
1 win32/jeefo help on Fri Dec 04, 2009 9:46 pm

lawlshane
New Member
nod32 reports my svchost.exe is infected with win32/jeefo. This happened a few days ago when I suspect an infected usb flash drive was put into my computer. Since then some applications like Dragon Age won't even launch, I'll just get a message prompting me to send an error report.

Anywho, here's my log. Thanks in advance for checking it out.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:57 PM, on 12/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\P1370Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Creative\Console Launcher\ConsoLCu.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - F:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - F:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [P1370Mon.exe] C:\WINDOWS\P1370Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Shane\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15110/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E3CEC7D-BBDE-4337-8EF5-8F99D7A7D317}: NameServer = 4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - F:\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7711 bytes
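A triage pass over the HijackThis log format shown above, as an added example that is not part of this thread or of HijackThis itself. It flags three things a helper looks for when reading such a log: a core system binary name running from an unexpected directory (the C:\WINDOWS\svchost.exe line in the constructed sample mirrors the file ComboFix later removed from that path), O2/O3/O23 entries whose target file is missing, and O4 Run entries that name a bare executable with no directory. The expected-directory allow-list and the sample log lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows binaries and the one directory each is expected to run from on
# Windows XP. Constructed allow-list for this example; adjust to your baseline.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_CMD_RE = re.compile(r"\] (?P<cmd>.+)$")


@dataclass
class Finding:
    kind: str   # "masquerade", "missing_target" or "unqualified_path"
    line: str


def check_process(path: str) -> Optional[Finding]:
    """Flag a process that carries a core system binary's name but runs from
    somewhere other than that binary's expected directory."""
    lowered = path.strip().lower()
    parent, _, name = lowered.rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    if expected is not None and parent != expected:
        return Finding("masquerade", path.strip())
    return None


def _first_token(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def check_entry(line: str) -> Optional[Finding]:
    """Apply the O2/O3/O23 missing-target check and the O4 bare-name check."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in {"O2", "O3", "O23"} and ("(no file)" in body or "(file missing)" in body):
        return Finding("missing_target", line.strip())
    if code == "O4":
        cmd = RUN_CMD_RE.search(body)
        if cmd and "\\" not in _first_token(cmd.group("cmd")):
            # No directory given: which file actually runs depends on the search path.
            return Finding("unqualified_path", line.strip())
    return None


def triage(log: str) -> List[Finding]:
    """Walk a HijackThis log: the 'Running processes' block first, then O-entries."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:           # a blank line ends the process section
                in_processes = False
                continue
            f = check_process(line)
        else:
            f = check_entry(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample in the format of the log above. The C:\WINDOWS\svchost.exe
# process line is made up to mirror the file at that path that ComboFix removed
# later in the thread; the remaining lines copy entries from the posted log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""
```

Running `triage(SAMPLE_LOG)` returns five findings, in log order: the masquerading svchost.exe, the BHO with no file, the two bare-name Run entries, and the service whose binary is missing.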

2 Re: win32/jeefo help on Fri Dec 04, 2009 9:48 pm

DragonMaster Jay
Site Owner
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner

3 Re: win32/jeefo help on Fri Dec 04, 2009 10:07 pm

lawlshane
New Member
Thank you for the prompt reply! Here is ComboFix.txt:

ComboFix 09-12-04.02 - Shane 12/04/2009 22:00.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2949 [GMT -5:00]
Running from: c:\documents and settings\Shane\desktop\commy.exe
Command switches used :: /stepdel
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\WLSetup
c:\documents and settings\All Users\Application Data\Microsoft\WLSetup\Logs\2009-07-06_02-14_140-wqz0pxml.log
c:\documents and settings\All Users\Application Data\Microsoft\WLSetup\Logs\2009-11-09_17-58_3e0-75xtbzhu.log
c:\documents and settings\Shane\Application Data\inst.exe
c:\windows\svchost.exe
F:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-05 02:53 . 2009-12-05 02:53 187760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-05 02:39 . 2009-12-05 02:39 -------- d-----w- c:\program files\Trend Micro
2009-12-04 23:53 . 2009-12-04 23:53 -------- d-----w- c:\program files\CCleaner
2009-12-04 07:35 . 2009-12-04 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-12-03 02:43 . 2009-12-03 05:49 -------- d-----w- c:\program files\Common Files\BioWare
2009-12-03 02:20 . 2009-11-21 02:34 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-12-03 02:20 . 2009-11-21 02:34 11374592 ----a-w- c:\windows\system32\nvcompiler.dll
2009-11-30 21:45 . 2009-11-30 21:47 37634288 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource 5 Player_Organizer 5.26.02__\CMS5_PCAPP_LB_5_26_02.exe
2009-11-30 21:45 . 2009-11-30 21:45 152576 ----a-w- c:\documents and settings\Shane\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-30 21:44 . 2009-11-30 21:44 79488 ----a-w- c:\documents and settings\Shane\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-29 19:34 . 2009-11-29 19:34 -------- d-----w- c:\documents and settings\Shane\Local Settings\Application Data\Aspyr
2009-11-25 03:16 . 2009-12-03 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-25 03:06 . 2009-11-25 03:06 -------- d-----w- c:\windows\1C4551A64743409391E41477CD655043.TMP
2009-11-21 01:32 . 2009-11-21 01:32 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-21 01:32 . 2009-11-21 01:32 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-21 01:32 . 2009-11-21 01:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-21 01:32 . 2009-11-21 01:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 01:32 . 2009-11-21 01:32 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-21 01:32 . 2009-11-21 01:32 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-19 17:01 . 2009-11-19 17:01 1594541 ----a-w- c:\windows\WANEUninstaller.exe
2009-11-19 16:55 . 2009-11-19 16:55 -------- d-----w- C:\Games
2009-11-18 03:20 . 2009-11-18 03:20 -------- d-----w- c:\program files\GlobFX
2009-11-14 03:40 . 2009-11-14 03:40 -------- d-----w- c:\documents and settings\Shane\Application Data\runic games
2009-11-14 03:21 . 2009-11-14 03:21 -------- d-----w- c:\program files\Runic Games
2009-11-12 01:59 . 2009-11-12 02:00 -------- d-----w- c:\program files\DivX
2009-11-12 01:59 . 2009-11-12 01:59 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-10 06:56 . 2009-11-10 06:56 -------- d-----w- c:\windows\system32\NtmsData
2009-11-09 23:05 . 2009-11-09 23:05 -------- d-----w- c:\program files\Microsoft
2009-11-09 00:04 . 2009-11-09 00:04 -------- d-----w- c:\program files\VSTplugins
2009-11-09 00:04 . 2009-12-03 00:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-08 23:41 . 2009-11-08 23:41 -------- d-----w- c:\program files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 23:51 . 2009-07-06 06:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-04 23:51 . 2009-08-08 08:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-12-04 23:22 . 2009-07-06 06:13 69632 ----a-w- c:\documents and settings\Shane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 07:48 . 2009-07-09 07:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-04 06:32 . 2009-07-06 06:35 -------- d-----w- c:\documents and settings\Shane\Application Data\uTorrent
2009-12-03 02:32 . 2009-07-07 07:57 -------- d-----w- c:\program files\Steam
2009-12-03 02:24 . 2009-08-22 11:57 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-02 06:13 . 2009-10-04 23:44 -------- d-----w- c:\documents and settings\Shane\Application Data\Sony
2009-12-01 04:38 . 2009-07-08 03:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-30 21:52 . 2009-07-06 06:32 -------- d-----w- c:\program files\Creative
2009-11-30 21:45 . 2009-07-09 01:28 -------- d-----w- c:\program files\Java
2009-11-30 21:45 . 2009-08-24 06:57 15007220 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative Live! Cam FX Creator 1.00.07__\AVFC_PCAPP_US_1_00_07.exe
2009-11-25 03:06 . 2009-07-06 06:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-21 02:34 . 2009-07-06 06:30 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34 . 2009-06-10 10:03 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34 . 2009-06-10 10:03 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34 . 2009-06-10 10:03 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34 . 2009-06-10 10:03 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34 . 2009-06-10 10:03 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34 . 2009-06-10 10:03 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34 . 2009-06-10 10:03 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34 . 2009-06-10 10:03 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34 . 2009-06-10 10:03 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:34 . 2009-06-10 10:03 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-20 02:42 . 2009-07-06 06:30 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-15 20:59 . 2009-07-06 08:08 -------- d-----w- c:\documents and settings\Shane\Application Data\Vso
2009-11-15 20:28 . 2009-08-03 05:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-15 20:00 . 2009-07-20 08:34 -------- d-----w- c:\program files\DVDPean Pro 5.3.6
2009-11-11 08:03 . 2009-07-08 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-09 22:53 . 2009-07-06 19:33 -------- d-----w- c:\program files\Messenger Plus! Live
2009-11-08 23:42 . 2009-07-28 02:38 -------- d-----w- c:\program files\Sony
2009-11-08 23:19 . 2009-07-06 07:09 -------- d-----w- c:\documents and settings\Shane\Application Data\Winamp
2009-11-02 04:10 . 2009-08-09 22:41 -------- d-----w- c:\program files\Cheat Engine
2009-10-29 06:47 . 2009-10-29 06:47 -------- d-----w- c:\program files\RMVB Converter
2009-10-25 19:40 . 2009-10-25 19:09 -------- d-----w- c:\program files\Electronic Arts
2009-10-25 19:38 . 2009-10-25 19:37 -------- d-----w- c:\program files\Microsoft Application Compatibility Toolkit 5
2009-10-25 19:31 . 2009-09-03 15:46 -------- d-----w- c:\program files\DOSBox-0.73
2009-10-25 19:12 . 2009-10-25 19:12 287 ----a-w- c:\windows\EReg072.dat
2009-10-18 23:31 . 2009-10-18 23:27 -------- d-----w- c:\program files\Oldgames
2009-10-18 01:49 . 2009-10-18 01:49 -------- d-----w- c:\program files\Quest Online
2009-10-16 22:14 . 2009-10-16 22:14 -------- d-----w- c:\program files\Dink Smallwood
2009-10-11 09:17 . 2009-07-09 01:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 22:26 . 2009-09-19 01:05 -------- d-----w- c:\program files\Diablo II
2009-10-10 22:13 . 2009-10-04 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-10-07 03:40 . 2009-10-07 03:40 -------- d-----w- c:\program files\directx
2009-10-07 03:40 . 2009-10-07 03:40 0 ----a-w- c:\windows\DXT3E9A.tmp
2009-10-07 03:40 . 2009-10-07 03:40 0 ----a-w- c:\windows\DXT3E99.tmp
2009-10-07 03:40 . 2009-10-07 03:40 0 ----a-w- c:\windows\DXT3E98.tmp
2009-10-07 03:40 . 2009-10-07 03:40 0 ----a-w- c:\windows\DXT3E97.tmp
2009-10-07 03:40 . 2009-10-07 03:40 0 ----a-w- c:\windows\DXT3E96.tmp
2009-10-01 20:24 . 2009-10-01 20:24 128 ----a-w- c:\documents and settings\Shane\Local Settings\Application Data\fusioncache.dat
2009-09-19 02:03 . 2009-09-19 02:03 249856 ------w- c:\windows\Setup1.exe
2009-09-19 02:03 . 2009-09-19 02:03 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-17 12:47 . 2009-09-17 12:47 152576 ----a-w- c:\documents and settings\Shane\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:18 . 2008-04-14 04:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 16:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"Google Update"="c:\documents and settings\Shane\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-07 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2009-09-09 584704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"P1370Mon.exe"="c:\windows\P1370Mon.exe" [2006-06-20 36864]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-19 20480]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2009-06-04 25600]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\shane_k\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\shane_k\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"f:\\Dragon Age\\bin_ship\\daorigins.exe"=
"f:\\Dragon Age\\DAOriginsLauncher.exe"=
"f:\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"56618:TCP"= 56618:TCP:Pando Media Booster
"56618:UDP"= 56618:UDP:Pando Media Booster
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 2:49 PM 94360]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [9/10/2009 6:29 PM 941784]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 2:47 PM 731840]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 1:46 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 1:46 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 1:46 AM 72728]
R3 P1370Vfx;P1370Vfx;c:\windows\system32\drivers\P1370Vfx.sys [7/9/2009 2:20 AM 6272]
R3 P1370VID;Live! Cam Voice;c:\windows\system32\drivers\P1370Vid.sys [7/9/2009 2:20 AM 297792]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/6/2009 3:21 AM 721904]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [7/6/2009 1:32 AM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 1:46 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 1:46 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 1:46 AM 72728]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;f:\dragon age\bin_ship\daupdatersvc.service.exe [12/2/2009 11:43 PM 25832]
S3 L6PODLV;PODxt Live Service;c:\windows\system32\Drivers\L6PODLV.sys --> c:\windows\system32\Drivers\L6PODLV.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 P1370Aud;Creative WebCam Audio Control;c:\windows\system32\drivers\P1370Aud.sys [7/9/2009 2:20 AM 93056]
S3 P1370Aul;PD1370 Lower Filter Driver;c:\windows\system32\drivers\P1370Aul.sys [7/9/2009 2:20 AM 4992]
.
Contents of the 'Scheduled Tasks' folder

2009-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1770027372-682003330-1003Core.job
- c:\documents and settings\Shane\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-07 04:32]

2009-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1770027372-682003330-1003UA.job
- c:\documents and settings\Shane\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-07 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {4E3CEC7D-BBDE-4337-8EF5-8F99D7A7D317} = 4.2.2.2
FF - ProfilePath - c:\documents and settings\Shane\Application Data\Mozilla\Firefox\Profiles\e4qhwk7y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp
FF - component: c:\documents and settings\Shane\Application Data\Mozilla\Firefox\Profiles\e4qhwk7y.default\extensions\{7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}\components\NativeComponent.dll
FF - plugin: c:\documents and settings\Shane\Application Data\Mozilla\Firefox\Profiles\e4qhwk7y.default\extensions\activegs@freetoolsassociation.com\platform\WINNT_x86-msvc\plugins\npActiveGS.dll
FF - plugin: c:\documents and settings\Shane\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-vmware-tray - c:\program files\VMware\VMware Workstation\vmware-tray.exe
HKLM-Run-nwiz - nwiz.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe DisplayControlPanel
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-Steam App 215 - c:\program files\Steam\steam.exe steam://uninstall/215
AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe res://c:\windows\system32\TweakUI.exe/uninstall.hta



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 22:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.437.0"
"UniqueId"="09420BCF4A9624B2"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."
"FixId"=dword:00000005
.
Completion time: 2009-12-04 22:04
ComboFix-quarantined-files.txt 2009-12-05 03:04

Pre-Run: 26,424,086,528 bytes free
Post-Run: 27,807,952,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5C8904458181A239C4954213A4373166

4 Re: win32/jeefo help on Sat Dec 05, 2009 12:41 am

DragonMaster Jay
Site Owner
Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

