Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan-Spy.Win32.GreenScreen help please [RESOLVED]

Started by cookiefp , Aug 08 2008 11:49 PM

  • This topic is locked This topic is locked

#1
cookiefp
Posted 08 August 2008 - 11:49 PM

cookiefp

    Member

  • Member
  • PipPip
  • 14 posts
Also getting random popups for trojan-downloader.win32.agent.bq AND Trojan-Clicker.Win32.Tiny.h
as well as antivirus XP 2008 popups.

i have run various malware scanners and removed everything that they have found as well as Avast! anti virus but i am still getting these popups.

I have followed the instructions in the "Read before posting a log" thread apart from Malwarebytes scan. Avast said this was a virus and wouldnt let me run the file.

Please help me, it will be very much appreciated.

================================================================================
====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:19 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\srkfatgf.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: bgrqfetx - {968232F5-0910-483D-B059-4C6AB5C785DC} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphcrvgj0ec9l] C:\WINDOWS\system32\lphcrvgj0ec9l.exe
O4 - HKLM\..\Run: [SMrhcvvgj0ec9l] C:\Program Files\rhcvvgj0ec9l\rhcvvgj0ec9l.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EnProc] C:\WINDOWS\system32\srkfatgf.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15102/CTPID.cab
O20 - Winlogon Notify: routew - routew.dll (file missing)
O21 - SSODL: tfnslopk - {C19D122A-69F6-4921-B13A-2DD6A4EDDE20} - C:\WINDOWS\tfnslopk.dll (file missing)
O21 - SSODL: xokvrpwg - {A869F2A5-12D7-4188-8824-DB3D88C12C4D} - C:\WINDOWS\xokvrpwg.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7715 bytes
  • 0

Advertisements

#2
andrewuk
Posted 09 August 2008 - 07:17 AM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi cookiefp

welcome to geekstogo :)


====STEP 1====
if you have already downloaded combofix then could you delete the current version of combofix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.micro...com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



====STEP 2====
i dont think you have this infection on your machine, but i want to do a scan for it:

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm



In your next reply could i see:
1. the combofix log
2. the hijackthis log
3. the smitfraudfix report

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#3
cookiefp
Posted 09 August 2008 - 08:20 AM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
thank you for your reply andrewuk

here are the logs:

ComboFix 08-08-08.07 - cke 2008-08-09 23:30:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT 10:00]
Running from: C:\Documents and Settings\cke\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\cke\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\cke\Application Data\rhcvvgj0ec9l
C:\WINDOWS\eqbn.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\phcrvgj0ec9l.bmp
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-09 15:38 . 2008-08-09 15:38 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-09 14:30 . 2008-08-09 14:30 86 --a------ C:\WINDOWS\wininit.ini
2008-08-09 10:14 . 2008-08-09 10:14 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-08 23:22 . 2008-08-08 14:42 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-08 23:21 . 2008-08-08 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\qlctatul
2008-08-08 23:21 . 2008-08-08 23:21 77,824 --a------ C:\WINDOWS\system32\srkfatgf.exe
2008-08-08 23:06 . 2008-08-08 23:06 <DIR> d-------- C:\Documents and Settings\cke\Application Data\CopyTransPhoto
2008-08-08 20:40 . 2008-08-08 20:40 <DIR> d-------- C:\Program Files\iTunes
2008-08-08 20:38 . 2008-08-08 20:39 <DIR> d-------- C:\Program Files\QuickTime
2008-08-08 20:37 . 2008-08-08 20:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-08 20:36 . 2008-07-22 20:32 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-08-05 19:46 . 2008-08-05 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-08-05 19:31 . 2008-08-05 19:31 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 13:32 --------- d-----w C:\Documents and Settings\cke\Application Data\Azureus
2008-08-09 05:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 05:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 05:07 --------- d-----w C:\Program Files\mIRC
2008-08-09 02:21 --------- d-----w C:\Documents and Settings\cke\Application Data\InstallShield Installation Information
2008-08-09 01:08 --------- d-----w C:\Program Files\Avast4
2008-08-09 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 00:25 --------- d-----w C:\Program Files\Baldurs Gate II - SoA
2008-08-08 10:40 --------- d-----w C:\Program Files\iPod
2008-08-08 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-05 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-19 09:04 --------- d-----w C:\Program Files\Rapid Evolution
2008-07-15 05:47 --------- d-----w C:\Program Files\Audacity
2008-07-07 05:45 --------- d-----w C:\Program Files\ATI Technologies
2008-07-04 09:44 --------- d-----w C:\Documents and Settings\cke\Application Data\Creative
2008-07-04 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-07-04 09:18 --------- d-----w C:\Program Files\Creative
2008-07-04 09:17 --------- d--h--w C:\Program Files\Creative Installation Information
2008-07-04 09:14 --------- d-----w C:\Program Files\Common Files\Creative
2008-07-03 12:58 --------- d-----w C:\Program Files\Azureus
2008-06-21 16:50 --------- d-----w C:\Program Files\World of Warcraft
2008-06-21 08:10 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2003-06-03 15:49 448,256 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-06-03 15:48 147,328 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 15:47 147,328 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-04-22 18:19 1196032]
"EnProc"="C:\WINDOWS\system32\srkfatgf.exe" [2008-08-08 23:21 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-11 00:57 133016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-21 04:41 33792]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 16:35 1294336]

