Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Yes, another one with Win32/Virtumonde [CLOSED]

Started by KoolAidGuy , Jul 01 2008 04:58 PM

  • This topic is locked This topic is locked

#16
emeraldnzl
Posted 11 July 2008 - 05:23 AM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again KoolAidGuy,

Not quite fixed yet. DSS has found a worm infection of the Win32/Rbot family that we need to deal with. :)

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\WINDOWS\conf32.exe
purity
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next

Run Deckards System Scanner again.

This time there will only be one log.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open Notepad .txt please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents in your next reply.
Important note: Please post the contents of the DSS log in the thread. This makes it much easier to analyse. Do not attach as you have in the past.
  • 0

Advertisements

#17
Rorschach112
Posted 14 July 2008 - 05:01 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#18
Rorschach112
Posted 15 July 2008 - 08:36 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post the logs
  • 0

#19
KoolAidGuy
Posted 15 July 2008 - 08:41 AM

KoolAidGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Emerald!

I was away for a few days, and thought I had internet access there to inform you. Excuse me for not letting you know :) .
Here are the logs as requested.

DSS Log:

Deckard's System Scanner v20071014.68
Run by Sjef on 2008-07-11 13:49:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Sjef.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:35 PM, on 7/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sjef\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sjef.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1209812350046
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://62.100.53.122...sCamControl.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7254 bytes

-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-07-11 10:38:22 0 d-------- C:\Program Files\WinPcap
2008-07-11 10:37:11 0 d-------- C:\Program Files\WMR11
2008-07-08 14:35:27 0 d-------- C:\Documents and Settings\Sjef\Application Data\TuneUp Software
2008-07-08 14:35:16 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-07-08 14:35:08 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-07-08 14:34:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 12:29:34 0 d-------- C:\Documents and Settings\Sjef\Application Data\Malwarebytes
2008-07-06 12:29:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-06 12:29:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 00:19:48 261936 -r-hs---- C:\cmldr
2008-07-03 00:19:48 4952 -ra------ C:\Bootfont.bin
2008-07-03 00:19:30 0 dr-hs---- C:\cmdcons
2008-07-03 00:19:28 0 d-------- C:\WINDOWS\setup.pss
2008-07-03 00:19:11 0 d-------- C:\WINDOWS\setupupd
2008-07-02 00:44:21 0 d-------- C:\Program Files\Trend Micro
2008-06-30 16:38:32 0 dr-h----- C:\Documents and Settings\Sjef\Recent
2008-06-30 16:36:32 0 d-------- C:\Program Files\CCleaner
2008-06-30 00:49:49 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-28 20:36:58 0 d-------- C:\WINDOWS\pss
2008-06-27 19:35:03 0 d-------- C:\Documents and Settings\Sjef\Application Data\Lavasoft
2008-06-27 19:09:50 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 19:07:41 0 d-------- C:\Program Files\Spyware Doctor
2008-06-27 19:07:41 0 d-------- C:\Documents and Settings\Sjef\Application Data\PC Tools
2008-06-27 19:07:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-27 19:05:22 164 --a------ C:\install.dat
2008-06-27 19:03:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-27 19:02:34 0 d-------- C:\Program Files\Lavasoft
2008-06-27 19:00:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-06-27 18:59:49 0 d-------- C:\Temp
2008-06-27 18:44:40 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-06-27 18:44:16 0 d-------- C:\Program Files\Hitman Pro
2008-06-27 14:50:10 243744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-27 14:47:30 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-27 14:47:24 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-27 14:47:16 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-06-27 14:46:54 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-06-27 14:46:10 0 d-------- C:\WINDOWS\Internet Logs
2008-06-20 16:56:03 0 d-------- C:\Program Files\G-Mailto
2008-06-17 23:14:41 0 d-------- C:\Documents and Settings\Sjef\Downloads
2008-06-17 23:14:38 0 d-------- C:\Documents and Settings\Sjef\Application Data\NewsLeecher
2008-06-17 23:11:57 0 d-------- C:\Program Files\NewsLeecher
2008-06-17 00:44:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-17 00:44:21 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-17 00:44:21 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-17 00:44:08 0 d-------- C:\Program Files\Common Files\AOL
2008-06-17 00:42:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-17 00:41:35 0 d-------- C:\Program Files\Yahoo!
2008-06-15 16:51:16 0 d-------- C:\Program Files\WinAVI MP4 Converter


-- Find3M Report ---------------------------------------------------------------

2008-07-11 10:34:33 0 d-------- C:\Program Files\FlashGet
2008-07-10 17:46:33 0 d-------- C:\Documents and Settings\Sjef\Application Data\LimeWire
2008-07-08 14:34:44 0 d-------- C:\Program Files\Common Files
2008-06-30 00:57:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-30 00:56:58 0 d-------- C:\Documents and Settings\Sjef\Application Data\Samsung
2008-06-30 00:54:27 0 d-------- C:\Program Files\Orb Networks
2008-06-27 19:06:23 0 d-------- C:\Program Files\Webroot
2008-06-27 19:05:11 0 d-------- C:\Documents and Settings\Sjef\Application Data\Webroot
2008-06-17 23:45:58 0 d-------- C:\Documents and Settings\Sjef\Application Data\Mozilla
2008-06-13 19:38:20 0 d-------- C:\Documents and Settings\Sjef\Application Data\Real
2008-06-08 12:23:49 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 00:25:23 0 d-------- C:\Documents and Settings\Sjef\Application Data\Nokia Multimedia Player
2008-06-02 21:13:52 0 d-------- C:\Program Files\Gabest
2008-06-02 16:20:05 0 d-------- C:\Documents and Settings\Sjef\Application Data\Nokia
2008-06-02 15:49:24 0 d-------- C:\Program Files\Nokia
2008-06-02 15:49:07 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-25 19:08:53 0 d-------- C:\Documents and Settings\Sjef\Application Data\PC Suite
2008-05-25 19:03:37 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-25 19:03:29 0 d-------- C:\Program Files\DIFX
2008-05-25 19:03:25 0 d-------- C:\Program Files\PC Connectivity Solution
2008-05-25 18:59:35 0 d-------- C:\Program Files\HooTech
2008-05-24 18:20:34 0 d-------- C:\Documents and Settings\Sjef\Application Data\VanDale
2008-05-21 23:56:38 0 d-------- C:\Documents and Settings\Sjef\Application Data\uTorrent
2008-05-21 15:10:39 0 d-------- C:\Program Files\uTorrent
2008-05-15 15:20:08 0 d-------- C:\Program Files\Samsung
2008-05-12 13:01:13 0 d-------- C:\Program Files\Microsoft Encarta
2008-05-11 15:36:21 0 d-------- C:\Program Files\Extension Changer
2008-05-03 13:33:29 668 --a------ C:\Documents and Settings\Sjef\Application Data\vso_ts_preview.xml
2008-05-03 13:32:43 34 --a------ C:\Documents and Settings\Sjef\Application Data\pcouffin.log
2008-05-03 13:32:38 47360 --a------ C:\Documents and Settings\Sjef\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-03 13:32:38 1144 --a------ C:\Documents and Settings\Sjef\Application Data\pcouffin.inf
2008-05-03 13:32:38 7887 --a------ C:\Documents and Settings\Sjef\Application Data\pcouffin.cat
2008-05-03 03:13:24 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-03 01:01:43 62 --ahs---- C:\Documents and Settings\Sjef\Application Data\desktop.ini
2008-05-02 23:22:52 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-02 23:22:44 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-02 23:22:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-02 23:08:49 0 -rahs---- C:\MSDOS.SYS
2008-05-02 23:08:49 0 -rahs---- C:\IO.SYS
2008-05-02 23:08:49 0 --a------ C:\CONFIG.SYS
2008-05-02 23:08:49 0 --a------ C:\AUTOEXEC.BAT
2008-05-02 23:06:15 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-23 07:26:30 10760 --a------ C:\WINDOWS\inst.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [03/13/2008 04:48 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [12/03/2007 02:21 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [02/22/2008 05:58 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBoot]
"C:\WINDOWS\conf32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-11 13:51:46 ------------


And finally the OTMoveIt log!
Explorer killed successfully
File/Folder C:\WINDOWS\conf32.exe not found.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Sjef\LOCALS~1\Temp\Perflib_Perfdata_4f8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT009c6.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT065cc.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07142008_134225

Files moved on Reboot...
File C:\DOCUME~1\Sjef\LOCALS~1\Temp\Perflib_Perfdata_4f8.dat not found!
File C:\WINDOWS\temp\ZLT009c6.TMP not found!
File C:\WINDOWS\temp\ZLT065cc.TMP not found!

Edited by KoolAidGuy, 15 July 2008 - 08:44 AM.

  • 0

#20
emeraldnzl
Posted 15 July 2008 - 02:56 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello KoolAidGuy,

Welcome back.

Your logs look clean except for that Win32/Rbot Worm infection we need to get rid of.

OTMoveIt2 couldn't find it so we will try another approach.

Before we proceed we need to backup your Registry. Making changes to your computers registry is a dangerous proceedure and backup will allow us to recover information if necessary.

Download and install ERUNT (Emergency Recovery Utility NT) from here lars Hederer or here Snapfiles.com.

Click on ERUNT and follow the prompts to backup your registry to a location of your choosing.

Once you have backed up your registry.

Open notepad and copy/paste the text in the code below into it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"SystemBoot"=-

Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
* Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
* Double click on the file created and click Yes when asked to merge the information into the Registry

The above Registry file was written specifically for this infection on this person's computer. It should NOT to be used on another computer as it may cause serious damage causing the computer to become unusable.

Next

I assume you still have MBAM on your computer.

  • Make sure you update before you run.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Lastly

Run Deckards System Scanner again.

This time there will only be one log.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open Notepad .txt please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents in your next reply.

When you come back please post
  • MBAM report
  • DSS report


Note: Please don't use italics. I know it has a wow factor but we need to keep things standard to help the analysis process.
 :)
  • 0

#21
KoolAidGuy
Posted 16 July 2008 - 02:13 AM

KoolAidGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hey emerald!

Here are the new, all fresh logs! (not in italics :) )

DSS Log:

Deckard's System Scanner v20071014.68
Run by Sjef on 2008-07-16 10:09:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Sjef.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:22 AM, on 7/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sjef\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sjef.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1209812350046
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://62.100.53.122...sCamControl.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7412 bytes

-- Files created between 2008-06-16 and 2008-07-16 -----------------------------

2008-07-14 12:12:14 303616 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-07-11 10:38:22 0 d-------- C:\Program Files\WinPcap
2008-07-11 10:37:11 0 d-------- C:\Program Files\WMR11
2008-07-08 14:35:27 0 d-------- C:\Documents and Settings\Sjef\Application Data\TuneUp Software
2008-07-08 14:35:16 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-07-08 14:35:08 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-07-08 14:34:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 12:29:34 0 d-------- C:\Documents and Settings\Sjef\Application Data\Malwarebytes
2008-07-06 12:29:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-06 12:29:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 00:19:48 261936 -r-hs---- C:\cmldr
2008-07-03 00:19:48 4952 -ra------ C:\Bootfont.bin
2008-07-03 00:19:30 0 dr-hs---- C:\cmdcons
2008-07-03 00:19:28 0 d-------- C:\WINDOWS\setup.pss
2008-07-03 00:19:11 0 d-------- C:\WINDOWS\setupupd
2008-07-02 00:44:21 0 d-------- C:\Program Files\Trend Micro
2008-06-30 16:38:32 0 dr-h----- C:\Documents and Settings\Sjef\Recent
2008-06-30 16:36:32 0 d-------- C:\Program Files\CCleaner
2008-06-30 00:49:49 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-28 20:36:58 0 d-------- C:\WINDOWS\pss
2008-06-27 19:35:03 0 d-------- C:\Documents and Settings\Sjef\Application Data\Lavasoft
2008-06-27 19:09:50 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 19:07:41 0 d-------- C:\Program Files\Spyware Doctor
2008-06-27 19:07:41 0 d-------- C:\Documents and Settings\Sjef\Application Data\PC Tools
2008-06-27 19:07:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-27 19:05:22 164 --a------ C:\install.dat
2008-06-27 19:03:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-27 19:02:34 0 d-------- C:\Program Files\Lavasoft
2008-06-27 19:00:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-06-27 18:59:49 0 d-------- C:\Temp
2008-06-27 18:44:40 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-06-27 18:44:16 0 d-------- C:\Program Files\Hitman Pro
2008-06-27 14:50:10 1533984 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-27 14:47:30 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-27 14:47:24 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-27 14:47:16 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-06-27 14:46:54 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-06-27 14:46:10 0 d-------- C:\WINDOWS\Internet Logs
2008-06-20 16:56:03 0 d-------- C:\Program Files\G-Mailto
2008-06-17 23:14:41 0 d-------- C:\Documents and Settings\Sjef\Downloads
2008-06-17 23:14:38 0 d-------- C:\Documents and Settings\Sjef\Application Data\NewsLeecher
2008-06-17 23:11:57 0 d-------- C:\Program Files\NewsLeecher
2008-06-17 00:44:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-17 00:44:21 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-17 00:44:21 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-17 00:44:08 0 d-------- C:\Program Files\Common Files\AOL
2008-06-17 00:42:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-17 00:41:35 0 d-------- C:\Program Files\Yahoo!


