Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware problem.... [RESOLVED]

Started by kkqwel , Nov 07 2007 02:49 PM

  • This topic is locked This topic is locked

#1
kkqwel
Posted 07 November 2007 - 02:49 PM

kkqwel

    Member

  • Member
  • PipPip
  • 27 posts
OK just noticed that my system seems to be infected with some Malware that continously redirects me to random internet sites every minute or so ans also slows down and sometimes even locks up Explorer

I followed the instructions in the "Read before posting Guide" I was able to complete the Panda Scan it found some issues but did not help my problem

I ran Spybot and it found Virtumonde, 2Search and Grok Loader, It seemed to able remove all but the Virtumonde . I then ran a program called VirtumundoBeGone and seems to have removed it.

However I still have the same problem after removing these malware items.

Here is the HJT log that I got.

C:\WINDOWS\explorer.exe
C:\Documents and Settings\Karl\My Documents\Patches\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {183807B8-BC07-48A2-8DAD-ABC96FA6C7A8} - C:\WINDOWS\system32\khffcyx.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SysApp - {4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D} - C:\Program Files\ApplePie\ie-improver.dll
O2 - BHO: (no name) - {6C85FE1A-4AC6-4E73-8FAB-3E855DC5784F} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E00E68A3-E775-4BE4-8521-42C77422B58B} - C:\WINDOWS\system32\jkkjj.dll
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [typeteller] C:\Documents and Settings\Karl\My Documents\Patches\typeteller2006_0145_setup\TypeTeller 2006\typeteller.exe
O4 - HKLM\..\Run: [bdmreg] C:\WINDOWS\system32\bdmreg.exe
O4 - HKLM\..\Run: [adsnwm] C:\WINDOWS\system32\adsnwm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188475865671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188475840046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://D:\Resources\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: khffcyx - C:\WINDOWS\SYSTEM32\khffcyx.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Greyware Registry Rearguard - Greyware Automation Products, Inc. - c:\windows\system32\grr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9704 bytes



Here is the Panda log that was generated

Incident Status Location

Virus:Generic Malware Disinfected Operating system
Adware:adware/keenvalue Not disinfected c:\windows\system32\drivers\etc\hosts.bho
Adware:adware/cws Not disinfected C:\Documents and Settings\Karl\Favorites\Health
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Karl\Application Data\Registry Cleaner
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Karl\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Karl\Cookies\karl@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Karl\Cookies\karl@azjmp[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Karl\Cookies\karl@clickbank[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Karl\Cookies\karl@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Karl\Cookies\karl@fastclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Karl\Cookies\karl@overture[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Karl\Cookies\karl@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Karl\Cookies\karl@tribalfusion[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Karl\Local Settings\Temp\nsd5.tmp
Virus:Generic Malware Disinfected C:\Documents and Settings\Karl\My Documents\Patches\typeteller2006_0145_setup.zip[TypeTeller 2006/typeteller.exe]

Edited by kkqwel, 07 November 2007 - 07:21 PM.

  • 0

Advertisements

#2
miekiemoes
Posted 08 November 2007 - 08:52 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

The infection is still active here though..

Your HijackThislog is also incomplete - I am missing the top part, so make sure that you post the complete logs in your next reply.
Also, your version of HijackThis is outdated. You are still using the beta version, so please update your version.
Download Trend Micro Hijack This™
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

Then, * Download ComboFix from here.
**Save it to your desktop**

In case you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

* Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
  • 0

#3
kkqwel
Posted 08 November 2007 - 02:08 PM

kkqwel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi,

yes I am still infected and here are the files you requested after running the requested scans.