C:\Documents and Settings\cke\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Azureus.lnk - C:\Program Files\Azureus\Azureus.exe [2006-05-11 12:05:12 254976]
Microsoft Office Outlook 2003.lnk - C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2007-02-24 14:11:03 794624]
mIRC.lnk - C:\Program Files\mIRC\mirc.exe [2006-11-24 01:45:34 2076672]
Winamp.lnk - C:\Program Files\Winamp\winamp.exe [2005-05-27 07:31:01 1059328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
raid_tool.exe.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-02-23 18:16:47 561152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-06-12 20:31]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 04:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 04:37]
.
Contents of the 'Scheduled Tasks' folder

2008-08-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{968232F5-0910-483D-B059-4C6AB5C785DC} - C:\WINDOWS\bgrqfetx.dll
HKLM-Run-Smapp - C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
HKLM-Run-lphcrvgj0ec9l - C:\WINDOWS\system32\lphcrvgj0ec9l.exe
HKLM-Run-SMrhcvvgj0ec9l - C:\Program Files\rhcvvgj0ec9l\rhcvvgj0ec9l.exe
Notify-routew - routew.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.au/
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 23:34:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Avast4\Setup\avast.setup
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-08-09 23:39:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-09 13:38:23

Pre-Run: 44,575,293,440 bytes free
Post-Run: 44,490,927,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\="Microsoft Windows"
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

227
  • 0

#4
cookiefp
Posted 09 August 2008 - 08:21 AM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:21:24, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EnProc] C:\WINDOWS\system32\srkfatgf.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15102/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6764 bytes
  • 0

#5
cookiefp
Posted 09 August 2008 - 08:21 AM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
SmitFraudFix v2.333

Scan done at 0:18:16.60, Sun 08/10/2008
Run from C:\Documents and Settings\cke\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cke\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\cke


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\cke\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\cke\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com Gigabit LOM (3C940) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8ABEEA81-69AC-4A8F-823E-70B833B09FC8}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8ABEEA81-69AC-4A8F-823E-70B833B09FC8}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8ABEEA81-69AC-4A8F-823E-70B833B09FC8}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#6
andrewuk
Posted 09 August 2008 - 10:25 AM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will clear the remaining malware i can see and scan three files

====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
C:\WINDOWS\lnvegaow.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnProc"=-

Collect::
C:\WINDOWS\system32\srkfatgf.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
C:\WINDOWS\inf\EL2K_N64.sys

Click on the submit button

Please also do the same with the following two files:
C:\WINDOWS\inf\EL2K_XP.sys
C:\WINDOWS\inf\EL2K_2K.sys


Please post the results of the scan in your next reply.