-- Find3M Report ---------------------------------------------------------------

2008-07-15 10:55:13 0 d-------- C:\Documents and Settings\Sjef\Application Data\LimeWire
2008-07-14 17:06:45 0 d-------- C:\Program Files\FlashGet
2008-07-14 12:12:21 0 d-------- C:\Program Files\Rockstar Games
2008-07-14 12:12:06 0 d-------- C:\Documents and Settings\Sjef\Application Data\Vso
2008-07-14 12:12:01 668 --a------ C:\Documents and Settings\Sjef\Application Data\vso_ts_preview.xml
2008-07-08 14:34:44 0 d-------- C:\Program Files\Common Files
2008-06-30 00:57:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-30 00:56:58 0 d-------- C:\Documents and Settings\Sjef\Application Data\Samsung
2008-06-30 00:54:27 0 d-------- C:\Program Files\Orb Networks
2008-06-27 19:06:23 0 d-------- C:\Program Files\Webroot
2008-06-27 19:05:11 0 d-------- C:\Documents and Settings\Sjef\Application Data\Webroot
2008-06-17 23:45:58 0 d-------- C:\Documents and Settings\Sjef\Application Data\Mozilla
2008-06-15 16:51:17 0 d-------- C:\Program Files\WinAVI MP4 Converter
2008-06-13 19:38:20 0 d-------- C:\Documents and Settings\Sjef\Application Data\Real
2008-06-08 12:23:49 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 00:25:23 0 d-------- C:\Documents and Settings\Sjef\Application Data\Nokia Multimedia Player
2008-06-02 21:13:52 0 d-------- C:\Program Files\Gabest
2008-06-02 16:20:05 0 d-------- C:\Documents and Settings\Sjef\Application Data\Nokia
2008-06-02 15:49:24 0 d-------- C:\Program Files\Nokia
2008-06-02 15:49:07 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-25 19:08:53 0 d-------- C:\Documents and Settings\Sjef\Application Data\PC Suite
2008-05-25 19:03:37 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-25 19:03:29 0 d-------- C:\Program Files\DIFX
2008-05-25 19:03:25 0 d-------- C:\Program Files\PC Connectivity Solution
2008-05-25 18:59:35 0 d-------- C:\Program Files\HooTech
2008-05-24 18:20:34 0 d-------- C:\Documents and Settings\Sjef\Application Data\VanDale
2008-05-21 23:56:38 0 d-------- C:\Documents and Settings\Sjef\Application Data\uTorrent
2008-05-21 15:10:39 0 d-------- C:\Program Files\uTorrent
2008-05-03 13:32:43 34 --a------ C:\Documents and Settings\Sjef\Application Data\pcouffin.log
2008-05-03 13:32:38 47360 --a------ C:\Documents and Settings\Sjef\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-03 13:32:38 1144 --a------ C:\Documents and Settings\Sjef\Application Data\pcouffin.inf
2008-05-03 13:32:38 7887 --a------ C:\Documents and Settings\Sjef\Application Data\pcouffin.cat
2008-05-03 03:13:24 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-03 01:01:43 62 --ahs---- C:\Documents and Settings\Sjef\Application Data\desktop.ini
2008-05-02 23:22:52 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-02 23:22:44 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-02 23:22:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-02 23:08:49 0 -rahs---- C:\MSDOS.SYS
2008-05-02 23:08:49 0 -rahs---- C:\IO.SYS
2008-05-02 23:08:49 0 --a------ C:\CONFIG.SYS
2008-05-02 23:08:49 0 --a------ C:\AUTOEXEC.BAT
2008-05-02 23:06:15 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-23 07:26:30 10760 --a------ C:\WINDOWS\inst.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [03/13/2008 04:48 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [12/03/2007 02:21 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [02/22/2008 05:58 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBoot]
"C:\WINDOWS\conf32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-16 10:10:08 ------------







MBAM Log:

Malwarebytes' Anti-Malware 1.20
Database version: 957
Windows 5.1.2600 Service Pack 3

10:04:12 AM 7/16/2008
mbam-log-7-16-2008 (10-04-11).txt

Scan type: Quick Scan
Objects scanned: 41441
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#22
emeraldnzl
Posted 17 July 2008 - 04:40 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello KoolAidGuy,

That Registry Key sure is persistent.

Lets try using OTMoveIt2 in a different way.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBoot
purity
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next

You know the score by now. Rerun DSS. :)

When you come back please post

* OTMoveIt2 report
* DSS log
* and this time tell me how your computer is running now
  • 0

#23
KoolAidGuy
Posted 17 July 2008 - 05:14 PM

KoolAidGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hey emerald!

Once again thanks for the effort.
I will do this as soon as I get back from my holiday :) . I'm leaving in a few hours, and as I'm at a friends' house right now I won't be able to do it right now..

I'll be back at 30/7.
Is this okay with you?
Also a note to the mods: Please don't close the topic;). As soon as I'll get back I'll let you guys know :).
  • 0

#24
emeraldnzl
Posted 17 July 2008 - 05:43 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Have a good trip.

Look forward to hearing from you when you get back.

Regards
emeraldnzl
  • 0

#25
Rorschach112
Posted 21 July 2008 - 06:14 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP