Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virtumonde Infection [RESOLVED]


  • This topic is locked This topic is locked

#16
preller

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here goes......


ComboFix.log


ComboFix 08-04-10.9 - Computer 2008-04-11 18:41:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.556 [GMT 2:00]
Running from: C:\Documents and Settings\Computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Computer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SET92.tmp
C:\WINDOWS\SET93.tmp
C:\WINDOWS\SET94.tmp
C:\WINDOWS\SET9E.tmp
C:\WINDOWS\SET9F.tmp
C:\WINDOWS\SETA0.tmp
C:\WINDOWS\system32\caiisdfo.ini
C:\WINDOWS\system32\gborbmuj.ini
C:\WINDOWS\system32\ghnlrxog.ini
C:\WINDOWS\system32\htwtxxnw.dll_old
C:\WINDOWS\system32\irvjpuyx.ini
C:\WINDOWS\system32\iywvgatj.ini
C:\WINDOWS\system32\nmxgfnhy.ini
C:\WINDOWS\system32\ooktllug.dll
C:\WINDOWS\system32\qjfjponr.ini
C:\WINDOWS\system32\test12.exe
C:\WINDOWS\system32\tsjcsjnv.ini
C:\WINDOWS\system32\urqQkjIb.dll_old
C:\WINDOWS\system32\wnxxtwth.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SET92.tmp
C:\WINDOWS\SET93.tmp
C:\WINDOWS\SET94.tmp
C:\WINDOWS\SET9E.tmp
C:\WINDOWS\SET9F.tmp
C:\WINDOWS\SETA0.tmp
C:\WINDOWS\system32\caiisdfo.ini
C:\WINDOWS\system32\gborbmuj.ini
C:\WINDOWS\system32\ghnlrxog.ini
C:\WINDOWS\system32\htwtxxnw.dll_old
C:\WINDOWS\system32\irvjpuyx.ini
C:\WINDOWS\system32\iywvgatj.ini
C:\WINDOWS\system32\nmxgfnhy.ini
C:\WINDOWS\system32\ooktllug.dll
C:\WINDOWS\system32\qjfjponr.ini
C:\WINDOWS\system32\test12.exe
C:\WINDOWS\system32\tsjcsjnv.ini
C:\WINDOWS\system32\urqQkjIb.dll_old
C:\WINDOWS\system32\wnxxtwth.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EIM72
-------\Legacy_WINDOWS_IPSEC_MONITOR
-------\Service_Eim72
-------\Service_Windows IPSEC Monitor


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 18:24 . 2006-02-15 02:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-04-11 18:15 . 2008-04-11 18:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-11 18:10 . 2008-04-11 18:31 <DIR> d-------- C:\SDFix
2008-04-10 16:34 . 2008-04-10 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-10 11:55 . 2006-11-27 16:54 539,136 -----c--- C:\WINDOWS\system32\dllcache\msftedit.dll
2008-04-10 11:40 . 2007-07-09 15:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-10 11:33 . 2006-06-14 11:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-10 11:33 . 2006-06-14 10:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-10 11:04 . 2008-04-10 11:04 <DIR> d---s---- C:\Documents and Settings\Computer\UserData
2008-04-10 08:56 . 2008-04-10 08:56 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-10 08:42 . 2008-04-10 08:42 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-09 18:52 . 2008-04-09 18:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 16:57 . 2008-04-10 09:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 16:57 . 2008-04-10 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 14:27 . 2005-07-20 18:08 327,808 --a------ C:\WINDOWS\system32\drivers\akshasp.sys
2008-04-09 13:36 . 2008-04-09 13:44 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-04-09 11:37 . 2008-04-09 16:16 <DIR> d-------- C:\VundoFix Backups
2008-04-04 15:15 . 2008-04-04 15:15 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\Microsoft Web Folders
2008-04-04 13:57 . 2008-04-04 13:57 <DIR> d-------- C:\Documents and Settings\Trish\Application Data\ATI
2008-04-04 13:56 . 2008-04-04 13:56 <DIR> d-------- C:\Documents and Settings\Trish\Application Data\Bitdefender
2008-04-03 14:41 . 2008-04-03 14:42 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1
2008-04-03 14:25 . 2006-04-28 01:51 29,968 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-03 14:10 . 2008-04-03 14:10 <DIR> d-------- C:\Program Files\MSBuild
2008-04-03 14:07 . 2008-04-03 14:07 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-03 13:59 . 2008-04-09 16:06 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-03 13:58 . 2008-04-03 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-03 13:56 . 2008-04-03 13:56 <DIR> dr-h----- C:\MSOCache
2008-04-03 13:36 . 2008-04-11 14:28 1,021 --a------ C:\WINDOWS\wininit.ini
2008-04-03 11:28 . 2008-04-03 11:28 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-04-03 11:14 . 2008-04-03 11:14 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\CyberScrub
2008-04-03 11:10 . 2008-04-03 11:10 <DIR> d-------- C:\Program Files\Genie-Soft
2008-04-03 11:10 . 2008-04-03 11:10 <DIR> d-------- C:\Program Files\Common Files\Genie-Soft Shared
2008-04-02 17:55 . 2008-04-02 17:55 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\ATI
2008-04-02 17:54 . 2008-04-02 17:54 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\Bitdefender
2008-04-02 16:57 . 2008-04-09 17:01 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-02 16:57 . 2008-04-09 17:07 4,638 --a------ C:\WINDOWS\unins000.dat
2008-04-02 16:20 . 2004-08-04 00:56 380,416 --a------ C:\WINDOWS\system32\irprops.cpl
2008-04-02 16:20 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-02 16:20 . 2007-07-30 19:19 216,408 --a--c--- C:\WINDOWS\system32\dllcache\wuaucpl.cpl
2008-04-02 16:19 . 2005-07-26 01:46 7,680 --a--c--- C:\WINDOWS\system32\dllcache\migregdb.exe
2008-04-02 16:18 . 2008-04-02 16:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-02 16:12 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002509_.tmp
2008-04-02 15:53 . 2008-04-02 16:37 414 --ahs---- C:\WINDOWS\system32\tcdfbupe.ini
2008-04-02 15:52 . 2004-08-04 00:56 192,000 --a------ C:\WINDOWS\system32\iuengine.dll
2008-04-02 15:34 . 2001-12-26 22:52 27,136 -ra------ C:\WINDOWS\system32\drivers\SISAGP.SYS
2008-04-02 15:34 . 2001-12-26 22:52 27,136 --a--c--- C:\WINDOWS\system32\dllcache\sisagp.sys
2008-04-02 15:18 . 2004-08-03 22:32 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-04-02 15:17 . 2001-08-17 22:36 205,824 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_seo.dll
2008-04-02 15:16 . 2004-08-03 22:31 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-04-02 15:15 . 2001-08-18 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-02 15:15 . 2001-08-18 14:00 98,304 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.dll
2008-04-02 15:13 . 2001-08-18 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-02 15:12 . 2004-08-03 23:04 78,848 --a--c--- C:\WINDOWS\system32\dllcache\dayi.ime
2008-04-02 15:12 . 2001-08-18 14:00 57,856 --a--c--- C:\WINDOWS\system32\dllcache\esuimgd.dll
2008-04-02 15:12 . 2004-08-03 22:31 57,399 --a--c--- C:\WINDOWS\system32\dllcache\cplexe.exe
2008-04-02 15:12 . 2001-08-18 14:00 45,056 --a--c--- C:\WINDOWS\system32\dllcache\esunid.dll
2008-04-02 15:12 . 2001-08-18 14:00 31,744 --a--c--- C:\WINDOWS\system32\dllcache\esucmd.dll
2008-04-02 15:12 . 2001-08-18 14:00 25,856 --a--c--- C:\WINDOWS\system32\dllcache\et4000.sys
2008-04-02 15:12 . 2001-08-18 14:00 18,944 --a--c--- C:\WINDOWS\system32\dllcache\cprofile.exe
2008-04-02 15:10 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-04-02 15:10 . 2001-08-17 22:36 175,104 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpadm.dll
2008-04-02 15:05 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-04-02 14:55 . 2008-04-02 14:55 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-02 14:55 . 2008-04-02 14:55 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-02 14:55 . 2008-04-02 14:55 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-02 14:55 . 2008-04-02 14:55 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-02 14:55 . 2008-04-02 14:55 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-02 14:48 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\system32\wuaueng.dll
2008-04-02 14:43 . 2004-08-03 22:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-04-02 13:01 . 2004-08-04 01:01 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-04-02 12:00 . 2004-08-04 00:56 741,376 --a--c--- C:\WINDOWS\system32\dllcache\sapi.dll
2008-04-02 12:00 . 2004-08-04 00:56 155,648 --a--c--- C:\WINDOWS\system32\dllcache\sapi.cpl
2008-04-02 11:59 . 2004-08-04 00:56 146,432 --a------ C:\WINDOWS\system\winspool.drv
2008-04-02 11:59 . 2004-08-04 00:56 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2008-04-02 11:59 . 2001-08-18 14:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-04-02 11:59 . 2001-08-18 14:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-04-02 11:59 . 2001-08-18 14:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-04-02 11:59 . 2001-08-18 14:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-04-02 11:59 . 2004-08-03 23:00 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2008-04-02 11:58 . 2001-08-18 14:00 797,189 --a--c--- C:\WINDOWS\system32\dllcache\NT5IIS.CAT
2008-04-02 11:58 . 2001-08-18 14:00 399,645 --a--c--- C:\WINDOWS\system32\dllcache\MAPIMIG.CAT
2008-04-02 11:58 . 2001-08-18 14:00 37,484 --a--c--- C:\WINDOWS\system32\dllcache\MW770.CAT
2008-04-02 11:58 . 2001-08-18 14:00 13,472 --a--c--- C:\WINDOWS\system32\dllcache\HPCRDP.CAT
2008-04-02 11:58 . 2001-08-18 14:00 8,574 --a--c--- C:\WINDOWS\system32\dllcache\IASNT4.CAT
2008-04-02 11:58 . 2001-08-18 14:00 7,382 --a--c--- C:\WINDOWS\system32\dllcache\OEMBIOS.CAT
2008-04-01 11:39 . 2008-04-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RunOff
2008-04-01 11:37 . 2008-04-01 11:37 <DIR> d-------- C:\WINDOWS\system32\AsBackup
2008-04-01 11:32 . 2008-04-01 11:32 41,726 --a------ C:\WINDOWS\system32\PUXPPLAT.UND
2008-03-31 17:27 . 2002-06-21 20:36 412,688 --a------ C:\WINDOWS\system32\drivers\cmuda.sys
2008-03-31 17:27 . 2006-03-17 02:33 262,784 --a------ C:\WINDOWS\system32\drivers\HTTP.sys
2008-03-31 17:27 . 2005-07-20 18:08 100,096 --a------ C:\WINDOWS\system32\drivers\aksusb.sys
2008-03-31 17:27 . 2007-05-07 15:11 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-03-31 17:27 . 2004-08-03 23:00 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2008-03-31 17:27 . 2007-06-18 15:19 17,920 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-03-31 17:27 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-03-31 17:27 . 2007-01-22 19:33 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-03-31 17:27 . 2001-08-17 15:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-03-31 17:15 . 2008-03-31 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberScrub
2008-03-31 17:14 . 2008-03-31 17:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-03-31 17:14 . 2008-03-31 17:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Bitdefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 13:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-03 09:53 --------- d-----w C:\Program Files\CyberScrub Professional
2008-04-02 09:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 08:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 09:14 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-03-08 09:14 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-03-08 09:08 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-08 09:08 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-03-08 08:34 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-01 12:50 --------- d-----w C:\Program Files\SiSLan
2008-02-18 14:52 --------- d-----w C:\Program Files\Kyodai Mahjongg 2006
2008-02-16 10:42 --------- d-----w C:\Program Files\QuickTime
2008-02-16 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-13 16:35 --------- d-----w C:\Program Files\ScanSoft
2008-02-13 16:35 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-02-13 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanWizard
2008-02-13 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
.

((((((((((((((((((((((((((((( [email protected]_16.55.06.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-11 02:14:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-11 16:16:18 2,486,272 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-11 16:16:18 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-11 02:14:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-11 16:16:06 2,486,272 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-11 16:16:06 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-04-11 14:48:38 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
+ 2008-04-11 16:43:12 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F50C8E0-D3A0-40C0-9F5A-679782F0C22E}]
C:\WINDOWS\system32\urqQkjIb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5B5AE7A-C924-480C-B654-2CDBDC3766D7}]
C:\WINDOWS\system32\rqRIxxYP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC62E4A6-8475-4EBF-B40B-626CE4034800}]
C:\WINDOWS\system32\khfEVmjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-12 20:21 171448]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-05 12:35 335872]
"Cmaudio"="cmicnfg.cpl" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"BM7f3a99d1"="C:\WINDOWS\system32\dqsthepx.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-04-25 21:26 423184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim72.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe"=
"%windir%\\system32\\sessmgr.exe"=

S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-18 15:19]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 09:29:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-11 16:47:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-10 14:34:49 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 18:44:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
  • 0

Advertisements


#17
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
  • 0

#18
preller

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Herewith GMER log results:


GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-12 15:41:36
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs sockspy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000

---- EOF - GMER 1.0.14 ----
  • 0

#19
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok looking good

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log
  • 0

#20
preller

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sorry that this took so long! Apart from the download/scan time, I've had a power outage which doesn't help.