Thanks


ComboFix 07-11-08.1 - Karl 2007-11-08 14:34:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.535 [GMT -5:00]
Running from: C:\Documents and Settings\Karl\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Karl\Application Data\inst.exe
C:\Documents and Settings\Karl\Application Data\macromedia\Flash Player\#SharedObjects\9WRPULN7\iforex.com
C:\Documents and Settings\Karl\Application Data\macromedia\Flash Player\#SharedObjects\9WRPULN7\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Karl\Application Data\macromedia\Flash Player\#SharedObjects\9WRPULN7\www.broadcaster.com
C:\Documents and Settings\Karl\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Karl\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Karl\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Karl\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\winupdates
C:\WINDOWS\Casino.ico
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\khffcyx(2).dll
C:\WINDOWS\system32\khffcyx.dll
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\sysdl132.exe
C:\WINDOWS\system32\system
C:\WINDOWS\system32\system\mcafeepf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-08 14:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 14:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 22:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-07 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 14:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-07 14:31 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\Uniblue
2007-11-07 14:22 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\Microsoft Web Folders
2007-11-07 10:15 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\OfficeUpdate12
2007-11-07 09:27 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-11-07 00:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-05 11:48 <DIR> d--h----- C:\Program Files\ApplePie
2007-11-05 11:48 32,256 --a------ C:\WINDOWS\system32\khffcyx.dll.vir
2007-10-27 01:07 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 05:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 21:51 --------- d-----w C:\Program Files\MSN Messenger
2007-11-07 19:22 --------- d-----w C:\Program Files\Google
2007-11-07 13:55 --------- d-----w C:\Program Files\Java
2007-10-27 16:36 --------- d-----w C:\Program Files\EA GAMES
2007-10-09 15:12 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-10-08 22:23 --------- d-----w C:\Program Files\Kodak
2007-10-02 16:08 --------- d-----w C:\Documents and Settings\Karl\Application Data\dvdcss
2007-10-02 00:17 --------- d-----w C:\Documents and Settings\Annie\Application Data\DivX
2007-10-01 18:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-01 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\DFX
2007-10-01 02:04 --------- d-----w C:\Program Files\LimeWire
2007-09-30 01:53 --------- d-sh--r C:\Program Files\MSNCS
2007-09-29 10:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-25 20:07 --------- d-sh--r C:\Program Files\SCPP
2007-09-25 20:03 --------- d-----w C:\Program Files\Messenger Detect
2007-09-25 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Detect
2007-09-22 18:42 --------- d-----w C:\Program Files\DivX
2007-05-17 17:11 47,360 ----a-w C:\Documents and Settings\Karl\Application Data\pcouffin.sys
2007-04-29 17:25 87,608 ----a-w C:\Documents and Settings\Karl\Application Data\ezpinst.exe
2004-10-01 19:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D}]
2007-11-05 11:48 95232 --a------ C:\Program Files\ApplePie\ie-improver.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-06-20 16:16]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 14:49]
"adsnwm"="C:\WINDOWS\system32\adsnwm.exe" [2007-04-04 22:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-05 16:21]
"bdmreg"="C:\WINDOWS\system32\bdmreg.exe" [2007-08-21 19:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-26 13:10:45]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-03-05 19:42:40]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-12-24 14:15:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak Picture Transfer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak Picture Transfer.lnk
backup=C:\WINDOWS\pss\Kodak Picture Transfer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{614a7558-092e-11dc-9308-0048541f6c7a}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 14:43:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 14:46:06 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:34 PM, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\grr.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSNCS\data\dpnsvrm.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\MSNCS\data\vssvcm.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bdmreg] C:\WINDOWS\system32\bdmreg.exe
O4 - HKLM\..\Run: [adsnwm] C:\WINDOWS\system32\adsnwm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky....an_unicode.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama....eInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo....toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi....?1188475865671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi....?1188475840046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft....ree/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://D:\Resources\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m....sh/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Greyware Registry Rearguard - Greyware Automation Products, Inc. - c:\windows\system32\grr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8462 bytes
  • 0

#4
miekiemoes
Posted 08 November 2007 - 02:32 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Your HijackThislog doesn't make sense because you scanned with HijackThis before you scanned with Combofix. You were supposed to rescan with HijackThis after the step with Combofix.

Are you aware that there's a MSN Spy program installed on your system? Did you install it? It's important you answer this in your next reply before we start with removal.
Also, do next please..

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
  • 0

#5
kkqwel
Posted 08 November 2007 - 02:51 PM

kkqwel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi,

As requested here are the scans. Also yes I am aware about the MSN spyware and yes I installed it awhile ago and use it often. I have never had any issues in the past with it ?

Not sure if this has any bearing but the one web site that comes up frequently when I am being hijacked is www.popundersupply.com


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:30 PM, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\grr.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSNCS\data\dpnsvrm.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\MSNCS\data\vssvcm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SysApp - {4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D} - C:\Program Files\ApplePie\ie-improver.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [adsnwm] C:\WINDOWS\system32\adsnwm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bdmreg] C:\WINDOWS\system32\bdmreg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188475865671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188475840046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://D:\Resources\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Greyware Registry Rearguard - Greyware Automation Products, Inc. - c:\windows\system32\grr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8775 bytes




ivx D4 4.5.1 (remove only)
7-Zip 4.42
Adobe Acrobat 5.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS
Adobe Reader 8.1.1
Antidote RX v3
Apple Software Update
ArcSoft Camera Suite
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.1.0.1
AVI to VCD SVCD DVD Converter 5.7
Battlefield 2™
BitDefender Antivirus v10
Browser Hijack Blaster v1.0
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon PowerShot A40 WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.2
Canon Utilities ZoomBrowser EX
DAO
Dimage Scan Dual for Windows Ver.2.0.0E
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Dr. Hardware 2004 5.0.1e
DVD Decrypter (Remove Only)
DVD Region+CSS Free 5.9.1.0
DVD Shrink 3.2
EPSON Printer Software
FileAlyzer 1.1h
FlowAccess
Google Earth
Greyware Registry Rearguard
Half-Life® 2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HydraVision
HyperLoad
Intel® Active Monitor
InterVideo DeviceService
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
LG ODD Auto Firmware Update
LimeWire 4.14.10
Logitech Gaming Software
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Picture It! 99
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Morrowind
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero OEM
Nikon Message Center
NTI CD-Maker 2000 Professional
O&O Defrag Professional Edition
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Panda ActiveScan
Pervasive System Analyzer
Pervasive.SQL V8 Workgroup (v8.5)
PictureProject
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Rhapsody Player Engine
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0001]
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Smart Analyzer Vision
SonicStage 3.0
Sony Media Manager 2.2
Sony USB Driver
Spark Analyzer MX
Spark Analyzer Vision
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy 1.4
Steam™
summer2005C Screen Saver
TRIBES Demo
Ulead VideoStudio 11
Unlocker 1.8.5
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.6b
Viewpoint Manager (Remove Only)
Windows Communication Foundation
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WMPTagSupportExtender
WordBiz version 1.7
XviD MPEG-4 Video Codec
  • 0

#6
miekiemoes
Posted 08 November 2007 - 03:06 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Also yes I am aware about the MSN spyware and yes I installed it awhile ago and use it often. I have never had any issues in the past with it ?

So I assume you want to keep it? This program spies on your Messenger conversations etc.. and that's why many scanners may also flag and delete the related files.
In your case, we'll have to leave next files alone since they are related and you want to keep it:

O4 - HKLM\..\Run: [adsnwm] C:\WINDOWS\system32\adsnwm.exe
O4 - HKLM\..\Run: [bdmreg] C:\WINDOWS\system32\bdmreg.exe
C:\Program Files\MSNCS\data\vssvcm.exe
C:\Program Files\MSNCS\data\dpnsvrm.exe
c:\windows\system32\grr.exe

Do next please...

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\ativpsrm.bin
C:\WINDOWS\system32\khffcyx.dll.vir

Folder::
C:\Program Files\ApplePie

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#7
kkqwel
Posted 08 November 2007 - 03:43 PM

kkqwel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi

Here are the updated scans


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:48 PM, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\grr.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSNCS\data\dpnsvrm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\MSNCS\data\vssvcm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [adsnwm] C:\WINDOWS\system32\adsnwm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bdmreg] C:\WINDOWS\system32\bdmreg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188475865671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188475840046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://D:\Resources\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Greyware Registry Rearguard - Greyware Automation Products, Inc. - c:\windows\system32\grr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8742 bytes



ComboFix 07-11-08.1 - Karl 2007-11-08 16:32:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.561 [GMT -5:00]
Running from: C:\Documents and Settings\Karl\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Karl\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\ativpsrm.bin
C:\WINDOWS\system32\khffcyx.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ApplePie
C:\Program Files\ApplePie\bho.dat
C:\Program Files\ApplePie\er.dat
C:\Program Files\ApplePie\ie-improver.dll
C:\Program Files\ApplePie\uninstall.exe
C:\WINDOWS\ativpsrm.bin
C:\WINDOWS\system32\khffcyx.dll.vir

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-08 14:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 14:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 22:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-07 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 14:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-07 14:31 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\Uniblue
2007-11-07 14:22 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\Microsoft Web Folders
2007-11-07 10:15 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\OfficeUpdate12
2007-11-07 00:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-27 01:07 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 05:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 21:51 --------- d-----w C:\Program Files\MSN Messenger
2007-11-07 19:22 --------- d-----w C:\Program Files\Google
2007-11-07 13:55 --------- d-----w C:\Program Files\Java
2007-10-27 16:36 --------- d-----w C:\Program Files\EA GAMES
2007-10-09 15:12 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-10-08 22:23 --------- d-----w C:\Program Files\Kodak
2007-10-02 16:08 --------- d-----w C:\Documents and Settings\Karl\Application Data\dvdcss
2007-10-02 00:17 --------- d-----w C:\Documents and Settings\Annie\Application Data\DivX
2007-10-01 18:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-01 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\DFX
2007-10-01 02:04 --------- d-----w C:\Program Files\LimeWire
2007-09-30 01:53 --------- d-sh--r C:\Program Files\MSNCS
2007-09-29 10:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-25 20:07 --------- d-sh--r C:\Program Files\SCPP
2007-09-25 20:03 --------- d-----w C:\Program Files\Messenger Detect
2007-09-25 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Detect
2007-09-22 18:42 --------- d-----w C:\Program Files\DivX
2007-05-17 17:11 47,360 ----a-w C:\Documents and Settings\Karl\Application Data\pcouffin.sys
2007-04-29 17:25 87,608 ----a-w C:\Documents and Settings\Karl\Application Data\ezpinst.exe
2004-10-01 19:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-08_14.45.26.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 19:41:56 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
+ 2007-11-08 21:34:47 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-06-20 16:16]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 14:49]
"adsnwm"="C:\WINDOWS\system32\adsnwm.exe" [2007-04-04 22:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-05 16:21]
"bdmreg"="C:\WINDOWS\system32\bdmreg.exe" [2007-08-21 19:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-26 13:10:45]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-03-05 19:42:40]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-12-24 14:15:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak Picture Transfer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak Picture Transfer.lnk
backup=C:\WINDOWS\pss\Kodak Picture Transfer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R2 AgentCD;Driver::Agent Class Driver;\??\C:\WINDOWS\system32\DRIVERS\agentcd.sys
R2 Greyware Registry Rearguard;Greyware Registry Rearguard;c:\windows\system32\grr.exe
R2 SIODRV;SIODRV;\??\C:\WINDOWS\system32\drivers\SIODRV.SYS
R3 smbusp;Intel® SMBus 2.0 Driver;C:\WINDOWS\system32\DRIVERS\smb.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys
S3 HostKnl;HostKnl;\??\C:\WINDOWS\system32\DRIVERS\HostKnl.sys
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys
S3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8029.SYS
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{614a7558-092e-11dc-9308-0048541f6c7a}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 16:36:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 16:38:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 14:46
.
--- E O F ---
  • 0

#8
miekiemoes
Posted 08 November 2007 - 04:22 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

The grr.exe is related with your Greyware Registry Rearguard.

This looks Ok again (apart from the MSN Spy, but you choose to keep that one).

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now.
  • 0

#9
kkqwel
Posted 08 November 2007 - 05:17 PM

kkqwel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Ok I have a few questions and remarks.


Does Combifix actually remove any files or change settings etc. ? Because since I ran those scans/tests the problem of browser hikackiing seems to have been eliminated ?

I have since removed Combifix and updated the Java as requested and everything is still working ok.

The other thing I have noticed is that I have been using Spybot over the last few days as well and everything has been fixed there except for one Malware called " 2Search", Spybot cleans it but it's still there when I do a new scan could this be aprt of the problem also ? Any way to get rid of that one?

Regards,

Karl

Edited by kkqwel, 08 November 2007 - 05:17 PM.

  • 0

#10
miekiemoes
Posted 08 November 2007 - 05:24 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Does Combifix actually remove any files or change settings etc. ? Because since I ran those scans/tests the problem of browser hikackiing seems to have been eliminated ?

Yes, it does. And we removed the other infections Combofix didn't remove with the CFScript we created.

The other thing I have noticed is that I have been using Spybot over the last few days as well and everything has been fixed there except for one Malware called " 2Search", Spybot cleans it but it's still there when I do a new scan could this be aprt of the problem also ? Any way to get rid of that one?

Can you let me know what exactly Spybot is detecting as 2search? What file? In what folder is it present? Or what exact registry key?
Is this one still present? Because Combofix could have deleted it already previously, or the CFScript we used.
So scan again with Spybot and see if it still detects the same.
If so, let Spybot fix it, reboot and then rescan once again to see if spybot is still displaying it. Because previously, you were indeed infected and I know Spybot couldn't deal with it. Then we used Combofix and Combofix deleted the active infection, so this time, if you scan once again with Spybot afterwards, it will still find some leftovers and clean them, but this time, they won't return anymore since the active infection is gone.
  • 0

#11
kkqwel
Posted 08 November 2007 - 07:28 PM

kkqwel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
hi,


Just ran Spybot and all is good it no longer detects that 2Search. Thank you very much for your help it was very much appreciated.
  • 0

#12
miekiemoes
Posted 09 November 2007 - 01:07 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
  • 0

#13
miekiemoes
Posted 12 November 2007 - 01:05 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP