Suspected trojan- need help identifying nasties please! [RESOLVED]

#1 emilyb (Member, 16 posts)

Hello all,
I think I have a virus. My computer suddenly stopped working (won't go online and it's not my connection as I'm using a laptop now, also when I reboot I just get a blank desktop for ages), so I ran an AVG scan in safe mode and it picked up 9 bugs, 2 of which were possible browser hijacks. So I deleted all that but still no joy. So I looked at the task manager and there was nothing suspicious to my untrained eye apart from 8 instances of svchost.exe. So I searched for these in the C drive and found one called svchost.exe - 13D45DD3.pf in the Prefetch folder. Google thinks this is a trojan - so I deleted it in a rash and desperate moment. Nothing much has changed though, so I've run HijackThis and was hoping one of you kind people would be able to help me! Thank you so much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:08:08, on 27/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\system\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet101\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [83CB3A8E] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [DE994F20] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet101\BitComet.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet101\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet101\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet101\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm205
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet101\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP chain gap (#6 in chain of 6 missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7523 bytes

Edited by emilyb, 27 July 2008 - 11:17 AM.

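As an added illustration (not code from this thread, from HijackThis, or from the helper), here is a small Python triage script that applies the review heuristics a log like the one above calls for: a core process name running from a non-standard directory, a UserInit value that launches an extra program at logon, autorun entries given as a bare filename and repeated across several hives, autoruns with random hex value names, orphaned BHO entries, and the O10 LSP chain gap that explains the lost connectivity. The sample lines are copied from the log; the rule set, severity labels and function names are my own.

```python
"""Heuristic triage of HijackThis log lines (added example, not from the thread).

The sample lines are copied from the log posted above; the rule set, severity
labels and function names are my own and are only a first-pass review aid.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the HijackThis log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\Explorer.EXE

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [83CB3A8E] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [DE994F20] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O10 - Broken Internet access because of LSP chain gap (#6 in chain of 6 missing)
"""

# Core Windows process names that malware likes to borrow, and the only
# directories they legitimately run from on Windows XP.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe"}
CORE_DIRS = {r"c:\windows\system32", r"c:\windows"}

# O4 line: "O4 - <hive>: [<value name>] <command> (User '<name>')?"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")


def triage(log_text):
    """Return (severity, item, reason) findings for one HijackThis log."""
    findings = []
    bare_autoruns = defaultdict(set)  # bare filename -> hives that launch it
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            directory, _, name = line.rpartition("\\")
            if name.lower() in CORE_PROCESSES and directory.lower() not in CORE_DIRS:
                findings.append(("high", line,
                                 "core process name running from a non-standard directory"))
            continue
        if line.startswith("F2 - ") and "UserInit=" in line:
            # Anything listed after userinit.exe is launched at every logon.
            targets = line.split("UserInit=", 1)[1].split(",")
            extra = [t.strip() for t in targets if t.strip().lower() != "userinit.exe"]
            if extra:
                findings.append(("high", line,
                                 "UserInit launches extra program(s): " + ", ".join(extra)))
            continue
        if line.startswith("O2 - ") and ("(no file)" in line or "(file missing)" in line):
            findings.append(("low", line, "orphaned BHO entry (no file on disk)"))
            continue
        if line.startswith("O10 - ") and "LSP" in line:
            findings.append(("high", line,
                             "broken Winsock LSP chain; explains the lost connectivity"))
            continue
        m = O4_RE.match(line)
        if m:
            name = m.group("name")
            exe = m.group("cmd").strip().strip('"').split(" ")[0]
            if re.fullmatch(r"[0-9A-F]{8}", name):
                findings.append(("high", line, "autorun with a random 8-hex-digit value name"))
            if "\\" not in exe:
                # No path: Windows resolves it by PATH search, so the binary
                # can sit anywhere; record every hive that references it.
                bare_autoruns[exe.lower()].add(m.group("hive"))
    for exe, hives in sorted(bare_autoruns.items()):
        severity = "high" if len(hives) >= 3 else "medium"
        findings.append((severity, exe,
                         "autorun by bare filename in %d hive(s)" % len(hives)))
    return findings


if __name__ == "__main__":
    for severity, item, reason in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (severity, item, reason))
```

Run against the full log rather than the excerpt, the same rules also pick up the second svchost.exe path under UserInit and every hive that references lsrv.exe.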

#2 Thunderbird1988 (Member 2k, 2,416 posts)

Hello emilyb and welcome to Geekstogo,

I am afraid I have bad news for you :)

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. :)

Thunderbird1988

#3 emilyb (Topic Starter, 16 posts)

Hey Thunderbird1988

Thanks very much for your help! What a nightmare :) Have changed all passwords etc, thank you. But I would like to clean it if you wouldn't mind helping me out? Got to get to my emails for work.

I can't actually get online on it- it can't renew the IP address (I think that's what it says). Does that mean someone has hijacked it?

Also, I'm casting about for someone to blame :) My boyfriend downloads a lot of bit torrents- do you think this could be it?

Thanks again for all your help with this.

Emily

#4 Thunderbird1988 (Member 2k, 2,416 posts)

Hello Emily,

I can't actually get online on it- it can't renew the IP address (I think that's what it says). Does that mean someone has hijacked it?


As far as I can see, some part of Windows that is responsible for the internet connection got broken. We will fix it.


My boyfriend downloads a lot of bit torrents- do you think this could be it?


Yes that could be it.

  • Please download LSPFix from here. (If you can't access the internet, please download it from another computer and transfer it to the infected one using a thumb drive or a CD or DVD.)
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • When you are done click Finish>>.

After that please restart. You should now be able to get back online. If you still can't access the internet, please let me know. Please post also a new HijackThis log.

Thunderbird1988

#5 emilyb (Topic Starter, 16 posts)

Hello again,

Well, it gets worse and worse :) Thanks for the programme. Works fine on the laptop but when I ran it on my pc it gave me this message: 'temp' is not an integer value.

So I tried right click and 'run' and it said: Winsock2 Registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters) is missing or could not be accessed.

I've looked in the Registry and Winsock2 is there, but I don't know how to figure out whether it's in good shape or not- though I'm guessing not...

Do you think the virus has attacked that registry key?

I'm obviously going to have to get a new computer but I really need to get into my emails- plus it's becoming a point of honour now :)

#6 emilyb (Topic Starter, 16 posts)

Hey again-
This is definitely becoming a point of honour :)

Well, I've deleted and reinstalled those registry keys (Winsock and Winsock2) after finding instructions on a Microsoft site. Now everything seems to be working fine. So here is my log - if you could check it for me I'd be very grateful. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16:09, on 28/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [83CB3A8E] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [DE994F20] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet101\BitComet.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm205
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6915 bytes

#7 Thunderbird1988 (Member 2k, 2,416 posts)

Edit: posted new instructions, removed the old one.

Hello Emily,

Ok, according to your log, the "internet part" of Windows got repaired :)

You use a very old version of your antivirus. Please download and install the latest version from here

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Thunderbird1988

Edited by Thunderbird1988, 28 July 2008 - 02:34 PM.


#8 emilyb (Topic Starter, 16 posts)

Hi again-
Oh gosh I hope you didn't spend loads of time writing instructions. Sorry- I get carried away trying to fix things. Does the log look ok to you now? Bearing in mind what you said before about the computer being compromised forever??

#9 Thunderbird1988 (Member 2k, 2,416 posts)

No we aren't done with the cleaning process yet. I have edited my post to give you the new instructions on how to proceed. I had to remove the old one quickly :)

Thunderbird1988

Edited by Thunderbird1988, 28 July 2008 - 02:50 PM.


#10 emilyb (Topic Starter, 16 posts)

Good afternoon!

Finally, this morning I succeeded in getting both logs from my computer but, although Windows XP Recovery Console is installed (I know this because I tried twice and the 2nd time it told me I had already installed it), it doesn't flash up as an option when I reboot- not sure how significant this is.

Also, when I boot up the computer it tries to open a file called MWSOEMON.EXE.vir- surely that's not a real virus file extension?! It's not exactly subtle :)

Anyway, here are my logs- they look a bit shorter now! Thank you thank you thank you for all your help :) If you could have another look I'd be really grateful.

Emily


ComboFix 08-07-28.2 - Owner 2008-07-29 7:34:33.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-28 21:53 . 2008-07-28 21:53 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-28 21:46 . 2008-07-28 23:09 <DIR> d-------- C:\SDFix
2008-07-28 19:39 . 2003-01-01 23:34 <DIR> d-a------ C:\Documents and Settings\Administrator\WINDOWS
2008-07-28 19:39 . 2003-01-01 23:23 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\VERITAS
2008-07-28 19:39 . 2003-01-02 05:07 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-28 19:39 . 2003-01-01 23:40 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-28 19:39 . 2008-03-27 09:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-07-28 19:39 . 2003-01-01 23:32 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-07-28 19:39 . 2008-07-28 19:39 <DIR> d-------- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 20:15 --------- d-----w C:\Program Files\BitComet101
2008-07-28 20:15 --------- d-----w C:\Program Files\Azureus
2008-07-27 14:03 --------- d---a-w C:\Program Files\NoAdware
2008-07-11 21:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Games
2008-07-11 20:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 20:48 --------- d---a-w C:\Program Files\Coloreal
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-31 06:11 --------- d-----w C:\Program Files\Java
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-11-29 12:38 47,200 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-12-25 23:36 302,680 -c--a-w C:\Program Files\ac3filter_0_70b.exe
2004-12-25 23:24 7,071,334 -c--a-w C:\Program Files\vlc-0.8.1-win32.exe
2004-12-09 19:24 4,915,119 -c--a-w C:\Program Files\Firefox Setup 1.0.exe
2004-08-31 16:15 1,307 -c--a-w C:\Program Files\launch.asp
2004-08-30 18:53 5,121,631 -c--a-w C:\Program Files\Codecs6018_allin1[www.free-codecs.com].rar
2004-08-30 18:50 2,270,208 -c--a-w C:\Program Files\patch_6.0.1.7_na_6.0.1.8.exe
2004-08-30 09:27 2,295,496 -c--a-w C:\Program Files\bsplayer100.810.exe
2004-08-30 08:58 631,955 -c--a-w C:\Program Files\XviD-1.0.1-05062004.exe
2004-08-30 08:12 8,047,992 -c--a-w C:\Program Files\DivX52XP2K.exe
2004-08-30 07:41 890,523 -c--a-w C:\Program Files\Nostra2.1.exe
2004-08-29 16:18 823,296 -c--a-w C:\Program Files\winmx353.exe
2004-08-08 14:56 104,287,531 -c--a-w C:\Program Files\FlashMX2004-en.zip
2004-07-11 13:53 58,880 -c--a-w C:\Program Files\Antisasser-EN.exe
2003-03-16 01:02 711,168 -c--a-w C:\Program Files\SDHelpegr.dll
2004-07-11 12:18 84,992 -csh--r C:\WINDOWS\system32\lsac.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [BU]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"BitComet"="C:\Program Files\BitComet101\BitComet.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"83CB3A8E"="C:\WINDOWS\System32\dbyanyzghffd.exe" [BU]
"AVG_CC"="C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe" [2004-06-22 06:00 345661]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-29 13:19 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"S3TRAY2"="S3tray2.exe" [2003-02-25 04:33 69632 C:\WINDOWS\system32\S3tray2.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DE994F20"="C:\WINDOWS\System32\dbyanyzghffd.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Services"="lsrv.exe" [BU]
"Microsoft Restore"="scrgrd.exe" [BU]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
MyWebSearch Email Plugin.lnk - C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE.vir [2005-06-05 14:46:08 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll
"vidc.iv41"= ir41_32.dll
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2002-10-16 14:05 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-08 00:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a--c--- 2001-07-07 04:56 61440 C:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KYE_Showicon]
--a--c--- 2002-10-25 23:33 69632 C:\Program Files\USB Storage RW\shwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a--c--- 2002-08-01 03:28 81920 C:\WINDOWS\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a--c--- 2002-09-14 05:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-06-18 15:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
C:\Program Files\Coloreal\coloreal.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a--c--- 2002-12-12 10:00 798789 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2002-12-12 10:00 319488 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13231:TCP"= 13231:TCP:BitComet 13231 TCP
"13231:UDP"= 13231:UDP:BitComet 13231 UDP
"3074:UDP"= 3074:UDP:xbox UDP 3074
"3074:TCP"= 3074:TCP:xbox TCP 3074
"88:UDP"= 88:UDP:xbox UDP 88
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"23606:TCP"= 23606:TCP:BitComet 23606 TCP
"23606:UDP"= 23606:UDP:BitComet 23606 UDP

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.ebay.co.uk/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Search - http://bar.mywebsear...html?p=ZNxdm205
O18 -: Handler: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\schmapdoclib.dll

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 07:47:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [1072] 0xFF9BBCA8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-07-29 8:00:33
ComboFix-quarantined-files.txt 2008-07-29 07:00:13
ComboFix2.txt 2008-07-28 23:06:09

Pre-Run: 7,332,257,792 bytes free
Post-Run: 7,316,959,232 bytes free

163 --- E O F --- 2008-07-13 05:38:16



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:15, on 2008-07-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL (file missing)
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [83CB3A8E] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [DE994F20] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet101\BitComet.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE.vir
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE.vir
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm205
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)

--
End of file - 6824 bytes
  • 0

#11
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello Emily,

surely that's not a real virus file extension?! It's not exactly subtle


ComboFix changed the extension of it, so now those files can't run anymore.

I tried twice and the 2nd time it told me I had already installed it


Could you post the log of the first run too?
Please also post the SDFix log (C:\SDFix\report.txt).

Thunderbird1988
  • 0

#12
emilyb

    Member

  • Topic Starter
  • Member
  • 16 posts
Morning Thunderbird1988,

Thanks for that. The first time I ran SDFix my computer crashed, so I don't know which run this log belongs to. I'm sorry! But here it is. I also managed to fix my AVG and ran a scan with that, which I've posted afterwards. It found LOADS of things :) Lastly, I've posted an up-to-date HijackThis log. Thank you again, you've been so helpful!


SDFix: Version 1.209
Run by Owner on 28/07/2008 at 22:00

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com\settings.sol - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp24.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp25.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp26.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp27.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp28.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp29.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp2A.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp2B.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp2D.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp2E.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpCA.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpCB.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpD1.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpD2.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpD3.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpD4.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpD7.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpD8.tmp - Deleted
C:\WINDOWS\system32\TFTP1304 - Deleted
C:\WINDOWS\system32\TFTP1372 - Deleted
C:\WINDOWS\system32\TFTP144 - Deleted
C:\WINDOWS\system32\TFTP1488 - Deleted
C:\WINDOWS\system32\TFTP1588 - Deleted
C:\WINDOWS\system32\TFTP1684 - Deleted
C:\WINDOWS\system32\TFTP1740 - Deleted
C:\WINDOWS\system32\TFTP1952 - Deleted
C:\WINDOWS\system32\TFTP2100 - Deleted
C:\WINDOWS\system32\TFTP2208 - Deleted
C:\WINDOWS\system32\TFTP2372 - Deleted
C:\WINDOWS\system32\TFTP2412 - Deleted
C:\WINDOWS\system32\TFTP2524 - Deleted
C:\WINDOWS\system32\TFTP2768 - Deleted
C:\WINDOWS\system32\TFTP2796 - Deleted
C:\WINDOWS\system32\TFTP3428 - Deleted
C:\WINDOWS\system32\TFTP3444 - Deleted
C:\WINDOWS\system32\TFTP3816 - Deleted
C:\WINDOWS\system32\TFTP3992 - Deleted
C:\WINDOWS\system32\TFTP4032 - Deleted
C:\WINDOWS\system32\TFTP4044 - Deleted
C:\WINDOWS\system32\TFTP496 - Deleted
C:\WINDOWS\system32\TFTP840 - Deleted
C:\WINDOWS\system32\TFTP932 - Deleted
C:\WINDOWS\system\svchost.exe - Deleted
C:\WINDOWS\system32\bot.exe - Deleted
C:\WINDOWS\system32\WinGuard.exe - Deleted



Folder C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 22:24:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eDonkey2000\\edonkey2000.exe"="C:\\Program Files\\eDonkey2000\\edonkey2000.exe:*:Enabled:edonkey2000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\iTunes\\alex\\iTunes.exe"="C:\\Program Files\\iTunes\\alex\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\SDYFWXUZ\\StarCraft2CinematicTrailer_EnglishUS-avi-downloader[1].exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\SDYFWXUZ\\StarCraft2CinematicTrailer_EnglishUS-avi-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BitComet101\\BitComet.exe"="C:\\Program Files\\BitComet101\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 11 Jul 2004 84,992 ..SHR --- "C:\WINDOWS\system32\lsac.exe"
Sat 7 Jun 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 27 Jan 2007 128,512 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL0038.tmp"
Fri 9 Mar 2007 106,496 A.SHR --- "C:\WINDOWS\system\_sv_CMD_\_U_.exe"
Sun 17 Sep 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 9 Jul 2006 34,816 ...H. --- "C:\Documents and Settings\Owner\My Documents\Em's folder\paypal\~WRL0004.tmp"
Sun 9 Jul 2006 34,816 ...H. --- "C:\Documents and Settings\Owner\My Documents\Em's folder\paypal\~WRL3172.tmp"
Sun 9 Jul 2006 34,816 ...H. --- "C:\Documents and Settings\Owner\My Documents\Em's folder\paypal\~WRL3949.tmp"
Thu 13 Sep 2007 114,176 ...H. --- "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\09CVKN0F\~WRL0416.tmp"
Thu 13 Sep 2007 118,272 ...H. --- "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\09CVKN0F\~WRL0421.tmp"
Thu 13 Sep 2007 108,032 ...H. --- "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\09CVKN0F\~WRL0689.tmp"
Thu 13 Sep 2007 119,296 ...H. --- "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\09CVKN0F\~WRL3787.tmp"
Thu 13 Sep 2007 108,032 ...H. --- "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\09CVKN0F\~WRL3828.tmp"
Thu 13 Sep 2007 113,152 ...H. --- "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\09CVKN0F\~WRL3932.tmp"

Finished!


AVG results


"Scan ""Scan whole computer"" was finished."
"Infections found:";"20"
"Infected objects removed or healed:";"20"
"Not removed or healed:";"0"
"Spyware found:";"8"
"Spyware removed:";"8"
"Not removed:";"0"
"Warnings count:";"74"
"Information count:";"0"
"Scan started:";"29 July 2008, 21:03:37"
"Scan finished:";"29 July 2008, 23:15:20 (2 hour(s) 11 minute(s) 43 second(s))"
"Total object scanned:";"635874"
"User who launched the scan:";"Owner"

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\dfgdfgdfg.jar-47ca32a3-51dfced9.zip";"Trojan horse Java/ClassLoader";"Moved to Virus Vault"
"C:\SDFix\backups\backups.zip";"Virus identified Worm/Agobot.25.M";"Moved to Virus Vault"
"C:\SDFix\backups\backups.zip:\backups\bot.exe";"Virus identified Worm/Agobot.25.M";"Moved to Virus Vault"
"C:\SDFix\backups\backups.zip:\backups\movedfile.vir";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"C:\SDFix\backups\backups.zip:\backups\svchost.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"C:\SDFix\backups\backups.zip:\backups\winguard.exe";"Virus identified Exploit.MS04-011";"Moved to Virus Vault"
"C:\WINDOWS\system32\ftpupd.exe";"Virus identified Worm/Korgo.B";"Moved to Virus Vault"
"C:\WINDOWS\system32\lsac.exe";"Virus identified Exploit.MS04-011";"Moved to Virus Vault"
"H:\RECYCLER\INFO.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP932\A0238280.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP1001\A0258806.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP944\A0240151.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP945\A0240166.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP946\A0240177.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP1002\A0261880.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP932\A0238285.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP977\A0248022.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP977\A0248053.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP978\A0248085.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"
"H:\System Volume Information\_restore{6A1F147C-1AD2-4516-B4BD-5F418FB8D321}\RP981\A0249144.exe";"Virus identified Worm/Generic.BVE";"Moved to Virus Vault"

"Spyware"
"File";"Infection";"Result"
"C:\hp\bin\Terminator.exe";"Potentially harmful program HackTool.BVU";"Moved to Virus Vault"
"C:\Program Files\GameSpy Arcade\GSAPak.exe";"Adware Generic2.ZHX";"Moved to Virus Vault"
"C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll";"Adware Generic.DOI";"Moved to Virus Vault"
"C:\Program Files\Nostra DivX Player\SaveInstWm.exe";"Adware Generic.LMK";"Moved to Virus Vault"
"C:\Program Files\Nostra DivX Player\SaveInstWm.exe:\Save.exe";"Adware Generic.LMK";"Moved to Virus Vault"
"C:\Program Files\Nostra DivX Player\SaveInstWm.exe:\SaveUninst.exe";"Adware Generic.SAT";"Moved to Virus Vault"
"C:\Program Files\Nostra DivX Player\SaveInstWm.exe:\Weather\Uninst.exe";"Adware Generic2.QXV";"Moved to Virus Vault"
"C:\Program Files\Nostra DivX Player\SaveInstWm.exe:\Weather\Weather.exe";"Adware Generic2.BBI";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.1a6a6c0d";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.23a940be";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.1ba0e966";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.2623214a";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.484dbb69";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.4d4e0536";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.686f76b4";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.697706d6";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.6dc9f747";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.8777f6c6";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.93af4fad";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.9bbee8a7";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.7919062b";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.7ae9c250";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.ba00a41a";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.7ea8995a";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.c7b585e6";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.cb19198d";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.d2aa96c8";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.d456db17";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.e26bad26";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.ec4774bb";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\2o7.net.f1d32757";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.1ba48dcc";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.2f109f47";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.3008dc36";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.4ef8a2b6";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.61ace4ce";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.803af41e";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.8e3ce386";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.a5a0685f";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.ad2991f2";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.e54e374";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.319f5b3a";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.3aef2dd9";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.3b29cc9e";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.452ef943";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.4d861cea";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.4e188af9";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.54524c13";"Found Tracking cookie.Statcounter";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ol8ibfs6.default\cookies.txt:\statcounter.com.5962555d";"Found Tracking cookie.Statcounter";"Potentially dangerous object"

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:23:33, on 30/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [83CB3A8E] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [DE994F20] C:\WINDOWS\System32\dbyanyzghffd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet101\BitComet.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Services] lsrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Services] lsrv.exe (User 'Default user')
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE.vir
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE.vir
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm205
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7115 bytes

#13
Thunderbird1988
Hello Emily,

Could you please post the log of the first run of Combofix?

Thunderbird1988

#14
emilyb
Hello Thunderbird1988

Here you go:

ComboFix 08-07-28.2 - Owner 2008-07-29 7:34:33.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-28 21:53 . 2008-07-28 21:53 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-28 21:46 . 2008-07-28 23:09 <DIR> d-------- C:\SDFix
2008-07-28 19:39 . 2003-01-01 23:34 <DIR> d-a------ C:\Documents and Settings\Administrator\WINDOWS
2008-07-28 19:39 . 2003-01-01 23:23 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\VERITAS
2008-07-28 19:39 . 2003-01-02 05:07 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-28 19:39 . 2003-01-01 23:40 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-28 19:39 . 2008-03-27 09:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-07-28 19:39 . 2003-01-01 23:32 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-07-28 19:39 . 2008-07-28 19:39 <DIR> d-------- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 20:15 --------- d-----w C:\Program Files\BitComet101
2008-07-28 20:15 --------- d-----w C:\Program Files\Azureus
2008-07-27 14:03 --------- d---a-w C:\Program Files\NoAdware
2008-07-11 21:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Games
2008-07-11 20:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 20:48 --------- d---a-w C:\Program Files\Coloreal
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-31 06:11 --------- d-----w C:\Program Files\Java
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-11-29 12:38 47,200 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-12-25 23:36 302,680 -c--a-w C:\Program Files\ac3filter_0_70b.exe
2004-12-25 23:24 7,071,334 -c--a-w C:\Program Files\vlc-0.8.1-win32.exe
2004-12-09 19:24 4,915,119 -c--a-w C:\Program Files\Firefox Setup 1.0.exe
2004-08-31 16:15 1,307 -c--a-w C:\Program Files\launch.asp
2004-08-30 18:53 5,121,631 -c--a-w C:\Program Files\Codecs6018_allin1[www.free-codecs.com].rar
2004-08-30 18:50 2,270,208 -c--a-w C:\Program Files\patch_6.0.1.7_na_6.0.1.8.exe
2004-08-30 09:27 2,295,496 -c--a-w C:\Program Files\bsplayer100.810.exe
2004-08-30 08:58 631,955 -c--a-w C:\Program Files\XviD-1.0.1-05062004.exe
2004-08-30 08:12 8,047,992 -c--a-w C:\Program Files\DivX52XP2K.exe
2004-08-30 07:41 890,523 -c--a-w C:\Program Files\Nostra2.1.exe
2004-08-29 16:18 823,296 -c--a-w C:\Program Files\winmx353.exe
2004-08-08 14:56 104,287,531 -c--a-w C:\Program Files\FlashMX2004-en.zip
2004-07-11 13:53 58,880 -c--a-w C:\Program Files\Antisasser-EN.exe
2003-03-16 01:02 711,168 -c--a-w C:\Program Files\SDHelpegr.dll
2004-07-11 12:18 84,992 -csh--r C:\WINDOWS\system32\lsac.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [BU]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"BitComet"="C:\Program Files\BitComet101\BitComet.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"83CB3A8E"="C:\WINDOWS\System32\dbyanyzghffd.exe" [BU]
"AVG_CC"="C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe" [2004-06-22 06:00 345661]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-29 13:19 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"S3TRAY2"="S3tray2.exe" [2003-02-25 04:33 69632 C:\WINDOWS\system32\S3tray2.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DE994F20"="C:\WINDOWS\System32\dbyanyzghffd.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Services"="lsrv.exe" [BU]
"Microsoft Restore"="scrgrd.exe" [BU]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
MyWebSearch Email Plugin.lnk - C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE.vir [2005-06-05 14:46:08 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll
"vidc.iv41"= ir41_32.dll
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2002-10-16 14:05 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-08 00:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a--c--- 2001-07-07 04:56 61440 C:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KYE_Showicon]
--a--c--- 2002-10-25 23:33 69632 C:\Program Files\USB Storage RW\shwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a--c--- 2002-08-01 03:28 81920 C:\WINDOWS\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a--c--- 2002-09-14 05:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-06-18 15:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
C:\Program Files\Coloreal\coloreal.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a--c--- 2002-12-12 10:00 798789 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2002-12-12 10:00 319488 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13231:TCP"= 13231:TCP:BitComet 13231 TCP
"13231:UDP"= 13231:UDP:BitComet 13231 UDP
"3074:UDP"= 3074:UDP:xbox UDP 3074
"3074:TCP"= 3074:TCP:xbox TCP 3074
"88:UDP"= 88:UDP:xbox UDP 88
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"23606:TCP"= 23606:TCP:BitComet 23606 TCP
"23606:UDP"= 23606:UDP:BitComet 23606 UDP

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.ebay.co.uk/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Search - http://bar.mywebsear...html?p=ZNxdm205
O18 -: Handler: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\schmapdoclib.dll

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 07:47:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [1072] 0xFF9BBCA8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-07-29 8:00:33
ComboFix-quarantined-files.txt 2008-07-29 07:00:13
ComboFix2.txt 2008-07-28 23:06:09

Pre-Run: 7,332,257,792 bytes free
Post-Run: 7,316,959,232 bytes free

163 --- E O F --- 2008-07-13 05:38:16

#15
Thunderbird1988
Hello Emily,

That log seems to be the same one as posted in post #10

Can you please post the contents of C:\ComboFix.txt

Thunderbird1988