Kaspersky follows



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-04-12 20:32
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 700176
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55565
Number of viruses found: 2
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 00:58:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04102008-085720.log Object is locked skipped
C:\Documents and Settings\Computer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\A0028112.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\A0028113.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\A0028114.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\A0028241.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\A0028304.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\A0029430.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\Av-test.txt Infected: EICAR-Test-File skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\fccbARKE.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Computer\DoctorWeb\Quarantine\htwtxxnw.dll_old.vir Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Computer\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Computer\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Trish\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Trish\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\InstallShield Installation Information\{B360A8E5-C171-4AAE-9777-65B3CDB0072C}\setup.ilg Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B2068891-7D93-45BB-ADD9-A1C235DBB202}\RP25\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bdss.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp000000c8\tmp00000000 Object is locked skipped
C:\WINDOWS\TempFile Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



HiJackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:36, on 2008-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\NetFx20SP1_x86.exe
c:\b3b14499c46c540dc3d6a887\setup.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
c:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F50C8E0-D3A0-40C0-9F5A-679782F0C22E} - C:\WINDOWS\system32\urqQkjIb.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E5B5AE7A-C924-480C-B654-2CDBDC3766D7} - C:\WINDOWS\system32\rqRIxxYP.dll (file missing)
O2 - BHO: (no name) - {EC62E4A6-8475-4EBF-B40B-626CE4034800} - C:\WINDOWS\system32\khfEVmjh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM7f3a99d1] Rundll32.exe "C:\WINDOWS\system32\dqsthepx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1060284298-861567501-1801674531-1014\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User '?')
O4 - HKUS\S-1-5-21-1060284298-861567501-1801674531-1014\..\Run: [7c09aa4d] rundll32.exe "C:\WINDOWS\system32\goxrlnhg.dll",b (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196583868056
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7345 bytes
  • 0

#21
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {2F50C8E0-D3A0-40C0-9F5A-679782F0C22E} - C:\WINDOWS\system32\urqQkjIb.dll (file missing)
O2 - BHO: (no name) - {E5B5AE7A-C924-480C-B654-2CDBDC3766D7} - C:\WINDOWS\system32\rqRIxxYP.dll (file missing)
O2 - BHO: (no name) - {EC62E4A6-8475-4EBF-B40B-626CE4034800} - C:\WINDOWS\system32\khfEVmjh.dll (file missing)
O4 - HKLM\..\Run: [BM7f3a99d1] Rundll32.exe "C:\WINDOWS\system32\dqsthepx.dll",s
O4 - HKUS\S-1-5-21-1060284298-861567501-1801674531-1014\..\Run: [7c09aa4d] rundll32.exe "C:\WINDOWS\system32\goxrlnhg.dll",b (User '?')


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log and tell me how your PC is running
  • 0

#22
preller

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi again,

The latest HiJackThis log follows - the computer seems back to normal - if not faster than it's been for some time!



HJT log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09, on 2008-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F50C8E0-D3A0-40C0-9F5A-679782F0C22E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E5B5AE7A-C924-480C-B654-2CDBDC3766D7} - (no file)
O2 - BHO: (no name) - {EC62E4A6-8475-4EBF-B40B-626CE4034800} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196583868056
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6807 bytes
  • 0

#23
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Just one thing left

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {2F50C8E0-D3A0-40C0-9F5A-679782F0C22E} - (no file)
O2 - BHO: (no name) - {E5B5AE7A-C924-480C-B654-2CDBDC3766D7} - (no file)
O2 - BHO: (no name) - {EC62E4A6-8475-4EBF-B40B-626CE4034800} - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
  • 0

#24
preller

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Whew!!

Here goes.........

Hijack this log follows:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59, on 2008-04-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196583868056
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7275 bytes
  • 0

#25
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looking good

How is your PC running ? Any problems
  • 0

Advertisements


#26
preller

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi there Rorschach,

Thanks to you, no further problems. Seeing that you're based in Dublin, could I say that you're a feckin' genius!!!

Top o' the mornin' to ya. (and humble thanks).
  • 0

#27
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Haha thanks

One final thing

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image


Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#28
preller

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks once again. I have pre-empted your reply by installing (on both machines) the latest version of Bitdefender, changing browsers on both machines to Firefox and autoupdating Windows and Windows defender. Your advice has been invaluable and has taught me a [bleep] of a lot more than I knew about "invasions".
  • 0

#29
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP