Trojan and adaware popups. [RESOLVED]


This topic is locked

#1
CD8 (New Member, 7 posts)
There seems to be some sort of trojan or malware on my computer. I have used most spyware removal programs but there are still popups etc. I downloaded Malwarebytes and it found 18 infected objects, all of which I removed. Do I need to install Service Pack 2?
Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:15 PM, on 24/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AB3A53B-FB1D-413E-9CFF-5B9DCF64EED4} - C:\WINDOWS\system32\iifgEWMc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Min stor proj. - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - msindc.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://211.28.67.144...hecker_8000.cab
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://211.28.67.144...adFile_8110.cab
O20 - Winlogon Notify: iqdoiswq - iqdoiswq.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5155 bytes

Thanks

#2
Stamper19 (Expert, 1,992 posts)
Hi CD8,

Welcome to Geeks to Go!

My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point. :)

----------------------------------------------------------------

Please download Deckard's System Scanner (DSS) to your Desktop.

  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, two text files will open - Main.txt and Extra.txt

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

----------------------------------------------------------------

Information to include in your next post:
  • main.txt and extra.txt from DSS


#3
CD8 (Topic Starter, New Member, 7 posts)
EXTRA.TXT

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 1023.48 MiB / 591.43 MiB
Pagefile Memory (total/avail): 2462 MiB / 1887.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.35 MiB

C: is Fixed (NTFS) - 48.82 GiB total, 2.71 GiB free.
D: is Fixed (NTFS) - 62.96 GiB total, 0.52 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST312002 6AS SCSI Disk Device - 111.79 GiB - 2 partitions
\PARTITION0 - Extended w/Extended Int 13 - 48.82 GiB - C:
\PARTITION1 (bootable) - Installable File System - 62.96 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.526 v7.5.526 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Disabled:DNA"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Disabled:QuickTime Player"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Disabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Disabled:avgcc.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Tony\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TONY-BCDE431F26
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Tony
LOGONSERVER=\\TONY-BCDE431F26
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\Tony\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Tony\LOCALS~1\Temp
TMP=C:\DOCUME~1\Tony\LOCALS~1\Temp
USERDOMAIN=TONY-BCDE431F26
USERNAME=Tony
USERPROFILE=C:\Documents and Settings\Tony
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Tony (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BA Installer --> MsiExec.exe /I{EDA0FFC5-7964-4E2F-9014-693F04695933}
BitTorrent --> C:\Program Files\BitTorrent\uninst.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
e-tax 2008 --> C:\etax2008\e-tax 2008_uninstall.exe
Haali Media Splitter --> "C:\Program Files\Matroska Pack\haali\uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Matroska Pack --> C:\Program Files\Matroska Pack\uninstall.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{20110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
ninemsn Internet Software --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
NVIDIA nForce Utilities --> C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_SSUtilsNT 132 C:\WINDOWS\INF\nvautlml.inf
NVIDIA Windows 2000/XP nForce Drivers --> rundll32.exe C:\WINDOWS\system32\NVNFINST.DLL,NvUninstallCrush
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
VideoLAN VLC media player 0.8.6e --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5163 / Success
Event Submitted/Written: 07/24/2008 08:25:30 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5157 / Error
Event Submitted/Written: 07/24/2008 08:20:06 PM
Event ID/Source: 0 / pctsSvc.exe
Event Description:
The service process could not connect to the service controller

Event Record #/Type5154 / Success
Event Submitted/Written: 07/24/2008 05:23:14 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5132 / Success
Event Submitted/Written: 07/23/2008 01:49:54 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5106 / Error
Event Submitted/Written: 07/22/2008 02:56:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9753 / Warning
Event Submitted/Written: 07/23/2008 09:30:16 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9723 / Error
Event Submitted/Written: 07/22/2008 08:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At21.job command failed to start due to the following error:
%%2147942402

Event Record #/Type9722 / Warning
Event Submitted/Written: 07/22/2008 07:44:56 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9721 / Error
Event Submitted/Written: 07/22/2008 07:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At20.job command failed to start due to the following error:
%%2147942402

Event Record #/Type9720 / Error
Event Submitted/Written: 07/22/2008 06:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At19.job command failed to start due to the following error:
%%2147942402



-- End of Deckard's System Scanner: finished at 2008-07-24 23:29:15 ------------

MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Tony on 2008-07-24 23:27:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
72: 2008-07-24 13:27:40 UTC - RP126 - Deckard's System Scanner Restore Point
71: 2008-07-23 05:41:51 UTC - RP125 - System Checkpoint
70: 2008-07-22 04:39:03 UTC - RP124 - System Checkpoint
69: 2008-07-21 04:09:25 UTC - RP123 - System Checkpoint
68: 2008-07-20 03:59:20 UTC - RP122 - System Checkpoint


-- First Restore Point --
1: 2008-04-25 08:47:53 UTC - RP55 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.71 GiB (less than 15%) free.


-- HijackThis (run as Tony.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:43 PM, on 24/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\1rpM33tt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tony\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Tony.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AB3A53B-FB1D-413E-9CFF-5B9DCF64EED4} - C:\WINDOWS\system32\iifgEWMc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Min stor proj. - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - msindc.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://211.28.67.144...hecker_8000.cab
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://211.28.67.144...adFile_8110.cab
O20 - Winlogon Notify: iqdoiswq - iqdoiswq.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5097 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_01\4&3B1D9AB8&0&5840
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_01\4&3B1D9AB8&0&5840
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_10B7&DEV_9201&SUBSYS_80AB1043&REV_40\4&35344E25&0&0860
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_10B7&DEV_9201&SUBSYS_80AB1043&REV_40\4&35344E25&0&0860
Service:

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\4&33BC18FA&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\4&33BC18FA&0&0
Service: flpydisk


-- Scheduled Tasks -------------------------------------------------------------

2008-07-24 23:00:10 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-07-24 23:00:01 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-07-24 22:00:10 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-07-24 22:00:02 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-07-24 21:00:01 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-07-24 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-07-24 20:23:34 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-07-24 20:00:01 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-07-24 19:50:53 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-07-24 19:00:10 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-07-24 19:00:01 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-07-24 18:00:01 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-07-24 17:22:30 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-07-24 02:00:10 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-07-24 02:00:02 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-07-24 01:00:10 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-07-24 01:00:01 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-07-24 00:26:01 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-07-23 17:00:10 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-07-23 17:00:01 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-07-23 16:00:10 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-07-23 16:00:01 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-07-23 15:00:10 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-07-23 15:00:01 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-07-23 14:00:01 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-07-19 13:00:01 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-07-19 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-07-19 12:00:01 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-07-19 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-07-19 10:00:01 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-07-19 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-07-13 03:00:01 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-07-13 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-07-08 04:00:01 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-07-08 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-07-04 05:00:01 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-07-04 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-07-03 11:00:01 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-07-03 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-07-03 09:00:02 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-07-03 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-07-03 08:00:01 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-07-03 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-07-03 07:00:01 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-07-03 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-07-03 06:00:01 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-07-03 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job


-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-24 20:27:07 0 d-------- C:\Program Files\Trend Micro
2008-07-24 20:05:02 0 d-------- C:\Documents and Settings\Tony\Application Data\Malwarebytes
2008-07-24 20:04:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 20:04:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 20:04:40 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-22 20:11:41 35842 --a------ C:\WINDOWS\system32\1rpM33tt.exe
2008-07-17 21:32:25 0 d-------- C:\etax2008
2008-07-14 18:23:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-14 18:23:08 0 d-------- C:\Documents and Settings\Tony\Application Data\Mozilla
2008-07-13 18:13:15 0 d-------- C:\Program Files\QuickTime
2008-07-12 15:10:40 32256 --a------ C:\WINDOWS\system32\qf6rxF6J.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-07-06 03:00:42 0 d-------- C:\Program Files\MSXML 4.0
2008-07-06 02:21:51 0 d-------- C:\Documents and Settings\Tony\Application Data\Help
2008-07-05 21:07:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-05 20:28:48 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-05 20:28:46 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-05 20:24:07 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-03 14:00:21 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-07-03 14:00:21 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-03 14:00:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites <FAVORI~1>
2008-07-02 19:47:56 29760 --a------ C:\WINDOWS\system32\X73w7ADE.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-24 20:04:40 0 d-------- C:\Program Files\Common Files
2008-07-24 17:22:59 0 d-------- C:\Documents and Settings\Tony\Application Data\AVG7
2008-07-21 21:36:46 0 d-------- C:\Documents and Settings\Tony\Application Data\LimeWire
2008-07-20 22:54:14 0 d-------- C:\Documents and Settings\Tony\Application Data\BitTorrent
2008-07-18 17:15:57 0 d-------- C:\Program Files\Bonjour
2008-07-06 03:06:42 0 d-------- C:\Program Files\Messenger
2008-06-03 01:32:44 0 d-------- C:\Program Files\BitTorrent
2008-06-03 01:05:31 0 d-------- C:\Program Files\Matroska Pack
2008-06-03 00:54:31 0 d-------- C:\Documents and Settings\Tony\Application Data\Media Player Classic
2008-06-03 00:36:58 0 d-------- C:\Program Files\Movkit
2008-06-01 21:01:31 0 d-------- C:\Program Files\Java
2008-05-30 14:59:02 0 d-------- C:\Documents and Settings\Tony\Application Data\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AB3A53B-FB1D-413E-9CFF-5B9DCF64EED4}]
C:\WINDOWS\system32\iifgEWMc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-D71D-41e4-A699-F506DBD097F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 08:32 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 08:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 08:32 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
"nForce Tray Options"="sstray.exe" [13/11/2002 02:34 PM C:\WINDOWS\system32\sstray.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [26/03/2008 11:39 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 01:10 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [28/06/2008 02:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 11:13 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 10:56 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 11:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdoiswq]
iqdoiswq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifgEWMc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc1053fa-f585-11dc-a210-000c6ec35b1b}]
Auto\command- G:\qeyxuht.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL qeyxuht.exe




-- End of Deckard's System Scanner: finished at 2008-07-24 23:29:15 ------------
  • 0

#4
Stamper19

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi CD8,

Before we get down to business, please take note that one of the infections on your machine is designed to steal information, such as passwords. Hence, you should refrain from using this machine to do anything that involves sensitive information, such as banking or bill pay, until we get everything cleaned up. Additionally, I strongly advise that you change any passwords or such that you may have previously used from this computer, as they might be compromised.

Next, I see that you are running, or have previously installed, BitTorrent and LimeWire. Although these applications are not malware themselves, the files downloaded with them are often a major source of infection. Hence, I strongly advise that they be removed. If you choose to do so, go to the Add/Remove Programs option in the Control Panel, and Uninstall BitTorrent and LimeWire.

----------------------------------------------------------------

We need to fix some file associations

Please go to Start > Run. In the box that appears, carefully copy and paste the following:

"%Userprofile%\Desktop\dss.exe" /daft

Accept the disclaimer, and click the "Scan" button. Place a checkmark next to everything that appears and press "Fix". Afterwards, close the window.

----------------------------------------------------------------

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

----------------------------------------------------------------

Information to include in your next post:
  • ComboFix Log

  • 0

#5
CD8

CD8

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hey thanks for your help so far.
Does that mean I can't use BitTorrent to download stuff anymore?

Combo log
ComboFix 08-07-23.5 - Tony 2008-07-25 0:31:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.534 [GMT 10:00]
Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cjhwcnhq.ini
C:\WINDOWS\system32\cMWEgfii.ini
C:\WINDOWS\system32\cMWEgfii.ini2
C:\WINDOWS\system32\duis.txt

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-24 23:27 . 2008-07-24 23:27 <DIR> d-------- C:\Deckard
2008-07-24 20:27 . 2008-07-24 20:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 20:05 . 2008-07-24 20:05 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Malwarebytes
2008-07-24 20:05 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 20:04 . 2008-07-24 20:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 20:04 . 2008-07-24 20:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-24 20:04 . 2008-07-24 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 20:04 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 20:11 . 2008-07-24 18:19 35,842 --a------ C:\WINDOWS\system32\1rpM33tt.exe_
2008-07-22 20:11 . 2008-07-24 23:13 35,842 --a------ C:\WINDOWS\system32\1rpM33tt.exe
2008-07-17 21:32 . 2008-07-19 16:48 <DIR> d-------- C:\etax2008
2008-07-14 18:23 . 2008-07-14 18:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-13 18:14 . 2008-07-25 00:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-13 18:14 . 2008-07-13 18:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-13 18:13 . 2008-07-13 18:13 <DIR> d-------- C:\Program Files\QuickTime
2008-07-12 15:10 . 2008-07-12 15:10 32,256 --a------ C:\WINDOWS\system32\qf6rxF6J.dll
2008-07-06 03:00 . 2008-07-06 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-05 20:46 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-05 20:46 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-05 20:28 . 2008-07-24 17:24 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-05 20:28 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-03 11:12 . 2008-07-03 11:12 0 --a------ C:\WINDOWS\system32\1rpM33tt.exe.a_a
2008-07-02 19:47 . 2008-07-02 19:47 29,760 --a------ C:\WINDOWS\system32\X73w7ADE.exe
2008-07-02 19:47 . 2008-07-02 19:47 0 --a------ C:\WINDOWS\system32\X73w7ADE.exe.a_a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 14:26 --------- d-----w C:\Program Files\BitTorrent
2008-07-24 10:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-24 07:22 --------- d-----w C:\Documents and Settings\Tony\Application Data\AVG7
2008-07-21 11:36 --------- d-----w C:\Documents and Settings\Tony\Application Data\LimeWire
2008-07-20 12:54 --------- d-----w C:\Documents and Settings\Tony\Application Data\BitTorrent
2008-07-18 07:15 --------- d-----w C:\Program Files\Bonjour
2008-06-02 15:05 --------- d-----w C:\Program Files\Matroska Pack
2008-06-02 14:54 --------- d-----w C:\Documents and Settings\Tony\Application Data\Media Player Classic
2008-06-02 14:36 --------- d-----w C:\Program Files\Movkit
2008-06-01 11:01 --------- d-----w C:\Program Files\Java
2008-02-18 04:07 16,825 ----a-w C:\Program Files\Readme.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 20:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 23:39 185896]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 14:51 580096]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"nForce Tray Options"="sstray.exe" [2002-11-13 14:34 73728 C:\WINDOWS\system32\sstray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-07 19:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll
"vidc.GEOV"= C:\WINDOWS\system32\GeoCodec.dll
"vidc.GMP4"= C:\WINDOWS\system32\GXAMP4.dll
"vidc.GM40"= C:\WINDOWS\system32\GXAMP4.dll
"msacm.geoadpcm"= C:\WINDOWS\system32\GeoADPCM.acm
"vidc.G264"= C:\WINDOWS\system32\GX264.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-05-20 21:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc1053fa-f585-11dc-a210-000c6ec35b1b}]
\Shell\Auto\command - G:\qeyxuht.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL qeyxuht.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 23:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-19 00:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-03 01:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-19 02:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-19 03:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 07:22:30 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 05:00:10 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 06:00:10 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 07:00:10 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 09:50:53 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 15:00:10 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 09:00:10 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 10:23:34 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 14:34:38 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 12:00:10 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 13:00:10 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 14:26:01 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 15:00:01 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 16:00:02 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-12 17:00:01 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-07 18:00:01 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 16:00:10 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-03 19:00:01 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-02 20:00:01 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-02 21:00:01 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-02 22:00:01 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-02 23:00:02 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-19 00:00:01 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-03 01:00:01 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-19 02:00:01 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-19 03:00:01 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 04:00:01 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-12 17:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 05:00:01 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 06:00:01 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 07:00:01 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 08:00:01 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 09:00:01 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 10:00:01 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 11:00:01 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 12:00:02 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 13:00:01 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-07 18:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-03 19:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-02 20:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-02 21:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-02 22:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\1rpM33tt.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{6AB3A53B-FB1D-413E-9CFF-5B9DCF64EED4} - C:\WINDOWS\system32\iifgEWMc.dll
Notify-iqdoiswq - iqdoiswq.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.au/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Office Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://211.28.67.144:81/cab/OCXChecker_8000.cab
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker.inf
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker_8000.ocx

O16 -: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://211.28.67.144:81/cab/DownloadFile_8110.cab
C:\WINDOWS\Downloaded Program Files\Download.inf
C:\WINDOWS\Downloaded Program Files\Download_8110.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 00:34:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-25 0:36:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 14:36:38

Pre-Run: 2,842,136,576 bytes free
Post-Run: 3,174,387,712 bytes free

239 --- E O F --- 2008-07-14 12:19:13

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:48 AM, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://211.28.67.144...hecker_8000.cab
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://211.28.67.144...adFile_8110.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5231 bytes
  • 0

#6
Stamper19

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi CD8,

Happy to help out :)

As for BitTorrent and LimeWire, it is completely up to you whether you ultimately use them or not. As I have already stated, I am strongly against their use, but the decision lies with you ultimately.

Peer to Peer (P2P) programs enable you to connect with other computers to download files. These are often files such as music, games or movies to name a few. Using P2P programs is quite often the cause of computers becoming infected. It is not necessarily the P2P program that is infected but the file or files that are being downloaded that are. Then there also is the legal aspect of the sharing of certain files (i.e. copyright).

Sure, a lot of the files that are downloaded are legitimate, but how do you know if one is or isn't? The filename may indicate what you think you are downloading, but what happens when the file isn't the song, game or movie you thought it was? I am sure that almost everyone who has used P2P programs has discovered at some point that what they downloaded wasn't really the file that they expected.

Sometimes it's harmless, it just may be a case of the wrong filename. Other times you can get a lot more than what you bargained for. Many of the files that you think are safe when you download them can actually have viruses, trojans or malware of some type attached to or embedded into the file.

----------------------------------------------------------------

Please submit the following files for analysis.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\WINDOWS\system32\1rpM33tt.exe
    • C:\WINDOWS\system32\X73w7ADE.exe
  • Click on the submit button
  • Please post the results in your next reply.

Please note that if you are submitting more than one file they will have to be entered one at a time.

----------------------------------------------------------------

Information to include in your next post:
  • Jotti Logs (should be 2 of them)

  • 0

#7
CD8

CD8

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
1rpm file:

File: 1rpM33tt.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 394c1d958e83e942c4c21a4ad227e539
Packers detected:
-
Scan taken on 24 Jul 2008 16:50:32 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.ULPM.Gen
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found Generic10.BGUV
BitDefender
Found Trojan.Adclicker.HB
ClamAV
Found nothing
CPsecure
Found Troj.Downloader.W32.Agent.wzg
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-Downloader.Win32.Agent.wzg
Fortinet
Found PossibleThreat
Ikarus
Found Trojan-Downloader.Win32.Agent.vvi
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.wzg
NOD32
Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control
Found W32/Agent.GPGQ
Panda Antivirus
Found nothing
Sophos Antivirus
Found Mal/HckPk-A
VirusBuster
Found nothing
VBA32
Found nothing

File: X73w7ADE.exe
Status:
INFECTED/MALWARE
MD5: a28d9a0da49a99d7fcf52e6209e1c81e
Packers detected:
-
Scan taken on 24 Jul 2008 16:54:55 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.ULPM.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Downloader.Firu.G
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Packed.418
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-Downloader:W32/Firu.GS
Fortinet
Found nothing
Ikarus
Found Trojan-Downloader.Firu.C
Kaspersky Anti-Virus
Found nothing
NOD32
Found a variant of Win32/TrojanDownloader.Firu
Norman Virus Control
Found W32/DLoader.HZLI
Panda Antivirus
Found Trj/Downloader.TZS
Sophos Antivirus
Found Mal/HckPk-A
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.Win32.Firu.el

ta
  • 0

#8
Stamper19

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi CD8,

Both baddies, as I suspected. Let's nuke 'em.

----------------------------------------------------------------

We are going to use ComboFix to delete some things.

  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\WINDOWS\system32\1rpM33tt.exe_
C:\WINDOWS\system32\1rpM33tt.exe
C:\WINDOWS\system32\qf6rxF6J.dll
C:\WINDOWS\system32\1rpM33tt.exe.a_a
C:\WINDOWS\system32\X73w7ADE.exe
C:\WINDOWS\system32\X73w7ADE.exe.a_a
G:\qeyxuht.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc1053fa-f585-11dc-a210-000c6ec35b1b}]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

----------------------------------------------------------------

Please clean out your temp files.

Please download ATF Cleaner by Atribune.
  • This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
----------------------------------------------------------------

Information to include in your next post:
  • ComboFix Log
  • Kaspersky Log

Edited by Stamper19, 24 July 2008 - 11:29 AM.

  • 0
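As an added example (not from this thread, and not ComboFix's or Jotti's own code): a small Python triage parser that pulls the scheduled-task targets and the MountPoints2 autorun commands out of a ComboFix log in the format posted above, flags the random-named system32 binaries behind the At*.job entries, and renders them in the File::/Registry:: layout of the CFScript. The section markers, job names, paths and registry key are taken from the log in this thread; the "random name" heuristic and all function names are my own assumptions, and anything it flags still needs confirming with a scanner, as was done here via Jotti.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix log posted in this thread (only the lines
# the parser needs); job names, paths and the registry key are those in the log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc1053fa-f585-11dc-a210-000c6ec35b1b}]
\Shell\Auto\command - G:\qeyxuht.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL qeyxuht.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 23:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-19 00:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 14:26:01 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\X73w7ADE.exe
.
- - - - ORPHANS REMOVED - - - -
"""

# ComboFix prints each task as a quoted "timestamp path.job" line followed by a
# "- target" line; MountPoints2 keys are followed by \Shell\<verb>\command lines.
TASK_RE = re.compile(r'^"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<job>.+\.job)"$')
TARGET_RE = re.compile(r'^- (?P<target>.+)$')
MP_KEY_RE = re.compile(r'^\[(?P<key>HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$', re.I)
MP_CMD_RE = re.compile(r'^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$')


def parse_scheduled_tasks(log: str) -> dict:
    """Map each scheduled-task target executable to the At*.job files that run it."""
    targets = defaultdict(list)
    in_section = False
    pending_job = None
    for line in log.splitlines():
        line = line.rstrip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":  # ComboFix separates sections with a lone dot
            break
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group("job").rsplit("\\", 1)[-1]
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            targets[m.group("target")].append(pending_job)
            pending_job = None
    return dict(targets)


def parse_mountpoints(log: str) -> list:
    """Collect (registry key, verb, command) for MountPoints2 autorun handlers.

    Windows records these from the autorun.inf of removable media; an Auto or
    AutoRun command pointing at an .exe on a drive letter is the autorun pattern
    seen in the thread's log (the qeyxuht.exe entry for drive G:)."""
    entries = []
    current_key = None
    for line in log.splitlines():
        line = line.strip()
        m = MP_KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = MP_CMD_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group("verb"), m.group("cmd")))
        else:
            current_key = None  # any other line ends the key block
    return entries


def looks_suspicious(path: str) -> bool:
    """Triage heuristic (an assumption of this example, not a rule from the thread):
    an 8-character stem mixing digits, upper and lower case, living in system32,
    i.e. the naming pattern of 1rpM33tt.exe and X73w7ADE.exe. Legitimate names
    can match too, so treat hits as candidates to verify, not verdicts."""
    stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
    mixed = (any(c.isdigit() for c in stem) and any(c.isupper() for c in stem)
             and any(c.islower() for c in stem))
    return "\\system32\\" in path.lower() and len(stem) == 8 and stem.isalnum() and mixed


def build_cfscript(files, keys) -> str:
    """Render the File:: / Registry:: layout ComboFix accepts (the CFScript.txt
    format shown in the thread); keys are prefixed with '-' to request deletion."""
    lines = ["File::", *files, "", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines) + "\n"


def triage(log: str) -> dict:
    """Run both parsers and assemble the candidate list plus a draft CFScript."""
    tasks = parse_scheduled_tasks(log)
    mounts = parse_mountpoints(log)
    suspect_files = sorted(t for t in tasks if looks_suspicious(t))
    for _key, verb, cmd in mounts:
        # A bare "<drive>:\<name>.exe" as the Auto/AutoRun handler is the autorun
        # dropper; the RunDLL32 form (with arguments) is skipped here.
        if verb.lower() in ("auto", "autorun") and re.fullmatch(r"[A-Z]:\\\S+\.exe", cmd, re.I):
            suspect_files.append(cmd)
    keys = sorted({k for k, _v, _c in mounts})
    return {"task_targets": tasks, "mountpoints": mounts,
            "suspect_files": suspect_files, "cfscript": build_cfscript(suspect_files, keys)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for target, jobs in result["task_targets"].items():
        print(f"{target}: {len(jobs)} job(s) {jobs}")
    print(result["cfscript"])
```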

#9
CD8

CD8

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
COMBO LOG:

ComboFix 08-07-23.5 - Tony 2008-07-25 10:45:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.608 [GMT 10:00]
Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tony\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\1rpM33tt.exe
C:\WINDOWS\system32\1rpM33tt.exe.a_a
C:\WINDOWS\system32\1rpM33tt.exe_
C:\WINDOWS\system32\qf6rxF6J.dll
C:\WINDOWS\system32\X73w7ADE.exe
C:\WINDOWS\system32\X73w7ADE.exe.a_a
G:\qeyxuht.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\1rpM33tt.exe
C:\WINDOWS\system32\1rpM33tt.exe.a_a
C:\WINDOWS\system32\qf6rxF6J.dll
C:\WINDOWS\system32\X73w7ADE.exe
C:\WINDOWS\system32\X73w7ADE.exe.a_a

.
((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-25 10:44 . 2008-07-25 10:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-24 23:27 . 2008-07-24 23:27 <DIR> d-------- C:\Deckard
2008-07-24 20:27 . 2008-07-24 20:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 20:05 . 2008-07-24 20:05 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Malwarebytes
2008-07-24 20:05 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 20:04 . 2008-07-24 20:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 20:04 . 2008-07-24 20:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-24 20:04 . 2008-07-24 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 20:04 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-17 21:32 . 2008-07-19 16:48 <DIR> d-------- C:\etax2008
2008-07-14 18:23 . 2008-07-14 18:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-13 18:14 . 2008-07-25 10:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-13 18:14 . 2008-07-13 18:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-13 18:13 . 2008-07-13 18:13 <DIR> d-------- C:\Program Files\QuickTime
2008-07-06 03:00 . 2008-07-06 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-05 20:46 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-05 20:46 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-05 20:28 . 2008-07-24 17:24 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-05 20:28 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 00:42 --------- d-----w C:\Documents and Settings\Tony\Application Data\AVG7
2008-07-24 14:26 --------- d-----w C:\Program Files\BitTorrent
2008-07-24 10:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-21 11:36 --------- d-----w C:\Documents and Settings\Tony\Application Data\LimeWire
2008-07-20 12:54 --------- d-----w C:\Documents and Settings\Tony\Application Data\BitTorrent
2008-07-18 07:15 --------- d-----w C:\Program Files\Bonjour
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\SET7.tmp
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\SET8.tmp
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-02 15:05 --------- d-----w C:\Program Files\Matroska Pack
2008-06-02 14:54 --------- d-----w C:\Documents and Settings\Tony\Application Data\Media Player Classic
2008-06-02 14:36 --------- d-----w C:\Program Files\Movkit
2008-06-01 11:01 --------- d-----w C:\Program Files\Java
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-18 04:07 16,825 ----a-w C:\Program Files\Readme.txt
.

((((((((((((((((((((((((((((( snapshot@2008-07-25_ 0.36.20.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\6to4svc.dll
+ 2008-06-20 10:44:08 138,368 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\dnsapi.dll
+ 2008-06-20 17:36:11 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
+ 2008-06-20 10:44:42 360,960 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
+ 2008-06-20 09:32:39 225,920 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip6.sys
+ 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
+ 2008-06-20 17:46:57 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
+ 2008-06-20 11:51:12 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
+ 2008-06-20 11:08:27 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip6.sys
+ 2008-06-20 11:48:03 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
- 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 20:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 23:39 185896]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 14:51 580096]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"nForce Tray Options"="sstray.exe" [2002-11-13 14:34 73728 C:\WINDOWS\system32\sstray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-07 19:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll
"vidc.GEOV"= C:\WINDOWS\system32\GeoCodec.dll
"vidc.GMP4"= C:\WINDOWS\system32\GXAMP4.dll
"vidc.GM40"= C:\WINDOWS\system32\GXAMP4.dll
"msacm.geoadpcm"= C:\WINDOWS\system32\GeoADPCM.acm
"vidc.G264"= C:\WINDOWS\system32\GX264.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-05-20 21:38]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 23:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-19 00:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-03 01:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-19 02:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-19 03:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 07:22:30 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 05:00:10 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 06:00:10 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 07:00:10 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 09:50:53 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 15:29:30 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 09:00:10 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 10:23:34 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 14:34:38 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 12:00:10 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 13:00:10 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 14:26:01 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 15:00:02 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 16:00:01 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-12 17:00:01 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-07 18:00:01 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 16:21:28 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-03 19:00:01 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-02 20:00:01 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-02 21:00:01 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-02 22:00:01 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-02 23:00:02 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-19 00:00:01 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-03 01:00:01 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-19 02:00:01 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-19 03:00:01 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 04:00:01 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-12 17:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-23 05:00:01 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 06:00:01 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-23 07:00:01 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 08:00:01 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 09:00:01 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 10:00:01 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 11:00:01 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 12:00:02 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 13:00:01 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-07 18:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-03 19:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-02 20:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-02 21:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-02 22:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\1rpM33tt.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 10:46:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-25 10:47:39
ComboFix-quarantined-files.txt 2008-07-25 00:47:33
ComboFix2.txt 2008-07-24 14:36:42

Pre-Run: 3,148,070,912 bytes free
Post-Run: 3,151,446,016 bytes free

248 --- E O F --- 2008-07-25 00:44:28

KASPERSKY LOG:

File name / Threat name / Threats count
C:\Deckard\System Scanner\20080725002748\backup\DOCUME~1\Tony\LOCALS~1\Temp\DRDld\mbam-setup.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1

I tried doing a full system scan but after 6 hours it was only at 10% and found 1 infected file during that process. I did a critical area scan and that came up with nothing.
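The scheduled-tasks section of the ComboFix log above is the most telling part of it: dozens of At<N>.job entries, each launching one of two random-looking executables in system32. Below is an added example (not part of the original thread and not ComboFix's own code) that parses that section and applies the checks a responder would make: which targets are run by at.exe-created jobs (which the Task Scheduler service runs as SYSTEM, not as the logged-on user), which targets sit in system32 under a random-looking name, and which targets are hit by more than one job. The log excerpt is constructed from a few of the entries above plus one benign job added as a control; the random-name heuristic is an assumption of this example, not a rule ComboFix applies.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix "Scheduled Tasks" section above
# (a few of the At*.job entries plus one benign job that is NOT in the original
# log, added as a control). Each job line is followed by a "- <target>" line.
SAMPLE_TASKS = r'''
Contents of the 'Scheduled Tasks' folder
"2008-07-02 23:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-19 00:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\1rpM33tt.exe
"2008-07-24 14:26:01 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-24 15:00:02 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\X73w7ADE.exe
"2008-07-20 12:00:00 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job"
- C:\Program Files\Google\Update\GoogleUpdate.exe
.
'''

JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?\.job)"$')
TARGET_RE = re.compile(r'^- (.+)$')


def parse_scheduled_tasks(text):
    """Return a list of (job_path, target_path) pairs from the ComboFix section."""
    tasks = []
    pending = None
    for line in text.splitlines():
        m = JOB_RE.match(line.strip())
        if m:
            pending = m.group(2)
            continue
        m = TARGET_RE.match(line.strip())
        if m and pending:
            tasks.append((pending, m.group(1)))
            pending = None
    return tasks


def looks_random(filename):
    """Heuristic (an assumption of this example): an 8+ character stem that
    mixes digits, lower-case and upper-case letters, like 1rpM33tt or X73w7ADE."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 8
            and re.search(r"\d", stem) is not None
            and re.search(r"[a-z]", stem) is not None
            and re.search(r"[A-Z]", stem) is not None)


def triage(tasks):
    """Group jobs by target and attach the indicators a responder looks for."""
    report = defaultdict(lambda: {"jobs": [], "flags": set()})
    for job, target in tasks:
        entry = report[target]
        entry["jobs"].append(job)
        job_name = job.rsplit("\\", 1)[-1]
        target_name = target.rsplit("\\", 1)[-1]
        # At<N>.job files are created by at.exe and run as SYSTEM, not as the user
        if re.fullmatch(r"At\d+\.job", job_name, re.IGNORECASE):
            entry["flags"].add("at-job")
        # A random-looking binary dropped into system32 is a classic dropper pattern
        if "\\system32\\" in target.lower() and looks_random(target_name):
            entry["flags"].add("random-name-in-system32")
    for entry in report.values():
        if len(entry["jobs"]) > 1:
            entry["flags"].add("repeated-target")
    return dict(report)


if __name__ == "__main__":
    for target, info in triage(parse_scheduled_tasks(SAMPLE_TASKS)).items():
        print(f"{target}: {len(info['jobs'])} job(s) {sorted(info['flags'])}")
```

Run against the full section above, both 1rpM33tt.exe and X73w7ADE.exe collect all three flags, while a normal vendor updater task collects none; that separation is what tells a responder which tasks to delete along with the binaries.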

#10 Stamper19 (Expert, 1,992 posts)
We need to see if anything else is hiding out, so since Kaspersky didn't work so well we'll try another scan. Do note, however, that these scans can take quite a while to complete.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#11 CD8 (Topic Starter, New Member, 7 posts)
;*******************************************************************************************
ANALYSIS: 2008-07-25 23:39:25
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 0
;*******************************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================================
AVG 7.5.526 7.5.526 Yes Yes
;===========================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@atdmt[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@statcounter[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\[email protected][2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@overture[1].txt
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP127\A0015790.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP127\A0015781.sys
03093293 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP102\A0012334.exe
03093293 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP116\A0015291.exe
03093293 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP116\A0015292.exe
03093293 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP116\A0015293.exe
03093293 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP116\A0015294.exe
03173558 Trj/BHO.BF Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20080725002748\backup\WINDOWS\temp\NLv5cdi7.exe
03262459 Generic Trojan Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20080725002748\backup\WINDOWS\temp\5jDxbYE0.exe
03363395 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP125\A0015733.exe
03363395 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP124\A0015612.exe
03363395 Generic Malware Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\1rpM33tt.exe.vir
03363395 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP127\A0015820.exe
03363395 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP129\A0015845.exe
03363395 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP125\A0015648.exe
;===========================================================================================
SUSPECTS
Sent Location m
;===========================================================================================
;===========================================================================================
VULNERABILITIES
Id Severity Description m
;===========================================================================================
182048 HIGH MS07-069 m
182043 HIGH MS07-064 m
176382 HIGH MS07-057 m
170907 HIGH MS07-046 m
170906 HIGH MS07-045 m
170904 HIGH MS07-043 m
164913 HIGH MS07-033 m
160623 HIGH MS07-027 m
150253 HIGH MS07-016 m
141030 HIGH MS06-072 m
137568 HIGH MS06-067 m
129976 MEDIUM MS06-052 m
126083 HIGH MS06-042 m
120814 HIGH MS06-021 m
114664 HIGH MS06-013 m
93394 HIGH MS05-050 m
;===========================================================================================
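Panda's report above lists every detection with its location, and the location is what decides whether a hit matters: tracking cookies, files inside System Restore points (System Volume Information\_restore...) and files already sitting in ComboFix's QooBox quarantine or Deckard's backup folder are inert until something restores them, while a detection anywhere else is on the live file system. The VULNERABILITIES section is a separate matter: a list of Microsoft security bulletins whose patches are not installed, which Windows Update would supply. The following is an added example, not part of the thread and not Panda's own tooling, that parses a constructed excerpt of the report (a few of the rows above) and sorts detections by that location class, also pulling out the missing bulletin IDs.

```python
import re

# Constructed excerpt modelled on the Panda ActiveScan report above: a handful
# of the MALWARE and VULNERABILITIES rows, not the complete report.
SAMPLE_REPORT = r'''
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Tony\Cookies\tony@doubleclick[1].txt
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP127\A0015790.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{02EFBB5B-C0E8-4B6D-88B9-071099E41656}\RP127\A0015781.sys
03173558 Trj/BHO.BF Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20080725002748\backup\WINDOWS\temp\NLv5cdi7.exe
03363395 Generic Malware Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\1rpM33tt.exe.vir
SUSPECTS
Sent Location
VULNERABILITIES
Id Severity Description
182048 HIGH MS07-069
129976 MEDIUM MS06-052
93394 HIGH MS05-050
'''

# Column layout of a MALWARE row: the description may contain spaces, the
# type token does not, so the non-greedy description stops at the right place.
ROW_RE = re.compile(
    r'^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) '
    r'(?P<severity>\d+) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<location>.+)$')
VULN_RE = re.compile(r'^(?P<id>\d+) (?P<severity>HIGH|MEDIUM|LOW) (?P<bulletin>MS\d{2}-\d{3})\b')

# Where a detection lives decides what it means for the running system.
LOCATION_CLASSES = (
    ("tracking-cookie", r'\\Cookies\\'),
    ("restore-point", r'\\System Volume Information\\_restore'),
    ("tool-quarantine", r'\\QooBox\\Quarantine\\|\\Deckard\\System Scanner\\.*\\backup\\'),
)


def classify_location(path):
    for label, pattern in LOCATION_CLASSES:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return "live"   # anything else is on the live file system and needs action


def parse_report(text):
    """Return (detections, bulletins): parsed MALWARE rows and missing MS bulletins."""
    detections, bulletins = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["active"] = row["active"] == "Yes"   # running in memory at scan time?
            row["class"] = classify_location(row["location"])
            detections.append(row)
            continue
        m = VULN_RE.match(line)
        if m:
            bulletins.append((m.group("bulletin"), m.group("severity")))
    return detections, bulletins


def summarize(detections):
    """Count detections per location class."""
    counts = {}
    for d in detections:
        counts[d["class"]] = counts.get(d["class"], 0) + 1
    return counts


if __name__ == "__main__":
    found, missing = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for bulletin, sev in missing:
        print(f"missing patch {bulletin} ({sev})")
```

On the full report above every row classifies as cookie, restore point or tool quarantine and none is marked Active, which is the basis for treating the machine as clean once System Restore is reset and the tools are uninstalled; any row that came back as "live" would be a reason to keep going. The bulletin list is the argument for the Windows Update step that follows.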

#12 Stamper19 (Expert, 1,992 posts)
Hi CD8,

Looking good - all the scan turned up was some cookies and items in System Restore. They are harmless, but we will clear them out in the course of wrapping things up.

Congrats - your logs are all clean :)

There are still a couple of things you should do for the sake of cleaning up.

---------------------------------------------------------------

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
----------------------------------------------------------------

Otherwise, unless you have any questions, you are all set. Included below are some tips for keeping your computer malware free in the future.

Cheers,
Stamper :)

----------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

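The Internet Explorer settings in the reply above are stored per zone as numbered DWORD actions under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (the Internet zone), which is what the Custom Level dialog edits. The example below is added here and is not part of the thread: it audits a .reg export of that key against the six values the reply asks for and emits a corrected .reg file that applies them. The action IDs (1001, 1004, 1201, 1607, 1800, 1804) and the value encoding (0 = Enable, 1 = Prompt, 3 = Disable) are taken from Microsoft's published zone-registry mapping, and the weak export is constructed for the example, not taken from this machine.

```python
import re

# Action IDs and value encoding from Microsoft's documented Internet Explorer
# zone registry layout (Zones\3 is the Internet zone; 0 = Enable, 1 = Prompt,
# 3 = Disable). Assumed here from that documentation, not quoted from the post.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# The six settings the reply asks for, mapped to their action IDs.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed .reg export of a weak Internet zone (every action still Enabled).
WEAK_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000
"1607"=dword:00000000
"1800"=dword:00000000
"1804"=dword:00000000
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def read_zone(reg_text, zone_key=ZONE_KEY):
    """Return {action_id: int_value} for the given zone section of a .reg export."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            in_zone = m.group(1).lower() == zone_key.lower()
            continue
        m = DWORD_RE.match(line)
        if in_zone and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(reg_text):
    """List (action_id, name, current, recommended) for each non-compliant setting.
    A value missing from the export means IE is using its built-in default, which
    is reported as a finding rather than assumed to be safe."""
    current = read_zone(reg_text)
    findings = []
    for action_id, (name, wanted) in RECOMMENDED.items():
        have = current.get(action_id)
        if have != wanted:
            findings.append((action_id, name, have, wanted))
    return findings


def hardened_reg():
    """Emit a .reg file that applies the recommended values to the Internet zone."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for action_id, (name, wanted) in sorted(RECOMMENDED.items()):
        lines.append(f"; {name}")          # ';' lines are comments in .reg files
        lines.append(f'"{action_id}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for action_id, name, have, want in audit(WEAK_EXPORT):
        print(f"{action_id} {name}: is {have}, should be {want}")
    print(hardened_reg())
```

To use it on a real machine, export the Zones\3 key from regedit, run audit() over the file, and import the output of hardened_reg() (or make the same changes through the Custom Level dialog); re-exporting and auditing again should then return no findings. Group Policy or a later IE "reset" can put the values back, so the audit is worth repeating rather than running once.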

#13 CD8 (Topic Starter, New Member, 7 posts)
thanks for your help :)

#14 Stamper19 (Expert, 1,992 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





