIR> d-------- C:\Program Files\Common Files\stardock
2007-11-26 07:21 . 2007-11-26 07:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 23:42 . 2007-11-25 23:42 <DIR> d-------- C:\Microgaming
2007-11-25 18:07 . 2007-11-27 07:52 45 --a------ C:\TEST.XML
2007-11-25 12:18 . 2007-11-25 12:18 <DIR> d-------- C:\Program Files\themexp
2007-11-25 11:18 . 2007-11-25 11:18 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-25 11:15 . 2007-11-25 11:15 40,960 --a------ C:\Documents and Settings\Administrator\f.exe
2007-11-25 11:15 . 2007-11-25 11:15 12,765 --a------ C:\Documents and Settings\Administrator\x.dat
2007-11-25 11:15 . 2007-11-25 11:15 120 --a------ C:\n.bat
2007-11-25 11:14 . 2007-12-02 06:06 <DIR> d-------- C:\Temp
2007-11-25 11:14 . 2007-11-25 11:14 0 --a------ C:\Documents and Settings\Administrator\z.dat
2007-11-25 11:13 . 2007-12-02 02:48 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-11-25 11:04 . 2007-11-19 17:36 211 -rahs---- C:\BOOT.BKK
2007-11-25 10:44 . 2007-11-25 10:44 <DIR> d-------- C:\Program Files\TGTSoft
2007-11-19 17:32 . 2007-11-19 17:32 557,056 --a------ C:\Documents and Settings\Administrator\GoToAssist_phone__319_en.exe
2007-11-18 05:16 . 2007-11-18 05:30 <DIR> d-------- C:\Program Files\VirtualDub
2007-11-18 05:07 . 2007-11-18 05:07 84 --a------ C:\WINDOWS\netdet.ini
2007-11-18 05:05 . 2007-11-18 05:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\shctxex.vb
2007-11-18 05:05 . 2002-01-05 15:48 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-11-18 05:05 . 1998-06-17 00:00 516,173 --a------ C:\WINDOWS\system32\msvcp60d.dll
2007-11-18 05:05 . 1998-06-17 00:00 385,100 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-11-18 05:05 . 2007-03-24 20:19 69,632 --a------ C:\WINDOWS\system32\vzcontextmenu.dll
2007-11-18 05:05 . 2003-12-22 08:20 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
2007-11-18 05:05 . 2003-12-22 08:20 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
2007-11-18 05:05 . 2003-12-22 08:20 1,069 --a------ C:\WINDOWS\system32\vbrun60.inf
2007-11-14 06:28 . 2007-11-14 06:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Citrix
2007-11-14 06:27 . 2007-11-14 06:27 61,480 --a------ C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2007-11-11 00:00 . 2007-11-11 00:42 121,142 --a------ C:\PokerStars.log.0
2007-11-06 23:11 . 2007-11-06 23:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia Multimedia Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 22:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Microgaming
2007-11-27 18:26 --------- d-----w C:\Program Files\Yahoo!
2007-11-27 18:26 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2007-11-27 18:19 --------- d-----w C:\Program Files\Accessdiver
2007-11-27 11:31 10 ----a-w C:\Program Files\.autoreg
2007-11-27 07:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2007-11-25 19:07 --------- d-----w C:\Program Files\LimeWire
2007-11-24 22:59 --------- d-----w C:\Program Files\PokerStars
2007-11-24 11:16 --------- d-----w C:\Program Files\BitTorrent
2007-11-16 04:45 --------- d-----w C:\Program Files\AVI MPEG RM WMV Joiner
2007-11-12 22:32 --------- d-----w C:\Program Files\Poker Wingman
2007-10-27 15:23 --------- d-----w C:\Program Files\TVUPlayer
2007-10-27 13:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TVU Networks
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-22 00:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FileZilla
2007-10-21 01:09 --------- d-----w C:\Program Files\TVAnts
2007-10-20 01:10 --------- d-----w C:\Program Files\PartyGaming
2007-10-19 23:44 4 --sh--r C:\WINOS.SYS
2007-10-19 15:40 --------- d-----w C:\Program Files\GutshotMPP
2007-10-19 05:36 --------- d-----w C:\Program Files\iTunes
2007-10-18 17:54 --------- d-----w C:\Program Files\QuickTime
2007-10-18 17:21 --------- d-----w C:\Program Files\iPod
2007-10-17 16:58 --------- d-----w C:\Program Files\Apple Software Update
2007-10-14 13:15 --------- d-----w C:\Program Files\Mp3TagToolsv12
2007-10-11 12:15 --------- d-----w C:\Program Files\Java
2005-03-31 22:17 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
2005-03-10 14:45 265,984 -c--a-w C:\WINDOWS\inf\WG511v2\WG511v2XP.sys
2005-03-10 14:45 265,856 -c--a-w C:\WINDOWS\inf\WG511v2\WG511v2.sys
2004-08-05 16:06 212,992 -c--a-w C:\WINDOWS\inf\WG511v2\CopyWHQLDriver.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-12-01 10:52 37376 --a------ C:\WINDOWS\system32\byxwtur.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2002-12-19 19:31]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"DiscMonitor"="C:\Program Files\RioSoft\RioDVD Region Free Player\DMon.exe" [2004-07-27 16:06]
"eyeBeam SIP Client"="" []
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 10:06]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EABSERVR.exe" [2002-11-12 19:39]
"hkss"="C:\Program Files\Compaq\Hotkey Software\hkss.exe" [2002-09-19 22:30]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 21:34]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-01-03 13:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-01-03 13:11]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2002-12-07 00:10]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 11:18 C:\WINDOWS\AGRSMMSG.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-06-10 14:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-30 03:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"LWBMOUSE"="C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 12:54]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2005-06-24 18:33]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 10:27]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"mezeq"="C:\Program Files\Movie Maker\mezeq77798.exe" [2007-08-07 20:30]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 14:15]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\byxwtur.dll [2007-12-01 10:52 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwtur]
byxwtur.dll 2007-12-01 10:52 37376 C:\WINDOWS\system32\byxwtur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-11-02 11:47 120056 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG511v2 Wireless Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG511v2 Wireless Assistant.lnk
backup=C:\WINDOWS\pss\NETGEAR WG511v2 Wireless Assistant.lnkCommon Startup

R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys
R3 W8335XP;NETGEAR WG511v2 54 Mbps Wireless PC Card for Windows XP (8335);C:\WINDOWS\system32\DRIVERS\WG511v2XP.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{155a32b0-d599-11db-bca9-000fb5ff6f20}]
\Shell\AutoRun\command - D:\CTRun\Start.EXE

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 06:37:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?8?3?6??????? ??#B?????????????l|B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 6:41:40 - machine was rebooted
.
--- E O F ---
 
I have some bad news for you. One of the infections present on your system is a keylogger, designed to steal your passwords. I highly recommend that from a clean, uninfected system you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.

In particular, please locate the following files:
C:\Documents and Settings\Administrator\x.dat
C:\qoobox\Quarantine\C\x.dat
C:\qoobox\Quarantine\C\z.dat


Please examine the contents of each of these files in Notepad - any passwords listed there are compromised and must be changed immediately.

Please read this for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. Please download and install one of the following antivirus programs, and allow it to do a full scan: AVG, AntiVir or avast!.

Once done, please post an updated HijackThis log.
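As an added example (not part of the original thread or of HijackThis itself), here is a small Python triage script that runs a few defender heuristics over entries copied from the log above: a core Windows binary name outside System32, autostart entries launched from user-writable directories, a populated AppInit_DLLs value, and services with a blank or unknown vendor. The line formats, directory lists and severity labels are my assumptions about HijackThis 2.0.2 output, not the tool's own parser.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: entries copied from the HijackThis log posted above, plus two
# benign entries (jusched.exe, iPod Service) kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\lfntytud.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c001B7B1.dat
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\kvsiaaxh.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Core Windows binaries that live only in %SystemRoot%\System32 on XP. The same file
# name anywhere else (see Fonts\svchost.exe above) is a classic impersonation trick.
SYSTEM32_ONLY = {"svchost.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"
WINDOWS_DIR = r"c:\windows"
# Directory fragments that are user-writable and have no business hosting autostart binaries.
SUSPICIOUS_DIR_FRAGMENTS = ("\\application data\\", "\\fonts\\", "\\temp\\", "\\local settings\\")

HIGH, REVIEW = "high", "review"


@dataclass
class Finding:
    line: str
    severity: str
    reasons: List[str] = field(default_factory=list)


_O4_RE = re.compile(r"^O4 - .*?\[[^\]]*\]\s*(?P<cmd>.*)$")
_EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# "<name> - <owner> - <path>"; the owner may be blank, in which case the log shows " - - ".
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?)\s*-\s*(?P<path>[A-Za-z]:\\.*)$")


def _exe_path(cmd: str) -> Optional[str]:
    """Return the executable at the start of a Run command, quoted or not."""
    m = _EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def _check_path(path: str, reasons: List[Tuple[str, str]]) -> None:
    low = path.lower()
    base = ntpath.basename(low)
    if base in SYSTEM32_ONLY and ntpath.dirname(low) != SYSTEM32_DIR:
        reasons.append((HIGH, f"{base} outside System32 (impersonates a core Windows process)"))
    if any(frag in low for frag in SUSPICIOUS_DIR_FRAGMENTS):
        reasons.append((HIGH, "autostart binary in a user-writable or non-program directory"))


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one HijackThis line; None when nothing is suspicious."""
    line = line.strip()
    reasons: List[Tuple[str, str]] = []
    if line.startswith("O4 - "):
        m = _O4_RE.match(line)
        path = _exe_path(m.group("cmd")) if m else None
        if path:
            _check_path(path, reasons)
    elif line.startswith("O20 - AppInit_DLLs:"):
        value = line.split(":", 1)[1].strip()
        if value:
            # AppInit_DLLs is loaded into every process that maps user32.dll; on a
            # home PC it is almost never legitimately populated.
            reasons.append((HIGH, f"AppInit_DLLs populated: {value}"))
    elif line.startswith("O23 - Service:"):
        m = _O23_RE.match(line)
        if m:
            owner, path = m.group("owner").strip(), m.group("path")
            if owner in ("", "Unknown owner"):
                reasons.append((REVIEW, "service with blank or unknown vendor"))
            d = ntpath.dirname(path.lower())
            if d.startswith(WINDOWS_DIR + "\\") and not d.startswith(SYSTEM32_DIR):
                reasons.append((REVIEW, f"service binary in non-standard Windows directory {ntpath.dirname(path)}"))
            _check_path(path, reasons)
    if not reasons:
        return None
    severity = HIGH if any(s == HIGH for s, _ in reasons) else REVIEW
    return Finding(line=line, severity=severity, reasons=[r for _, r in reasons])


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, the two benign entries pass and the other six are flagged; "review" findings (such as the ATI service that also reports "Unknown owner" in the full log) still need a human to confirm the vendor before anything is removed.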
 
I know this seems really simple-minded, but would formatting and reinstalling Windows make a difference? Wouldn't that be easier?
 
That would certainly fix it, and certainly wouldn't be a bad idea given the severity of these infections. As for whether it's easier, that really depends on how much data you have to back up, programs to reinstall, etc. Formatting will erase everything on the drive, so you will need to first back up any important data and reinstall all your programs once you've formatted.

If you choose to reformat, I strongly recommend you install one of the above antivirus programs immediately after reinstalling Windows, and use it to scan your backups.

Please also keep in mind my warning about your passwords - those passwords are compromised and will need to be changed regardless of whether you choose to format.
 
I've been wanting to format and start fresh for some time so I guess this is as good a time as any... most files I won't be backing up other than school stuff, maybe some photos and things, so that shouldn't be too hard... the only problem will be reinstalling some of the software I have on right now like Nero, PowerDVD etc. because I don't have the CDs for them anymore but I'm sure I'll find something... as for the passwords that have been compromised, I should be able to safely change them from this machine after the format, right? I managed to change a couple of them at uni today but I was wondering if I could do the rest tonight after I'm done putting Windows back on... once again thanks for all the help... as for an antivirus, a friend got me one called NOD I think... he claims it's pretty good, what do you think?
 
Yes, once you've formatted it will be safe to use that machine to change the passwords.

NOD32 is a very good antivirus program - I use it myself.
 
Good to hear... should be getting NOD32 tomorrow... :) I have now flattened/formatted and made the mistake of installing Vista on it... Now my videos don't seem to work too well (I don't think my graphics card has a Vista compatible driver) but other than that everything is looking much 'cleaner'...

Thanks a bundle for your help mate... Much appreciated...
 
Tried that but unfortunately I can't even find XP drivers for my video/graphics card on the ATI site, let alone Vista ones... probably due to the fact that this is a relatively low spec laptop and the graphics card is pretty crap...
 
Whoever makes your laptop (i.e. Dell, Acer, HP) should have the drivers you need listed on their website as well.
 
Already checked that but the drivers they have are outdated and Vista suggests sticking with the generic ones it provides as they'd work out better than the XP versions... I gave it a try but no difference so I stuck with the Vista ones...
 
I'm assuming that it's a driver problem because I have the same problem with my sound card... nothing sounds quite right, almost like things are 'drowning'... I'm using an HP NC4010, SoundMAX integrated sound card, Radeon IGP 350M video card...
 
With regards to your sound problem, try going into the SoundMAX Control Panel, and changing the settings in there, particularly the Environmental Model.
 
You could try a generic SoundMAX driver for Vista, perhaps one made for another laptop, but it seems apparent that the laptop is not designed for Vista. Short of reinstalling XP, there may not be a straightforward solution.
 
I kinda figured as much... the good news is that overall it's running smoother, must have had a whole load of random stuff slowing me down before I went for the hard format... I figure this should last me till the end of January when I hope to pick up a new laptop on one of my uni's student deals... thanks a bundle for all your help mate, it's much appreciated...
 