Trojan Downloaders/God Knows what =( [RESOLVED]

#1 hamik (Member, 61 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:03 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Adobe Premiere Pro 2.0\Adobe Premiere Pro.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hamik\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.229.236.106:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://www.earthcall...serAgentCAB.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3587 bytes
Thanks, I got rid of a lot of stuff myself, but I just can't figure out what's wrong =(
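The entries a helper would pick out of the log above first, as an added triage script that is not part of the thread and not HijackThis's own code: it parses the R1, O2 and O4 lines and flags a ProxyServer pointing at a routable address, a BHO whose file is gone, a Run entry launched without an absolute path, and one autostart value replicated across several hives. The sample lines are copied from the log above; the severity labels and the "three or more hives" threshold are my own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the suspicious R1/O2/O4 lines from the first log in the
# thread, plus the legitimate AVP and SSVHelper entries as negative controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.229.236.106:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# hive is HKLM, HKCU, HKUS\S-1-5-18, HKUS\.DEFAULT, ...; key is Run, RunOnce, RunServices, ...
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")   # HJT appends this for HKUS entries
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')               # optionally quoted drive-letter path

# Assumed threshold: a value planted under this many distinct hives is treated as suspicious.
MULTI_HIVE_THRESHOLD = 3


def is_external_proxy(proxy):
    """True when a ProxyServer value (host:port) names a routable address.

    A hostname rather than an IP is also treated as external: a home machine
    normally has no proxy configured at all, so any value deserves a look.
    """
    host = proxy.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def triage(log_text):
    """Return a list of findings, each a dict with 'line', 'severity' and 'reason'."""
    findings = []
    run_entries = defaultdict(set)   # (value name, command) -> hives it was found under

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m:
            if is_external_proxy(m.group("proxy")):
                findings.append({"line": line, "severity": "high",
                                 "reason": "ProxyServer points at external address %s; "
                                           "browser traffic is being relayed" % m.group("proxy")})
            continue

        m = BHO_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append({"line": line, "severity": "low",
                                 "reason": "BHO registered but its file is missing "
                                           "(orphaned entry, safe to remove)"})
            continue

        m = RUN_RE.match(line)
        if m:
            cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
            run_entries[(m.group("name"), cmd)].add(m.group("hive"))
            if not ABS_PATH_RE.match(cmd):
                findings.append({"line": line, "severity": "medium",
                                 "reason": "Run entry '%s' launches '%s' without an absolute path; "
                                           "Windows locates it by search order (System32 first), "
                                           "so the real file could be anywhere" % (m.group("name"), cmd)})

    # Second pass: the same value written under HKLM, HKCU and every HKUS hive
    # is how malware makes sure it starts for every account, installers rarely do this.
    for (name, cmd), hives in run_entries.items():
        if len(hives) >= MULTI_HIVE_THRESHOLD:
            findings.append({"line": "O4 [%s] %s" % (name, cmd), "severity": "high",
                             "reason": "same autostart value written under %d hives (%s)"
                                       % (len(hives), ", ".join(sorted(hives)))})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["line"], f["reason"]))
```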
#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again; it should now say "All associations are OK".
  • Close DAFT if you receive that message. This means that it is fixed now.
Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 hamik (Topic Starter, 61 posts)

Seems cleaner to my eyes, and seems to function better as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:59 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\hamik\Desktop\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.229.236.106:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://www.earthcall...serAgentCAB.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 2700 bytes

ComboFix 08-02-25.3 - hamik 2008-02-25 20:47:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.326 [GMT -8:00]
Running from: C:\Documents and Settings\hamik\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\hamik\My Documents\ICROSO~1
C:\Documents and Settings\hamik\My Documents\ICROSO~1\r?gedit.exe
C:\Documents and Settings\hamik\Start Menu\Programs\Outerinfo
C:\Documents and Settings\hamik\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\hamik\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService\Application Data\WinTouch
C:\Documents and Settings\LocalService\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\LocalService\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\LocalService\Application Data\WinTouch\WTUninstaller.exe
C:\Program Files\bifrost\klog.dat
C:\Program Files\bifrost\server.exe
C:\Program Files\Common Files\qfuf
C:\Program Files\Common Files\qfuf\qfufa.lck
C:\Program Files\Common Files\qfuf\qfufd\class-barrel
C:\Program Files\Common Files\qfuf\qfufd\qfufc.dll
C:\Program Files\Common Files\qfuf\qfufd\vocabulary
C:\Program Files\Common Files\qfuf\qfufh
C:\Program Files\Common Files\qfuf\qfufl.exe
C:\Program Files\Common Files\qfuf\qfufl.lck
C:\Program Files\Common Files\qfuf\qfufm.exe
C:\Program Files\Common Files\qfuf\qfufm.lck
C:\Program Files\Common Files\qfuf\qfufp.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~1\?racle\
C:\Program Files\Common Files\racle~1\regedit.exe
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\WINDOWS\b152.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\qfuf
C:\WINDOWS\qfuf\qfuf.dat
C:\WINDOWS\qfuf\wu
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\command.pif
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-24 20:20 . 2008-02-24 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-24 18:53 . 2008-02-24 18:53 <DIR> d-------- C:\Documents and Settings\hamik\Application Data\VisiFly
2008-02-24 18:11 . 2008-02-24 18:11 <DIR> d-------- C:\Program Files\VisiFly
2008-02-24 18:11 . 2008-02-24 18:11 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-02-24 18:11 . 2008-02-24 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GeoVid
2008-02-24 18:11 . 2004-08-18 15:00 1,712,128 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-24 18:11 . 2003-03-19 08:19 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-24 18:11 . 2003-03-19 08:12 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2008-02-24 18:11 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-24 18:11 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-24 18:11 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-24 18:11 . 2003-03-19 06:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-24 18:11 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-24 18:11 . 2005-06-07 15:11 60,416 --a------ C:\WINDOWS\system32\dsetup.dll
2008-02-24 17:23 . 2008-02-25 19:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-24 17:23 . 2008-02-24 17:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-24 17:16 . 2008-02-24 17:16 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-02-24 16:03 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-02-24 16:03 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-02-24 16:03 . 2004-08-04 00:56 20,992 --a------ C:\WINDOWS\system32\dshowext.ax
2008-02-24 16:03 . 2004-08-04 00:56 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax
2008-02-23 21:02 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002431_.tmp
2008-02-23 20:23 . 2008-02-23 20:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-23 20:18 . 2004-08-04 00:56 10,752 --a------ C:\WINDOWS\hh.exe
2008-02-23 20:16 . 2004-08-03 23:07 6,016 --------- C:\WINDOWS\system32\drivers\smbali.sys
2008-02-23 20:08 . 2004-08-04 00:56 143,872 --a------ C:\WINDOWS\system32\itircl.dll
2008-02-23 20:08 . 2004-08-04 00:56 134,144 --a------ C:\WINDOWS\system32\itss.dll
2008-02-23 20:08 . 2004-08-04 00:56 68,608 --a------ C:\WINDOWS\system32\joy.cpl
2008-02-23 20:08 . 2004-08-04 00:56 38,912 --a------ C:\WINDOWS\system32\hhsetup.dll
2008-02-23 20:06 . 2002-06-14 17:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-02-23 20:04 . 2004-08-04 00:56 140,288 --a------ C:\WINDOWS\system32\sfc_os.dll
2008-02-23 18:15 . 2008-02-23 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zenturi
2008-02-23 17:20 . 2008-02-23 17:20 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-23 16:42 . 2008-02-23 17:10 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-23 16:42 . 2008-02-23 16:42 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-23 16:40 . 2008-02-23 16:40 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-23 16:40 . 2008-02-25 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-23 16:40 . 2008-02-25 20:53 1,516,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-23 16:40 . 2008-02-25 20:52 106,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-23 16:40 . 2008-02-25 20:52 21,332 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-23 16:40 . 2008-02-25 20:52 9,140 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-23 16:38 . 2008-02-23 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-02-23 15:38 . 2008-02-23 15:38 40,960 --a------ C:\WINDOWS\system32\fwehg.exe
2008-02-23 15:38 . 2008-02-23 15:38 40,960 --a------ C:\WINDOWS\gsdtwenfgh.exe
2008-02-23 15:38 . 2008-02-23 15:38 20,480 --a------ C:\WINDOWS\quit.exe
2008-02-23 13:41 . 2008-02-23 13:41 <DIR> d-------- C:\Program Files\NoDNS
2008-02-23 12:05 . 2008-02-23 12:05 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-02-23 12:04 . 2008-02-23 12:04 <DIR> d-------- C:\Program Files\Deskshare
2008-02-23 12:04 . 2008-02-23 12:04 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2008-02-23 12:04 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\Unicows.dll
2008-02-23 11:59 . 2008-02-23 12:04 <DIR> d-------- C:\Documents and Settings\hamik\avidemux
2008-02-23 09:40 . 2006-08-24 13:44 477,696 --a------ C:\WINDOWS\system32\drivers\ZD1211BU.sys
2008-02-23 09:25 . 2003-03-04 11:56 145,408 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-02-23 09:25 . 2003-03-03 15:26 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2008-02-23 09:25 . 2002-12-29 04:00 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2008-02-23 09:25 . 2003-02-03 05:26 12,288 --a------ C:\WINDOWS\system32\e100bmsg.dll
2008-02-23 09:25 . 2002-06-27 05:53 5,110 -ra------ C:\WINDOWS\system32\e100b325.din
2008-02-23 08:52 . 2008-02-23 18:49 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-22 18:12 . 2008-02-22 18:12 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-02-21 20:57 . 2008-02-21 20:57 <DIR> d-------- C:\Program Files\Proxy Switcher Standard
2008-02-21 20:57 . 2008-02-21 20:57 <DIR> d-------- C:\Documents and Settings\hamik\Application Data\WNR
2008-02-21 20:19 . 2008-02-23 17:10 <DIR> d--hs---- C:\WINDOWS\aGFtaWs
2008-02-21 20:09 . 2008-02-21 20:09 <DIR> d-------- C:\Program Files\JavaCore
2008-02-20 18:45 . 2006-03-07 09:30 163,080 --a------ C:\WINDOWS\system32\http60.ocx
2008-02-20 18:05 . 2008-02-20 18:05 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-20 18:05 . 2008-02-20 18:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-20 18:05 . 2008-02-20 18:05 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-02-20 18:05 . 2008-02-20 18:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-20 18:05 . 2008-02-20 18:05 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-02-20 18:03 . 2008-02-20 18:03 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-02-20 18:03 . 2008-02-20 18:03 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-02-20 18:03 . 2008-02-20 18:03 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-20 18:03 . 2008-02-20 18:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-19 21:42 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2008-02-19 21:42 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2008-02-19 21:42 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2008-02-19 21:42 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-02-19 21:42 . 2001-08-22 08:42 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
2008-02-19 21:42 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-02-19 21:29 . 2004-08-03 14:03 167,704 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-02-19 21:18 . 2003-07-16 12:23 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-02-19 21:18 . 2003-07-16 12:37 111,104 --a--c--- C:\WINDOWS\system32\dllcache\mtstocom.exe
2008-02-19 21:18 . 2004-08-03 23:04 79,360 --a--c--- C:\WINDOWS\system32\dllcache\phon.ime
2008-02-19 21:18 . 2001-08-17 22:36 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
2008-02-19 21:18 . 2003-07-16 12:23 36,927 --a--c--- C:\WINDOWS\system32\dllcache\padrs411.dll
2008-02-19 21:18 . 2003-07-16 12:23 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll
2008-02-19 21:18 . 2003-07-16 12:23 15,360 --a--c--- C:\WINDOWS\system32\dllcache\padrs804.dll
2008-02-19 21:18 . 2003-07-16 12:23 14,336 --a--c--- C:\WINDOWS\system32\dllcache\padrs412.dll
2008-02-19 21:11 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-02-19 21:06 . 2008-02-19 21:06 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-19 21:06 . 2008-02-19 21:06 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-19 21:06 . 2008-02-19 21:06 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-19 21:06 . 2008-02-19 21:06 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-19 21:06 . 2008-02-19 21:06 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-19 21:05 . 2004-08-04 00:56 678,400 --a------ C:\WINDOWS\system32\inetcomm.dll
2008-02-19 21:05 . 2004-08-04 00:56 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2008-02-19 21:05 . 2004-08-04 00:56 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2008-02-19 21:05 . 2004-08-04 00:56 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2008-02-19 21:05 . 2003-07-16 12:30 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2008-02-19 21:05 . 2003-07-16 12:30 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 04:47 --------- d-----w C:\Program Files\Bifrost
2008-02-25 01:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-24 05:25 --------- d-----w C:\Program Files\MSN Messenger
2008-02-24 02:49 --------- d-----w C:\Program Files\mIRC
2008-02-23 20:03 --------- d-----w C:\Documents and Settings\hamik\Application Data\gtk-2.0
2008-02-23 17:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 02:40 --------- d-----w C:\Program Files\DivX
2008-02-23 01:12 357 ----a-w C:\Documents and Settings\hamik\.cb_layout.bin
2008-02-22 04:31 10 ----a-w C:\Program Files\.autoreg
2008-02-21 03:58 --------- d-----w C:\Documents and Settings\hamik\Application Data\BitTorrent
2008-02-20 06:25 --------- d-----w C:\Program Files\CodeBlocks
2008-02-19 04:09 --------- d-----w C:\Documents and Settings\hamik\Application Data\mIRC
2008-02-05 06:10 --------- d-----w C:\Program Files\WinPcap
2008-02-04 22:35 --------- d-----w C:\Program Files\Steam
2008-02-03 02:37 --------- d-----w C:\Program Files\Cheat Engine
2008-02-01 00:20 --------- d-----w C:\Program Files\Accessdiver
2008-01-25 04:31 --------- d-----w C:\Documents and Settings\hamik\Application Data\Microsoft Web Folders
2008-01-25 04:30 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-25 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2008-01-25 01:40 --------- d-----w C:\Program Files\PokerStars
2008-01-25 00:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-01-25 00:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2008-01-23 02:18 --------- d-----w C:\Documents and Settings\hamik\Application Data\Corel
2008-01-20 01:29 784 ----a-w C:\Documents and Settings\hamik\Application Data\mpauth.dat
2008-01-15 23:56 --------- d-----w C:\Program Files\ZyDAS Technology Corporation
2008-01-12 20:34 --------- d-----w C:\Program Files\Smart Projects
2008-01-06 20:47 26,112 ----a-w C:\WINDOWS\WAVEMIX.DLL
2008-01-06 20:47 21,008 ----a-w C:\WINDOWS\CTL3D.DLL
2008-01-06 20:47 13,712 ----a-w C:\WINDOWS\INSPACE.SCR
2008-01-05 01:31 --------- d-----w C:\Program Files\Gpotato
2007-12-29 06:19 --------- d-----w C:\Program Files\V8Software
2007-12-26 05:00 --------- d-----w C:\Program Files\BearShare
2007-08-07 20:30 163,840 ----a-w C:\Program Files\Common Files\hory77798.exe
2005-08-03 00:58 293,888 --sha-r C:\WINDOWS\aGFtaWs\command.exe
2005-07-30 00:24 472 --sha-r C:\WINDOWS\aGFtaWs\u3IQuqP.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
C:\WINDOWS\System32\catsrvut.dll 2004-08-04 00:56 628224 C:\WINDOWS\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-21 02:50:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 20:53:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-25 20:58:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 04:58:47
.
2008-01-25 02:18:18 --- E O F ---

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

* Open Notepad; don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\002431_.tmp
C:\WINDOWS\system32\fwehg.exe
C:\WINDOWS\gsdtwenfgh.exe
C:\WINDOWS\quit.exe
C:\Program Files\Common Files\hory77798.exe
Folder::
C:\WINDOWS\aGFtaWs

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

#5 hamik (Topic Starter, 61 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:15 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hamik\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.229.236.106:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://www.earthcall...serAgentCAB.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 2882 bytes
ComboFix 08-02-25.3 - hamik 2008-02-26 16:14:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.235 [GMT -8:00]
Running from: C:\Documents and Settings\hamik\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\hamik\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\hory77798.exe
C:\WINDOWS\002431_.tmp
C:\WINDOWS\gsdtwenfgh.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\fwehg.exe
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\hory77798.exe
C:\WINDOWS\002431_.tmp
C:\WINDOWS\aGFtaWs
C:\WINDOWS\aGFtaWs\u3IQuqP.vbs
C:\WINDOWS\gsdtwenfgh.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\fwehg.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-24 20:20 . 2008-02-24 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-24 18:53 . 2008-02-24 18:53 <DIR> d-------- C:\Documents and Settings\hamik\Application Data\VisiFly
2008-02-24 18:11 . 2008-02-24 18:11 <DIR> d-------- C:\Program Files\VisiFly
2008-02-24 18:11 . 2008-02-24 18:11 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-02-24 18:11 . 2008-02-24 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GeoVid
2008-02-24 18:11 . 2004-08-18 15:00 1,712,128 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-24 18:11 . 2003-03-19 08:19 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-24 18:11 . 2003-03-19 08:12 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2008-02-24 18:11 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-24 18:11 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-24 18:11 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-24 18:11 . 2003-03-19 06:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-24 18:11 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-24 18:11 . 2005-06-07 15:11 60,416 --a------ C:\WINDOWS\system32\dsetup.dll
2008-02-24 17:23 . 2008-02-25 19:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-24 17:23 . 2008-02-24 17:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-24 17:16 . 2008-02-24 17:16 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-02-24 16:03 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-02-24 16:03 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-02-24 16:03 . 2004-08-04 00:56 20,992 --a------ C:\WINDOWS\system32\dshowext.ax
2008-02-24 16:03 . 2004-08-04 00:56 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax
2008-02-23 20:23 . 2008-02-23 20:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-23 20:18 . 2004-08-04 00:56 10,752 --a------ C:\WINDOWS\hh.exe
2008-02-23 20:16 . 2004-08-03 23:07 6,016 --------- C:\WINDOWS\system32\drivers\smbali.sys
2008-02-23 20:08 . 2004-08-04 00:56 143,872 --a------ C:\WINDOWS\system32\itircl.dll
2008-02-23 20:08 . 2004-08-04 00:56 134,144 --a------ C:\WINDOWS\system32\itss.dll
2008-02-23 20:08 . 2004-08-04 00:56 68,608 --a------ C:\WINDOWS\system32\joy.cpl
2008-02-23 20:08 . 2004-08-04 00:56 38,912 --a------ C:\WINDOWS\system32\hhsetup.dll
2008-02-23 20:06 . 2002-06-14 17:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-02-23 20:04 . 2004-08-04 00:56 140,288 --a------ C:\WINDOWS\system32\sfc_os.dll
2008-02-23 18:15 . 2008-02-23 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zenturi
2008-02-23 17:20 . 2008-02-23 17:20 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-23 16:42 . 2008-02-23 17:10 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-23 16:42 . 2008-02-23 16:42 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-23 16:40 . 2008-02-23 16:40 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-23 16:40 . 2008-02-26 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-23 16:40 . 2008-02-26 16:28 1,686,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-23 16:40 . 2008-02-26 16:28 106,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-23 16:40 . 2008-02-26 16:28 23,588 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-23 16:40 . 2008-02-26 16:28 9,692 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-23 16:38 . 2008-02-23 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-02-23 13:41 . 2008-02-23 13:41 <DIR> d-------- C:\Program Files\NoDNS
2008-02-23 12:05 . 2008-02-23 12:05 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-02-23 12:04 . 2008-02-23 12:04 <DIR> d-------- C:\Program Files\Deskshare
2008-02-23 12:04 . 2008-02-23 12:04 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2008-02-23 12:04 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\Unicows.dll
2008-02-23 11:59 . 2008-02-23 12:04 <DIR> d-------- C:\Documents and Settings\hamik\avidemux
2008-02-23 09:40 . 2006-08-24 13:44 477,696 --a------ C:\WINDOWS\system32\drivers\ZD1211BU.sys
2008-02-23 09:25 . 2003-03-04 11:56 145,408 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-02-23 09:25 . 2003-03-03 15:26 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2008-02-23 09:25 . 2002-12-29 04:00 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2008-02-23 09:25 . 2003-02-03 05:26 12,288 --a------ C:\WINDOWS\system32\e100bmsg.dll
2008-02-23 09:25 . 2002-06-27 05:53 5,110 -ra------ C:\WINDOWS\system32\e100b325.din
2008-02-23 08:52 . 2008-02-23 18:49 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-22 18:12 . 2008-02-22 18:12 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-02-21 20:57 . 2008-02-21 20:57 <DIR> d-------- C:\Program Files\Proxy Switcher Standard
2008-02-21 20:57 . 2008-02-21 20:57 <DIR> d-------- C:\Documents and Settings\hamik\Application Data\WNR
2008-02-21 20:09 . 2008-02-21 20:09 <DIR> d-------- C:\Program Files\JavaCore
2008-02-20 18:45 . 2006-03-07 09:30 163,080 --a------ C:\WINDOWS\system32\http60.ocx
2008-02-20 18:05 . 2008-02-20 18:05 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-20 18:05 . 2008-02-20 18:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-20 18:05 . 2008-02-20 18:05 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-02-20 18:05 . 2008-02-20 18:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-20 18:05 . 2008-02-20 18:05 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-02-20 18:03 . 2008-02-20 18:03 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-02-20 18:03 . 2008-02-20 18:03 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-02-20 18:03 . 2008-02-20 18:03 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-20 18:03 . 2008-02-20 18:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-19 21:42 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2008-02-19 21:42 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2008-02-19 21:42 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2008-02-19 21:42 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-02-19 21:42 . 2001-08-22 08:42 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
2008-02-19 21:42 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-02-19 21:29 . 2004-08-03 14:03 167,704 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-02-19 21:18 . 2003-07-16 12:23 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-02-19 21:18 . 2003-07-16 12:37 111,104 --a--c--- C:\WINDOWS\system32\dllcache\mtstocom.exe
2008-02-19 21:18 . 2004-08-03 23:04 79,360 --a--c--- C:\WINDOWS\system32\dllcache\phon.ime
2008-02-19 21:18 . 2001-08-17 22:36 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
2008-02-19 21:18 . 2003-07-16 12:23 36,927 --a--c--- C:\WINDOWS\system32\dllcache\padrs411.dll
2008-02-19 21:18 . 2003-07-16 12:23 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll
2008-02-19 21:18 . 2003-07-16 12:23 15,360 --a--c--- C:\WINDOWS\system32\dllcache\padrs804.dll
2008-02-19 21:18 . 2003-07-16 12:23 14,336 --a--c--- C:\WINDOWS\system32\dllcache\padrs412.dll
2008-02-19 21:11 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-02-19 21:06 . 2008-02-19 21:06 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-19 21:06 . 2008-02-19 21:06 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-19 21:06 . 2008-02-19 21:06 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-19 21:06 . 2008-02-19 21:06 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-19 21:06 . 2008-02-19 21:06 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-19 21:05 . 2004-08-04 00:56 678,400 --a------ C:\WINDOWS\system32\inetcomm.dll
2008-02-19 21:05 . 2004-08-04 00:56 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2008-02-19 21:05 . 2004-08-04 00:56 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2008-02-19 21:05 . 2004-08-04 00:56 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2008-02-19 21:05 . 2003-07-16 12:30 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2008-02-19 21:05 . 2003-07-16 12:30 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll
2008-02-19 21:05 . 2003-07-16 12:48 40,960 --a--c--- C:\WINDOWS\system32\dllcache\trialoc.dll
2008-02-19 21:05 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-02-19 21:05 . 2004-08-04 00:56 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2008-02-19 20:58 . 2003-07-16 12:39 1,086,182 -ra------ C:\WINDOWS\SET63.tmp
2008-02-19 20:57 . 2008-02-23 20:23 1,278,292 --a------ C:\WINDOWS\setupapi.log.1.old

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 00:08 --------- d-----w C:\Documents and Settings\hamik\Application Data\Corel
2008-02-26 04:47 --------- d-----w C:\Program Files\Bifrost
2008-02-25 01:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-24 05:25 --------- d-----w C:\Program Files\MSN Messenger
2008-02-24 02:49 --------- d-----w C:\Program Files\mIRC
2008-02-23 20:03 --------- d-----w C:\Documents and Settings\hamik\Application Data\gtk-2.0
2008-02-23 17:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 02:40 --------- d-----w C:\Program Files\DivX
2008-02-23 01:12 357 ----a-w C:\Documents and Settings\hamik\.cb_layout.bin
2008-02-22 04:31 10 ----a-w C:\Program Files\.autoreg
2008-02-21 03:58 --------- d-----w C:\Documents and Settings\hamik\Application Data\BitTorrent
2008-02-20 06:25 --------- d-----w C:\Program Files\CodeBlocks
2008-02-19 04:09 --------- d-----w C:\Documents and Settings\hamik\Application Data\mIRC
2008-02-05 06:10 --------- d-----w C:\Program Files\WinPcap
2008-02-04 22:35 --------- d-----w C:\Program Files\Steam
2008-02-03 02:37 --------- d-----w C:\Program Files\Cheat Engine
2008-02-01 00:20 --------- d-----w C:\Program Files\Accessdiver
2008-01-25 04:31 --------- d-----w C:\Documents and Settings\hamik\Application Data\Microsoft Web Folders
2008-01-25 04:30 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-25 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2008-01-25 01:40 --------- d-----w C:\Program Files\PokerStars
2008-01-25 00:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-01-25 00:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2008-01-20 01:29 784 ----a-w C:\Documents and Settings\hamik\Application Data\mpauth.dat
2008-01-15 23:56 --------- d-----w C:\Program Files\ZyDAS Technology Corporation
2008-01-12 20:34 --------- d-----w C:\Program Files\Smart Projects
2008-01-06 20:47 26,112 ----a-w C:\WINDOWS\WAVEMIX.DLL
2008-01-06 20:47 21,008 ----a-w C:\WINDOWS\CTL3D.DLL
2008-01-06 20:47 13,712 ----a-w C:\WINDOWS\INSPACE.SCR
2008-01-05 01:31 --------- d-----w C:\Program Files\Gpotato
2007-12-29 06:19 --------- d-----w C:\Program Files\V8Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
C:\WINDOWS\System32\catsrvut.dll 2004-08-04 00:56 628224 C:\WINDOWS\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Program Files\\AIM\\aim.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-21 02:50:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 16:29:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-02-26 16:34:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-27 00:34:42
ComboFix2.txt 2008-02-26 04:59:00
.
2008-01-25 02:18:18 --- E O F ---
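The listing above is ComboFix's own output, and most of a few hundred such lines are service-pack and codec files that belong there; the two items the helper singles out below are the ones worth finding quickly. As an added example (not part of the original post and not a ComboFix feature), the script below parses the two line formats ComboFix prints, the "new files" section and the "Find3M Report", and applies three generic checks: a path component on a watchlist, a non-directory with both the hidden and system attributes, and a .tmp file sitting outside a temp directory. The watchlist, the temp-directory hints and the sample log are constructed for the example; the sample lines themselves are copied from the log above.

```python
"""Triage helper for ComboFix-style file listings.

Added example for this thread; not part of the original post and not a
ComboFix feature. Parses the "new files" and "Find3M" line formats and
applies a few generic checks so the analyst starts from a short
candidate list. The watchlist, TEMP_DIR_HINTS and SAMPLE_LOG are
constructed for the example (the sample lines are copied from the log
posted in this thread).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# New-files section: "<created> . <modified> <size|<DIR>> <attrs> <path>"
NEWFILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Find3M section: "<modified> <size|dashes> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|[\d,]+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)

# Constructed watchlist of folder names. The helper in this thread told the
# poster to delete C:\Program Files\Bifrost, so that name is the one entry.
WATCHLIST = {"bifrost"}
# Constructed: a .tmp under one of these is ordinary; elsewhere it gets a look.
TEMP_DIR_HINTS = ("\\temp\\", "\\tmp\\", "\\local settings\\temp")


@dataclass
class Entry:
    path: str
    modified: datetime
    created: Optional[datetime]  # only the new-files section prints it
    size: Optional[int]          # None for directories
    attrs: str                   # raw attribute column, e.g. "--ahs----"

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    def has(self, flag: str) -> bool:
        return flag in self.attrs


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _size(text: str) -> Optional[int]:
    if text == "<DIR>" or text.startswith("-"):
        return None
    return int(text.replace(",", ""))


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file line, None for banners and blank lines."""
    line = line.strip()
    m = NEWFILE_RE.match(line)
    if m:
        return Entry(m["path"], _ts(m["modified"]), _ts(m["created"]),
                     _size(m["size"]), m["attrs"])
    m = FIND3M_RE.match(line)
    if m:
        return Entry(m["path"], _ts(m["modified"]), None,
                     _size(m["size"]), m["attrs"])
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries: List[Entry], watchlist=WATCHLIST) -> List[Tuple[str, str]]:
    """Generic checks; every hit still needs a human with context."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if any(part in watchlist for part in low.split("\\")):
            findings.append((e.path, "name on watchlist"))
        if not e.is_dir and e.has("h") and e.has("s"):
            findings.append((e.path, "hidden+system file"))
        if (not e.is_dir and low.endswith(".tmp")
                and not any(h in low for h in TEMP_DIR_HINTS)):
            findings.append((e.path, "leftover .tmp outside a temp directory"))
    return findings


def triage_log(text: str) -> List[Tuple[str, str]]:
    return triage(parse_log(text))


# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2008-02-24 18:11 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-24 17:16 . 2008-02-24 17:16 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-02-23 20:06 . 2002-06-14 17:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-02-23 16:40 . 2008-02-26 16:28 1,686,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-23 16:40 . 2008-02-23 16:40 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-19 20:58 . 2003-07-16 12:39 1,086,182 -ra------ C:\WINDOWS\SET63.tmp
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-02-26 04:47 --------- d-----w C:\Program Files\Bifrost
2008-02-23 01:12 357 ----a-w C:\Documents and Settings\hamik\.cb_layout.bin
"""

if __name__ == "__main__":
    for path, reason in triage_log(SAMPLE_LOG):
        print(f"{reason:40} {path}")
```

Run against the sample it returns four candidates: C:\WINDOWS\000001_.tmp and C:\Program Files\Bifrost, which are exactly the two items the helper asks the poster to delete, plus two hits that need context to dismiss. fidbox.dat is hidden+system, but its creation time in the log is the same minute as the Kaspersky Lab folders, and SET63.tmp dates from the service-pack reinstall two days before the scan. That is the point of the checks: they shorten the list, they do not make the call.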

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

Please navigate to and delete the following folder and file:

C:\Program Files\Bifrost <== folder
C:\WINDOWS\000001_.tmp <== file

Let me know in your next reply how things are now.

#7 hamik (Topic Starter, Member, 61 posts)
Things are running smoothly, thanks for the help man.

Edited by hamik, 27 February 2008 - 07:07 PM.


#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes (Malware Expert, MVP, 5,503 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.