If Jotti is busy, try the same atVirustotal



In your next reply could i see:
1. the combofix log
2. the hijackthis log
3. the 3 jotti logs

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#7
cookiefp
Posted 09 August 2008 - 07:07 PM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
ComboFix asked me to submit a file online, which i did.


ComboFix 08-08-08.07 - cke 2008-08-10 10:35:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.656 [GMT 10:00]
Running from: C:\Documents and Settings\cke\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\cke\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\lnvegaow.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\srkfatgf.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-10 00:18 . 2008-08-10 00:18 2,920 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-09 15:38 . 2008-08-09 15:38 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-09 14:30 . 2008-08-09 14:30 86 --a------ C:\WINDOWS\wininit.ini
2008-08-09 10:14 . 2008-08-09 10:14 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-08 23:21 . 2008-08-08 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\qlctatul
2008-08-08 23:06 . 2008-08-08 23:06 <DIR> d-------- C:\Documents and Settings\cke\Application Data\CopyTransPhoto
2008-08-08 20:40 . 2008-08-08 20:40 <DIR> d-------- C:\Program Files\iTunes
2008-08-08 20:38 . 2008-08-08 20:39 <DIR> d-------- C:\Program Files\QuickTime
2008-08-08 20:37 . 2008-08-08 20:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-08 20:36 . 2008-07-22 20:32 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-08-05 19:46 . 2008-08-05 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-08-05 19:31 . 2008-08-05 19:31 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 00:40 --------- d-----w C:\Program Files\mIRC
2008-08-10 00:40 --------- d-----w C:\Documents and Settings\cke\Application Data\Azureus
2008-08-09 05:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 05:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 02:21 --------- d-----w C:\Documents and Settings\cke\Application Data\InstallShield Installation Information
2008-08-09 01:08 --------- d-----w C:\Program Files\Avast4
2008-08-09 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 00:25 --------- d-----w C:\Program Files\Baldurs Gate II - SoA
2008-08-08 10:40 --------- d-----w C:\Program Files\iPod
2008-08-08 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-05 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-19 09:04 --------- d-----w C:\Program Files\Rapid Evolution
2008-07-15 05:47 --------- d-----w C:\Program Files\Audacity
2008-07-07 05:45 --------- d-----w C:\Program Files\ATI Technologies
2008-07-04 11:38 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-07-04 11:38 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-07-04 09:44 --------- d-----w C:\Documents and Settings\cke\Application Data\Creative
2008-07-04 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-07-04 09:18 --------- d-----w C:\Program Files\Creative
2008-07-04 09:17 --------- d--h--w C:\Program Files\Creative Installation Information
2008-07-04 09:14 --------- d-----w C:\Program Files\Common Files\Creative
2008-07-03 12:58 --------- d-----w C:\Program Files\Azureus
2008-06-21 16:50 --------- d-----w C:\Program Files\World of Warcraft
2008-06-21 08:10 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-06-03 03:46 10,276,864 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-06-03 03:22 413,696 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:04 245,760 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:33 48,128 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 23,040 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-06-02 11:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-05-25 01:58 5,438 ----a-w C:\WINDOWS\system32\rhs.bin
2003-06-03 15:49 448,256 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-06-03 15:48 147,328 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 15:47 147,328 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-09_23.38.03.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-10 00:39:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_624.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-04-22 18:19 1196032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-11 00:57 133016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-21 04:41 33792]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 16:35 1294336]

C:\Documents and Settings\cke\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Azureus.lnk - C:\Program Files\Azureus\Azureus.exe [2006-05-11 12:05:12 254976]
Microsoft Office Outlook 2003.lnk - C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2007-02-24 14:11:03 794624]
mIRC.lnk - C:\Program Files\mIRC\mirc.exe [2006-11-24 01:45:34 2076672]
Winamp.lnk - C:\Program Files\Winamp\winamp.exe [2005-05-27 07:31:01 1059328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
raid_tool.exe.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-02-23 18:16:47 561152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-06-12 20:31]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 04:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 04:37]
.
Contents of the 'Scheduled Tasks' folder

2008-08-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 10:39:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-08-10 10:43:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 00:43:29
ComboFix2.txt 2008-08-09 13:39:27

Pre-Run: 44,459,599,872 bytes free
Post-Run: 44,447,998,464 bytes free

187



=======================================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:32, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15102/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7112 bytes
  • 0

#8
cookiefp
Posted 09 August 2008 - 07:08 PM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Service
Service load:
0% 100%
File: EL2K_N64.sys
Status:
OK
MD5: 745ce01313c569a3d67e0e798db51762
Packers detected:
-
Scanner results
Scan taken on 10 Aug 2008 00:49:20 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


========================================

Service
Service load:
0% 100%
File: EL2K_2K.sys
Status:
OK
MD5: af83d5b4c9cbf69acc35095a56955581
Packers detected:
-
Scanner results
Scan taken on 10 Aug 2008 00:59:13 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
======================================================


Service
Service load:
0% 100%
File: EL2K_XP.sys
Status:
OK
MD5: 25fe70646afe37801ab540b5d3b12cf9
Packers detected:
-
Scanner results
Scan taken on 10 Aug 2008 00:54:58 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
  • 0

#9
andrewuk
Posted 09 August 2008 - 07:23 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
looking good now, in this post we will do some general scans to clear any remnants and as a final check. we will also update your java.

the scans will likely take 3 hours, quite possibly much longer. so just let them run.


====STEP 1====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
====STEP 3====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 4====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


====STEP 5====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
====STEP 6====
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

In your next reply could i see:
1. the malwarebytes log
2. the SUPERantispyware log
3. the kaspersky log
4. a new hijackthis log
5. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#10
cookiefp
Posted 10 August 2008 - 03:58 PM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 2

5:10:22 PM 8/10/2008
mbam-log-8-10-2008 (17-10-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 81176
Time elapsed: 40 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bgrqfetx.bnkq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bgrqfetx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{6255AC78-288E-4B4E-B524-D0E26030C6D1}\RP384\A0059394.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6255AC78-288E-4B4E-B524-D0E26030C6D1}\RP384\A0059395.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\eqbn.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tdsslog.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
  • 0

Advertisements

#11
cookiefp
Posted 10 August 2008 - 03:58 PM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/10/2008 at 09:43 PM

Application Version : 4.15.1000

Core Rules Database Version : 3531
Trace Rules Database Version: 1520

Scan type : Complete Scan
Total Scan Time : 04:27:41

Memory items scanned : 546
Memory threats detected : 0
Registry items scanned : 6040
Registry threats detected : 0
File items scanned : 63635
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\cke\Cookies\[email protected][1].txt
C:\Documents and Settings\cke\Cookies\cke@serving-sys[2].txt
.calorie-count.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.calorie-count.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.calorie-count.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.calorie-count.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.calorie-count.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.calorie-count.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.calorie-count.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
statse.webtrendslive.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.xiti.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.mediafour.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.mediafour.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.yadro.ru [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.trackitdown.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.trackitdown.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
media.sensis.com.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.trackitdown.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.trackitdown.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www6.addfreestats.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.ingdirect.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.soundtrackcollector.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.soundtrackcollector.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.soundtrackcollector.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.soundtrackcollector.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.soundtrackcollector.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
stats.sitesuite.org [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.3dstats.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
myaccount.centrelink.gov.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
myaccount.centrelink.gov.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
myaccount.centrelink.gov.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.acpmagazines.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.paypal.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.hitbox.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.ehg-aami.hitbox.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.tns-counter.ru [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.pornhost.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.pornhost.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.nakedonthestreets.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.nakedonthestreets.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.w3counter.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.ehg-suncorpdirectniche.hitbox.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
forum.tiestotracklists.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.ice.112.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.partygaming.122.2o7.net [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.mediamovers.com.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.mediamovers.com.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.weborama.fr [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.medianetworking.com.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.medianetworking.com.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.medianetworking.com.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
.medianetworking.com.au [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
stats2.clicktracks.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
stats2.clicktracks.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
stats2.clicktracks.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
stats2.clicktracks.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\cke\Application Data\Mozilla\Firefox\Profiles\vhm8yucd.default\cookies.txt ]

Trojan.Dropper/Gen
C:\QOOBOX\QUARANTINE\C\WINDOWS\LNVEGAOW.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6255AC78-288E-4B4E-B524-D0E26030C6D1}\RP385\A0059535.EXE

Desktop Hijacker.AboutYourPrivacy
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\CAPT.GIF.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DOWN.GIF.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PHCRVGJ0EC9L.BMP.VIR

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6255AC78-288E-4B4E-B524-D0E26030C6D1}\RP381\A0059163.SCR

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6255AC78-288E-4B4E-B524-D0E26030C6D1}\RP381\A0059168.DLL

Adware.Vundo-Variant/J
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6255AC78-288E-4B4E-B524-D0E26030C6D1}\RP381\A0059169.DLL

Rogue.Antivirus/Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6255AC78-288E-4B4E-B524-D0E26030C6D1}\RP381\A0059214.EXE
  • 0

#12
cookiefp
Posted 10 August 2008 - 03:59 PM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 10, 2008 12:27:09
Records in database: 1078615
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 39169
Threat name: 7
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 05:49:18


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe/C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Documents and Settings\cke\Desktop\SmitfraudFix\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\Documents and Settings\cke\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\cke\Desktop\SmitfraudFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\Documents and Settings\cke\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\mIRC\mirc.exe.bak Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Unzipped\Winamp\winamp5092_pro.exe Infected: Backdoor.Win32.ServU-based 1
D:\Unzipped\Winamp\winamp5092_pro.exe Infected: Trojan.BAT.Zapchast 1
D:\Unzipped\Winamp\winamp5092_pro.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
D:\Unzipped\Winamp\winamp5092_pro.exe Infected: Backdoor.Win32.Iroffer.b 1

The selected area was scanned.
  • 0

#13
cookiefp
Posted 10 August 2008 - 04:00 PM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:58:55, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15102/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7443 bytes
  • 0

#14
cookiefp
Posted 10 August 2008 - 04:02 PM

cookiefp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
computer is running much better now but some sites are not being displayed properly such as geekstogo. the website themes/backgrounds/graphics arent displayed. its just displaying text. only for some websites though.
  • 0

#15
andrewuk
Posted 10 August 2008 - 04:14 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
all looks good, the kaspersky scan picked up items safely quarantined or false positives except could you tell me what this program is: D:\Unzipped\Winamp\winamp5092_pro.exe.....dont run it, just tell me if you know what it is, or if we can delete it. the kaspersky scan seems to think it is infected.

computer is running much better now but some sites are not being displayed properly such as geekstogo. the website themes/backgrounds/graphics arent displayed. its just displaying text. only for some websites though.

sounds like the firefox cache needs to be cleared.

To clear the cache, go to Tools > Options
Go to Advanced category, and then click on the Network tab.
Under Cache, click the Clear Now button.
Click OK.

To clear your History List, go to [/b]Tools[/b] > Clear Private Data.
Check Browsing History. Uncheck all other items.
Click Clear Private Data Now.

If you are having problems with the way Firefox displays the pages on some sites, try hitting Ctrl and F5 at the same time. This should refresh the page to the correct state.

tell me how it looks now.

andrewuk
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP