
Trojan.metajuan, vundo and other infections [RESOLVED]


  • This topic is locked

#1
FaMaK
  • Member
  • 64 posts
Hello -

This forum has been very helpful in the past, thank you! My computer is infected with Trojans, I have attempted to clean them but they seem to keep coming back. I ran Symantec antivirus and it cleaned or quarantined the trojans, then I ran Malwarebytes and posted the log below in addition to the hijackthis log. Your help is greatly appreciated!

Malwarebytes' Anti-Malware 1.24
Database version: 1045
Windows 5.1.2600 Service Pack 2

7:11:18 PM 8/12/2008
mbam-log-8-12-2008 (19-11-18).txt

Scan type: Quick Scan
Objects scanned: 39970
Time elapsed: 11 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9f7bbf36-3769-43bf-9176-aa37b41c27ac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9f7bbf36-3769-43bf-9176-aa37b41c27ac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\windows\system32\isyuxm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onqhfhtn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ktuhdg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enybqfwk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMeff2a4f1.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMeff2a4f1.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdcAPH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:59 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\windows\system32\Ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\windows\system32\svchost.exe
C:\DDNS\DNSClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\GV1120\GV1120.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\GV1120\BcastTcp.exe
C:\GV1120\DmHealthSvr.exe
C:\GV1120\DMMailServer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DNSClient] "C:\DDNS\DNSClient.exe" 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Smr] "C:\WINDOWS\T?sks\n?tdde.exe" 99001275
O4 - HKCU\..\Run: [Uje] C:\WINDOWS\system32\?ymantec\r?ndll32.exe
O4 - HKCU\..\Run: [Bkvfu] "C:\Program Files\?asks\n?lookup.exe"
O4 - HKCU\..\Run: [Ouctvzk] C:\WINDOWS\??mantec\m?iexec.exe
O4 - HKCU\..\Run: [Gdwg] "C:\Documents and Settings\Admin\My Documents\??mantec\n?lookup.exe"
O4 - HKCU\..\Run: [Yhwxa] C:\WINDOWS\system32\?asks\n?lookup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: MultiCam Auto Start.lnk = C:\GV1120\DM500Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extraweb-ame...web/iNotes6.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://servicehonda....TSWeb/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: stp68_2007 - stp68_2007.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 10386 bytes
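Two patterns in the HijackThis log above are worth learning to spot by eye and by script. First, the HKCU Run entries whose paths contain "?": HijackThis prints "?" for a character it cannot render in the system code page, so "C:\WINDOWS\T?sks\n?tdde.exe" is a folder and file whose names merely look like Tasks and netdde.exe (the ComboFix log later in the thread lists what appear to be the same folders under 8.3 short names such as tsks~1 and ymante~1, with the non-ASCII character dropped). Second, the O1 lines, which are hosts-file overrides pointing winmx.com names at fixed addresses. The script below is an added example written for this page, not a tool from the thread or from Trend Micro: it parses O4 Run and O1 Hosts lines in the format shown above and flags look-alike paths, Windows binary names running from outside system32, and hosts overrides that do not point at loopback. It assumes the Windows directory is C:\windows; the sample input is taken from the log above plus one constructed line ([Evil]) added to exercise the outside-system32 rule.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Basenames Vundo borrowed in this thread plus a few other Windows binaries.
# Assumption: any of these running from outside system32 is suspect.
SYSTEM_BINARIES = {"rundll32.exe", "msiexec.exe", "nslookup.exe", "netdde.exe",
                   "svchost.exe", "ctfmon.exe", "explorer.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumption: default XP install location

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O1_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+) (?P<hosts>.+)$')
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


@dataclass
class Finding:
    line: str
    reason: str


def extract_path(cmd):
    """Return the executable path from a Run value (quoted, or up to the first .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.*?\.exe)(\s|$)', cmd)
    return m.group(1) if m else cmd.split(' ')[0]


def check_o4(line):
    """Flag Run entries with unrenderable characters or misplaced system binaries."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = extract_path(m.group("cmd"))
    # HijackThis renders characters outside the code page as '?'.
    if '?' in path or any(ord(c) > 127 for c in path):
        return Finding(line, "non-ASCII / unrenderable characters in path (look-alike folder)")
    base = path.rsplit('\\', 1)[-1].lower()
    if base in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM32 + '\\'):
        return Finding(line, f"{base} running from outside system32")
    return None


def check_o1(line):
    """Flag hosts-file overrides that redirect a name somewhere other than loopback."""
    m = O1_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    if ip not in LOOPBACK:
        first = m.group("hosts").split()[0]
        return Finding(line, f"hosts override maps {first} to {ip}")
    return None


def triage(log_text):
    """Run both checks over every line and collect the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        f = check_o4(line) or check_o1(line)
        if f:
            findings.append(f)
    return findings


# Sample input: lines from the log above, plus one constructed [Evil] entry.
SAMPLE_LOG = r"""
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Smr] "C:\WINDOWS\T?sks\n?tdde.exe" 99001275
O4 - HKCU\..\Run: [Uje] C:\WINDOWS\system32\?ymantec\r?ndll32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evil] C:\Documents and Settings\Admin\rundll32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60s} <- {f.line}")
```

The "?" test is the one that matters for this infection: the ccApp and ctfmon lines pass because their paths are plain ASCII and the binary sits where it belongs, while every Vundo entry fails it regardless of which legitimate name it is imitating. The loopback check for O1 is deliberately narrow; entries that map a name to 127.0.0.1 are usually a hosts-based ad blocker, whereas entries pointing at real addresses (here the WinMX cache servers) deserve a look even when benign.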

#2
fenzodahl512
  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo... Firstly, do you use the WinMX program? Please do the following...

Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.




Regards
fenzodahl512

#3
FaMaK
  • Topic Starter
  • Member
  • 64 posts
Thank you for your response, I do not know what WinMX is so I cannot confirm that I am using it. I am having a problem, I downloaded Combofix and tried to run it 3 times based on the instructions, however, the computer crashed every time I tried to run it just after it states that it changed the clock. Please help. Thanks.

#4
fenzodahl512
  • Malware Removal
  • 9,863 posts

Thank you for your response, I do not know what WinMX is so I cannot confirm that I am using it. I am having a problem, I downloaded Combofix and tried to run it 3 times based on the instructions, however, the computer crashed every time I tried to run it just after it states that it changed the clock. Please help. Thanks.


Please rename it to Combo-Fix and run it again..

About WinMX, here's the link.. It's a p2p program.. If you don't use it, please remove it :)

http://www.slyck.com/winmx.php

Edited by fenzodahl512, 14 August 2008 - 04:04 PM.


#5
FaMaK
  • Topic Starter
  • Member
  • 64 posts
I renamed Combofix to Combo-fix, tried to run the program and the computer crashed again...

#6
fenzodahl512
  • Malware Removal
  • 9,863 posts
Ok.. Try to run Combo-Fix in Safe Mode then post the log here..


If you still can't then, do below in Normal Mode..


Please download CleanUp! by stevengould.org and save it to your Desktop.
  • Double-click CleanUp452.exe and install CleanUp! to your computer
  • Open CleanUp! and click on Options.. button.
  • Under General tab, choose Standard CleanUp! and then click Ok
  • Click on the CleanUp! button. When it asks you to log off Windows, click on Yes
  • Let Windows reboot (or do it manually) and continue with the next step




NEXT


Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • In the Processes, Services, Drivers and Registry section set on Non-Microsoft.
  • In the Rootkit Search section, set to Yes
  • In the Files Created Within and Files Modified Within section, set it on 90 Days
  • At the bottom, tick on all Non-Microsoft Only and Include All Unicode Names option
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      Reg - Desktop Components
      Reg - Disabled MS Config Items
      Reg - ContolSets
      File - Additional Folder Scans
      File - Lop Check
      File - Purity Scan
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.



Regards
fenzodahl512


------EDIT--------

I'm off to bed now.. so, we'll continue tomorrow ok?

Thank you :)

Edited by fenzodahl512, 14 August 2008 - 04:22 PM.


#7
FaMaK
  • Topic Starter
  • Member
  • 64 posts
OK, thanks! This worked in safe mode... attached is the ComboFix log as well as the HijackThis log.
I could not seem to find WinMX to remove it, please advise. Thanks!!


ComboFix 08-08-14.01 - Admin 2008-08-14 18:32:12.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.301 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\V6M4MV5J\interclick.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\V6M4MV5J\interclick.com\ud.sol
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\V6M4MV5J\www.broadcaster.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Admin\Application Data\SCURIT~1
C:\Documents and Settings\Admin\Application Data\SMANTE~1
C:\Documents and Settings\Admin\Application Data\SSTEM~1
C:\Documents and Settings\Admin\Application Data\YSTEM~1
C:\Documents and Settings\Admin\My Documents\CROSOF~1
C:\Documents and Settings\Admin\My Documents\FNTS~1
C:\Documents and Settings\Admin\My Documents\FNTS~2
C:\Documents and Settings\Admin\My Documents\MANTEC~1
C:\Documents and Settings\Admin\My Documents\SMBOLS~1
C:\Documents and Settings\Admin\My Documents\WNSXS~1
C:\Program Files\asks~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ystem~1
C:\Program Files\curity~1
C:\Program Files\icroso~1.net
C:\Program Files\mcroso~1
C:\Program Files\mcroso~1.net
C:\Program Files\racle~1
C:\Program Files\stem~1
C:\windows\dobe~1
C:\windows\mantec~1
C:\windows\smante~1
C:\windows\sstem3~1
C:\windows\system32\asks~1
C:\windows\system32\crosof~1
C:\windows\system32\crosof~1.net
C:\windows\system32\dlahzd.dll
C:\windows\system32\dpbvuwrc.dll
C:\windows\system32\ecurit~1
C:\windows\system32\fnts~1
C:\windows\system32\isocgblo.ini
C:\windows\system32\mkwzfr.dll
C:\windows\system32\pxtndcbr.dll
C:\windows\system32\qmopdtme.dll
C:\windows\system32\scurit~1
C:\windows\system32\ultpwnky.dll
C:\windows\system32\vwyywhfb.dll
C:\windows\system32\wnstsisu32.exe
C:\windows\system32\wnstssv.exe
C:\windows\system32\xsihoq.dll
C:\windows\system32\ymante~1
C:\windows\tsks~1

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-14 18:34 . 2008-08-14 18:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-14 17:38 . 2008-08-14 17:40 <DIR> d-------- C:\ComboFix
2008-08-14 13:33 . 2008-08-14 18:25 5,201 --a------ C:\logfile
2008-08-12 20:40 . 2008-08-12 20:40 19 --a------ C:\WINDOWS\GeoIpCtr.ini
2008-08-12 20:03 . 2008-08-12 20:04 512 --a------ C:\WINDOWS\GeoImageProcess.ini
2008-08-12 19:08 . 2008-08-12 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-12 18:49 . 2008-08-12 18:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 18:49 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-12 18:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 00:12 . 2008-08-14 18:26 686 --a------ C:\WINDOWS\geohealth-08.ini
2008-07-24 12:26 . 2008-07-24 12:26 86,041 --a------ C:\WINDOWS\hpqins09.dat
2008-07-22 17:40 . 2008-07-22 17:40 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-07-22 17:40 . 2004-08-16 21:00 413,696 --a------ C:\WINDOWS\system32\msvcc5ce.rra
2008-07-22 17:40 . 2005-06-20 19:29 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2008-07-22 17:39 . 2008-07-22 17:40 <DIR> d-------- C:\Program Files\ArcSoft
2008-07-22 17:39 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-07-22 17:39 . 2003-12-19 04:50 167,936 --a------ C:\WINDOWS\system32\ArcSoft Screen Saver.scr
2008-07-21 14:27 . 2008-07-21 14:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\muvee Technologies
2008-07-21 14:22 . 2008-07-21 14:22 <DIR> d-------- C:\Program Files\muvee Technologies
2008-07-21 14:22 . 2008-07-21 14:22 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-07-21 14:21 . 2008-07-21 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-07-21 14:20 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-07-21 14:20 . 2001-05-16 17:54 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-07-21 14:20 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-07-21 14:19 . 2008-07-24 15:42 <DIR> d-------- C:\WINDOWS\V58N
2008-07-21 14:19 . 2008-07-24 15:42 <DIR> d-------- C:\Program Files\DV 8800N

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 00:47 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2008-08-11 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-04 06:19 94,208 ----a-w C:\windows\DUMP5dfe.tmp
2008-07-30 22:42 23,888 ----a-w C:\windows\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\windows\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\windows\system32\drivers\coh_mon.cat
2008-07-23 04:50 94,208 ----a-w C:\windows\DUMP6764.tmp
2008-07-22 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-09 00:50 --------- d-----w C:\Program Files\X-Cleaner
2008-07-09 00:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-09 00:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-09 00:23 806 ----a-w C:\windows\system32\drivers\SYMEVENT.INF
2008-07-09 00:23 60,808 ----a-w C:\windows\system32\S32EVNT1.DLL
2008-07-09 00:23 136,496 ----a-w C:\windows\system32\drivers\SYMEVENT.SYS
2008-07-09 00:23 10,652 ----a-w C:\windows\system32\drivers\SYMEVENT.CAT
2008-07-09 00:23 --------- d-----w C:\Program Files\Symantec
2008-07-09 00:08 --------- d-----w C:\Program Files\WinMX
2008-07-08 23:48 --------- d-----w C:\Program Files\Panda Security
2008-07-08 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 22:06 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-07-08 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-08 22:06 --------- d-----w C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-07-08 22:04 --------- d-----w C:\Program Files\Yahoo!
2008-07-08 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-08 22:00 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVG7
2008-07-08 21:44 --------- d-----w C:\Program Files\Citrix
2008-07-07 20:32 253,952 ----a-w C:\windows\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\windows\system32\SETCE.tmp
2008-06-23 16:57 826,368 ----a-w C:\windows\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\windows\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\windows\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\windows\system32\drivers\tcpip6.sys
2006-01-04 17:33 8,665 ----a-w C:\Documents and Settings\Admin\04.exe
2006-01-04 17:33 8,665 ----a-w C:\Documents and Settings\Admin\03.exe
2006-01-04 17:33 8,665 ----a-w C:\Documents and Settings\Admin\02.exe
2004-08-04 12:00 94,784 --sh--w C:\windows\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\windows\twain_32.dll
2004-08-04 12:00 1,028,096 --sh--w C:\windows\system32\mfc42.dll
2004-08-04 12:00 54,784 --sh--w C:\windows\system32\msvcirt.dll
2004-08-04 12:00 413,696 --sh--w C:\windows\system32\msvcp60.dll
2004-08-04 12:00 343,040 --sh--w C:\windows\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\windows\system32\oleaut32.dll
2004-08-04 12:00 83,456 --sh--w C:\windows\system32\olepro32.dll
2004-08-04 12:00 11,776 --sh--w C:\windows\system32\regsvr32.exe
.

------- Sigcheck -------

2006-01-06 03:54 502272 6225f14b8ce08ccba8b25ad27843c674 C:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 360,448 2004-12-16 21:47:14 C:\DDNS\bak\bak\DNSClient.exe
----a-w 360,448 2004-12-16 21:47:14 C:\DDNS\DNSClient.exe

----a-w 360,448 2004-12-16 21:47:14 C:\DDNS\bak\bak\DNSClient.exe

----a-w 860,160 2004-08-06 12:27:56 C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe

----a-w 1,388,544 2004-10-14 14:11:10 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe

----a-w 344,064 2005-09-15 02:05:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 368,706 2002-09-11 02:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe

----a-w 57,344 2001-07-03 14:11:52 C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe

----a-w 49,152 2005-12-15 16:18:50 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 282,624 2006-10-12 02:43:07 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-06-29 11:24:52 C:\Program Files\QuickTime\QTTask.exe

----a-w 380,928 2003-12-10 09:52:40 C:\Program Files\SBC Self Support Tool\SmartBridge\bak\MotiveSB.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smr"="C:\WINDOWS\T?sks\n?tdde.exe" [?]
"Uje"="C:\WINDOWS\system32\?ymantec\r?ndll32.exe" [?]
"Bkvfu"="C:\Program Files\?asks\n?lookup.exe" [?]
"Ouctvzk"="C:\WINDOWS\??mantec\m?iexec.exe" [?]
"Gdwg"="C:\Documents and Settings\Admin\My Documents\??mantec\n?lookup.exe" [?]
"Yhwxa"="C:\WINDOWS\system32\?asks\n?lookup.exe" [?]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [N/A]
"DNSClient"="C:\DDNS\DNSClient.exe" [2004-12-16 16:47 360448]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00 267064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 15:15 115560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 05:10:26 282624]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2008-07-22 17:39:45 110592]
MultiCam Auto Start.lnk - C:\GV1120\DM500Startup.exe [2006-06-28 15:22:16 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.GM20"= GXGM20.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll
"vidc.GEOV"= C:\WINDOWS\system32\GeoCodec.dll
"vidc.G264"= GX264.dll
"vidc.GMP4"= GXAMP4.dll
"vidc.GM40"= GXAMP4.dll
"vidc.mp42"= C:\windows\Mpg4c32.dll
"vidc.mp43"= C:\windows\Mpg4c32.dll
"vidc.mpg4"= C:\windows\Mpg4c32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=C:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\windows\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\GV1120\\AudioServer.exe"=
"C:\\GV1120\\WebCamServer.exe"=
"C:\\GV1120\\BcastTcp.exe"=
"C:\\GV1120\\DMMcast.exe"=
"C:\\GV1120\\TCPsvr.exe"=
"C:\\GV1120\\GV1120.exe"=
"C:\\GV1120\\DMWebCam.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\GV1120\\TwinServer.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 hotcore;hotcore;C:\windows\system32\drivers\hotcore.sys [2004-07-08 07:47]
R3 GVECP;GVECP;C:\windows\system32\drivers\GVECP.sys [2006-01-18 02:36]
S3 COH_Mon;COH_Mon;C:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\windows\system32\drivers\mbamswissarmy.sys [2008-07-30 20:07]
.
- - - - ORPHANS REMOVED - - - -

Notify-stp68_2007 - stp68_2007.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\30osf56i.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 18:39:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]
"ImagePath"="a"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-14 18:48:13 - machine was rebooted [Admin]
ComboFix-quarantined-files.txt 2008-08-14 23:47:53

Pre-Run: 69,616,001,024 bytes free
Post-Run: 68,983,889,920 bytes free

291 --- E O F --- 2008-07-23 17:01:37


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46, on 2008-08-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\windows\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system32\cmd.exe
C:\DDNS\DNSClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\system32\findstr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DNSClient] "C:\DDNS\DNSClient.exe" 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Smr] "C:\WINDOWS\T?sks\n?tdde.exe" 99001275
O4 - HKCU\..\Run: [Uje] C:\WINDOWS\system32\?ymantec\r?ndll32.exe
O4 - HKCU\..\Run: [Bkvfu] "C:\Program Files\?asks\n?lookup.exe"
O4 - HKCU\..\Run: [Ouctvzk] C:\WINDOWS\??mantec\m?iexec.exe
O4 - HKCU\..\Run: [Gdwg] "C:\Documents and Settings\Admin\My Documents\??mantec\n?lookup.exe"
O4 - HKCU\..\Run: [Yhwxa] C:\WINDOWS\system32\?asks\n?lookup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: MultiCam Auto Start.lnk = C:\GV1120\DM500Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extraweb-ame...web/iNotes6.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://servicehonda....TSWeb/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: stp68_2007 - stp68_2007.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 6575 bytes

#8 fenzodahl512 (Malware Removal, 9,863 posts)
Double-posted

Edited by fenzodahl512, 15 August 2008 - 01:05 AM.


#9 fenzodahl512 (Malware Removal, 9,863 posts)
Do this in Normal Mode if possible.. If you can't, then do it in Safe Mode..


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O20 - Winlogon Notify: stp68_2007 - stp68_2007.dll (file missing)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::

File::
C:\windows\system32\SETCE.tmp
C:\Documents and Settings\Admin\04.exe
C:\Documents and Settings\Admin\04.exe
C:\Documents and Settings\Admin\02.exe

Folder::
C:\WINDOWS\T?sks
C:\WINDOWS\system32\?ymantec
C:\Program Files\?asks
C:\WINDOWS\??mantec
C:\Documents and Settings\Admin\My Documents\??mantec
C:\WINDOWS\system32\?asks

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smr"=-
"Uje"=-
"Bkvfu"=-
"Ouctvzk"=-
"Gdwg"=-
"Yhwxa"=-

AWF::
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\SBC Self Support Tool\SmartBridge\bak\MotiveSB.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

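The six HKCU Run entries fenzodahl512 targets above share one tell: their paths contain characters HijackThis could not render (shown as `?`, which is not a legal Windows filename character) and the folder and file names mimic real ones such as `Tasks`, `Symantec`, `rundll32.exe`, `nslookup.exe` and `msiexec.exe`. The script below is an added example, not code from this thread or from HijackThis, that parses O4 lines and flags entries on exactly those two signals. It assumes HijackThis prints `?` for any unrenderable character, and its lists of system names are a small illustrative set; the sample log is constructed from the O4 lines already posted in this thread plus a few benign ones for contrast.

```python
"""Flag HijackThis O4 (autostart) entries whose paths use look-alike names.

Added example, not part of the Geeks to Go thread or of HijackThis itself.
Assumption: HijackThis prints '?' for any character it cannot render, so a
'?' in a logged path means the real character was something else (a
look-alike letter), since '?' itself is not a legal Windows filename character.
"""
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log in this thread,
# plus a few benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Smr] "C:\WINDOWS\T?sks\n?tdde.exe" 99001275
O4 - HKCU\..\Run: [Uje] C:\WINDOWS\system32\?ymantec\r?ndll32.exe
O4 - HKCU\..\Run: [Bkvfu] "C:\Program Files\?asks\n?lookup.exe"
O4 - HKCU\..\Run: [Ouctvzk] C:\WINDOWS\??mantec\m?iexec.exe
O4 - HKCU\..\Run: [Gdwg] "C:\Documents and Settings\Admin\My Documents\??mantec\n?lookup.exe"
O4 - HKCU\..\Run: [Yhwxa] C:\WINDOWS\system32\?asks\n?lookup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
"""

# Illustrative lists only (assumption): names malware commonly imitates.
SYSTEM_EXES = ("rundll32.exe", "nslookup.exe", "msiexec.exe", "netdde.exe",
               "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "ctfmon.exe")
SYSTEM_FOLDERS = ("Tasks", "Symantec", "system32", "WINDOWS", "Program Files")

RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_LINE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First token ending in an executable extension, with optional surrounding quotes.
EXE_PATH = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd))"?(?=\s|$)', re.I)


@dataclass
class Finding:
    name: str            # the Run value name, e.g. "Smr"
    path: str            # the executable path extracted from the command
    reasons: list = field(default_factory=list)


def lookalike_of(component, known):
    """Return the known name this path component mimics, or None.

    The component is used as a glob: each '?' stands for one unrenderable
    character, so 'r?ndll32.exe' matches 'rundll32.exe'.
    """
    if "?" not in component:
        return None
    for real in known:
        if fnmatch.fnmatchcase(real.lower(), component.lower()):
            return real
    return None


def inspect_entry(name, cmd):
    """Build a Finding for one O4 entry; reasons stays empty if nothing is odd."""
    m = EXE_PATH.match(cmd.strip())
    path = m.group("path") if m else cmd.strip()
    finding = Finding(name, path)
    if "?" in path or any(ord(ch) > 127 for ch in path):
        finding.reasons.append("path contains characters HijackThis could not render")
    parts = path.split("\\")
    for folder in parts[:-1]:
        real = lookalike_of(folder, SYSTEM_FOLDERS)
        if real:
            finding.reasons.append(f"folder {folder!r} mimics {real!r}")
    real = lookalike_of(parts[-1], SYSTEM_EXES)
    if real:
        finding.reasons.append(f"file {parts[-1]!r} mimics {real!r}")
    return finding


def analyze(log_text):
    """Return Findings for every O4 entry that triggered at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_LINE.match(line) or STARTUP_LINE.match(line)
        if not m:
            continue
        finding = inspect_entry(m.group("name"), m.group("cmd"))
        if finding.reasons:
            findings.append(finding)
    return findings


def suspicious_names(log_text):
    """Sorted Run value names that the analysis flagged."""
    return sorted(f.name for f in analyze(log_text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.name}] {f.path}")
        for reason in f.reasons:
            print("    -", reason)
```

Run against the sample it reports exactly the six value names listed in the CFScript above (Smr, Uje, Bkvfu, Ouctvzk, Gdwg, Yhwxa) and nothing for ccApp, ctfmon.exe, updateMgr or the startup-folder shortcut. The `?` test alone would already catch these entries; the glob comparison adds the reason a reviewer wants in the report, namely which legitimate name each folder or file is imitating.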

#10 FaMaK (Topic Starter, Member, 64 posts)
Thanks again for helping. Everything worked fine except for ComboFix, which I had to do under Safe Mode, but it seemed to work fine. Also, I could not find "O20 - Winlogon Notify: stp68_2007 - stp68_2007.dll (file missing)" in HijackThis, so I could not delete it. Logs posted below:


ComboFix 08-08-14.01 - Admin 2008-08-15 11:56:45.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.362 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\Virus removal tools\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\Virus removal tools\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Admin\02.exe
C:\Documents and Settings\Admin\04.exe
C:\windows\system32\SETCE.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\02.exe
C:\Documents and Settings\Admin\04.exe
C:\windows\system32\SETCE.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-14 18:53 . 2008-08-14 18:53 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-14 18:34 . 2008-08-14 18:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-14 17:38 . 2008-08-14 17:40 <DIR> d-------- C:\ComboFix
2008-08-14 13:33 . 2008-08-15 11:51 7,742 --a------ C:\logfile
2008-08-12 20:40 . 2008-08-12 20:40 19 --a------ C:\WINDOWS\GeoIpCtr.ini
2008-08-12 20:03 . 2008-08-12 20:04 512 --a------ C:\WINDOWS\GeoImageProcess.ini
2008-08-12 19:08 . 2008-08-12 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-12 18:49 . 2008-08-12 18:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 18:49 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-12 18:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 00:12 . 2008-08-15 11:52 835 --a------ C:\WINDOWS\geohealth-08.ini
2008-07-24 12:26 . 2008-07-24 12:26 86,041 --a------ C:\WINDOWS\hpqins09.dat
2008-07-22 17:40 . 2008-07-22 17:40 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-07-22 17:40 . 2004-08-16 21:00 413,696 --a------ C:\WINDOWS\system32\msvcc5ce.rra
2008-07-22 17:40 . 2005-06-20 19:29 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2008-07-22 17:39 . 2008-07-22 17:40 <DIR> d-------- C:\Program Files\ArcSoft
2008-07-22 17:39 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-07-22 17:39 . 2003-12-19 04:50 167,936 --a------ C:\WINDOWS\system32\ArcSoft Screen Saver.scr
2008-07-21 14:27 . 2008-07-21 14:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\muvee Technologies
2008-07-21 14:22 . 2008-07-21 14:22 <DIR> d-------- C:\Program Files\muvee Technologies
2008-07-21 14:22 . 2008-07-21 14:22 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-07-21 14:21 . 2008-07-21 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-07-21 14:20 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-07-21 14:20 . 2001-05-16 17:54 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-07-21 14:20 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-07-21 14:19 . 2008-07-24 15:42 <DIR> d-------- C:\WINDOWS\V58N
2008-07-21 14:19 . 2008-07-24 15:42 <DIR> d-------- C:\Program Files\DV 8800N

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 17:01 --------- d-----w C:\Program Files\QuickTime
2008-08-13 00:47 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2008-08-11 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 22:42 23,888 ----a-w C:\windows\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\windows\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\windows\system32\drivers\coh_mon.cat
2008-07-22 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-09 00:50 --------- d-----w C:\Program Files\X-Cleaner
2008-07-09 00:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-09 00:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-09 00:23 806 ----a-w C:\windows\system32\drivers\SYMEVENT.INF
2008-07-09 00:23 60,808 ----a-w C:\windows\system32\S32EVNT1.DLL
2008-07-09 00:23 136,496 ----a-w C:\windows\system32\drivers\SYMEVENT.SYS
2008-07-09 00:23 10,652 ----a-w C:\windows\system32\drivers\SYMEVENT.CAT
2008-07-09 00:23 --------- d-----w C:\Program Files\Symantec
2008-07-09 00:08 --------- d-----w C:\Program Files\WinMX
2008-07-08 23:48 --------- d-----w C:\Program Files\Panda Security
2008-07-08 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 22:06 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-07-08 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-08 22:06 --------- d-----w C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-07-08 22:04 --------- d-----w C:\Program Files\Yahoo!
2008-07-08 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-08 22:00 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVG7
2008-07-08 21:44 --------- d-----w C:\Program Files\Citrix
2008-07-07 20:32 253,952 ----a-w C:\windows\system32\es.dll
2008-06-23 16:57 826,368 ----a-w C:\windows\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\windows\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\windows\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\windows\system32\drivers\tcpip6.sys
2006-01-04 17:33 8,665 ----a-w C:\Documents and Settings\Admin\03.exe
2004-08-04 12:00 94,784 --sh--w C:\windows\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\windows\twain_32.dll
2004-08-04 12:00 1,028,096 --sh--w C:\windows\system32\mfc42.dll
2004-08-04 12:00 54,784 --sh--w C:\windows\system32\msvcirt.dll
2004-08-04 12:00 413,696 --sh--w C:\windows\system32\msvcp60.dll
2004-08-04 12:00 343,040 --sh--w C:\windows\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\windows\system32\oleaut32.dll
2004-08-04 12:00 83,456 --sh--w C:\windows\system32\olepro32.dll
2004-08-04 12:00 11,776 --sh--w C:\windows\system32\regsvr32.exe
.

------- Sigcheck -------

2006-01-06 03:54 502272 6225f14b8ce08ccba8b25ad27843c674 C:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-14 21:05 344064]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"DNSClient"="C:\DDNS\DNSClient.exe" [2004-12-16 16:47 360448]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-11 21:43 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00 267064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 15:15 115560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 05:10:26 282624]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2008-07-22 17:39:45 110592]
MultiCam Auto Start.lnk - C:\GV1120\DM500Startup.exe [2006-06-28 15:22:16 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.GM20"= GXGM20.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll
"vidc.GEOV"= C:\WINDOWS\system32\GeoCodec.dll
"vidc.G264"= GX264.dll
"vidc.GMP4"= GXAMP4.dll
"vidc.GM40"= GXAMP4.dll
"vidc.mp42"= C:\windows\Mpg4c32.dll
"vidc.mp43"= C:\windows\Mpg4c32.dll
"vidc.mpg4"= C:\windows\Mpg4c32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=C:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\windows\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\GV1120\\AudioServer.exe"=
"C:\\GV1120\\WebCamServer.exe"=
"C:\\GV1120\\BcastTcp.exe"=
"C:\\GV1120\\DMMcast.exe"=
"C:\\GV1120\\TCPsvr.exe"=
"C:\\GV1120\\GV1120.exe"=
"C:\\GV1120\\DMWebCam.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\GV1120\\TwinServer.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 hotcore;hotcore;C:\windows\system32\drivers\hotcore.sys [2004-07-08 07:47]
R3 GVECP;GVECP;C:\windows\system32\drivers\GVECP.sys [2006-01-18 02:36]
S3 COH_Mon;COH_Mon;C:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\windows\system32\drivers\mbamswissarmy.sys [2008-07-30 20:07]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 12:01:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]
"ImagePath"="a"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\GV1120\GV1120.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\GV1120\BcastTcp.exe
C:\GV1120\DmHealthSvr.exe
C:\GV1120\DMMailServer.exe
C:\WINDOWS\SoftwareDistribution\Download\cb5a6e6205e8e4bf4d746b7f5bcdd148\update\update.exe
.
**************************************************************************
.
Completion time: 2008-08-15 12:12:00 - machine was rebooted [Admin]
ComboFix-quarantined-files.txt 2008-08-15 17:11:31
ComboFix2.txt 2008-08-14 23:48:19

Pre-Run: 69,536,165,888 bytes free
Post-Run: 68,952,625,152 bytes free

215 --- E O F --- 2008-07-23 17:01:37


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:46 PM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\windows\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\DDNS\DNSClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\GV1120\GV1120.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\GV1120\BcastTcp.exe
C:\GV1120\DmHealthSvr.exe
C:\GV1120\DMMailServer.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DNSClient] "C:\DDNS\DNSClient.exe" 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: MultiCam Auto Start.lnk = C:\GV1120\DM500Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 5974 bytes
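The O4, O9 and O23 lines in the HijackThis log above are the ones a volunteer reads first: who publishes each service, and where its binary lives. The triage helper below is an added example for this thread, not code from HijackThis or F-Secure; it parses the line shapes that actually appear in the log above, flags the things a reviewer would check by hand (an "Unknown owner" publisher, a binary sitting in a temp or user-writable folder, a nameless entry whose path must be verified, an ActiveX download that is not served over HTTPS), and nothing more. The "Example Updater" service and the O16 line in the sample are constructed entries for illustration and do not come from the log; the ATI, MultiCam, xpnetdiag and Symantec lines are quoted from the log as posted.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not HijackThis or F-Secure code.  It parses the O4 (Global
Startup), O9, O16 and O23 line shapes seen in the log above, pulls out the
name, publisher and path/URL, and attaches review flags a human would want
to follow up on.  Other O4 variants (HKLM\\..\\Run: [Name] path) are not
parsed here and return None.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes taken from the log above.
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - (?P<where>[^:]+): (?P<item>.+?) = (?P<path>.+)$")
_O9 = re.compile(
    r"^O9 - Extra (?:button|'Tools' menuitem): (?P<item>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)
_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>.+?)\) - (?P<url>.+)$")

# Folders where a legitimately installed service or startup binary rarely lives.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\local settings\\",
                   "\\application data\\", "\\recycler\\")


@dataclass
class Entry:
    kind: str                 # O4 / O9 / O16 / O23
    name: str                 # service name, startup item, button label or control name
    path: str                 # executable path, or download URL for O16
    vendor: Optional[str] = None   # publisher field (O23 only)
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised line, or None for anything else."""
    line = line.strip()
    m = _O23.match(line)
    if m:
        return Entry("O23", m["name"], m["path"], m["vendor"])
    m = _O4.match(line)
    if m:
        return Entry("O4", m["item"], m["path"])
    m = _O9.match(line)
    if m:
        return Entry("O9", m["item"], m["path"])
    m = _O16.match(line)
    if m:
        return Entry("O16", m["desc"], m["url"])
    return None


def flag(entry: Entry) -> Entry:
    """Attach the review flags a log reader would raise for this entry."""
    low = entry.path.lower()
    if entry.vendor is not None and entry.vendor.strip().lower() == "unknown owner":
        entry.flags.append("unknown publisher")
    if any(d in low for d in SUSPICIOUS_DIRS):
        entry.flags.append("binary in temp/user-writable directory")
    if entry.kind in ("O4", "O9") and entry.name.strip().lower() == "(no name)":
        # Not malicious by itself (xpnetdiag shows up this way), but the path must be checked.
        entry.flags.append("nameless entry, verify path")
    if entry.kind == "O16" and not low.startswith("https://"):
        entry.flags.append("ActiveX control not downloaded over HTTPS")
    return entry


def triage(lines) -> List[Entry]:
    """Parse and flag every recognised line; unrecognised lines are skipped."""
    return [flag(e) for e in (parse_line(l) for l in lines) if e is not None]


def flagged(lines) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in triage(lines) if e.flags]


# Sample input: four lines quoted from the log above plus two CONSTRUCTED
# entries (Example Updater, Constructed Control) that are not from the log.
SAMPLE = [
    r"O4 - Global Startup: MultiCam Auto Start.lnk = C:\GV1120\DM500Startup.exe",
    r"O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe",
    r"O23 - Service: Example Updater - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\updater.exe",  # constructed
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Control) - http://example.invalid/constructed.cab",  # constructed
]

if __name__ == "__main__":
    for e in flagged(SAMPLE):
        print(f"{e.kind} {e.name!r}: {', '.join(e.flags)}  ({e.path})")
```

The flags are prompts, not verdicts: the real ATI Smart service on this machine is also listed as "Unknown owner", which is why the helper reports it and why the human reviewer still compares the path against a known-good install before deciding anything.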

#11
fenzodahl512
  • Malware Removal
  • 9,863 posts
Let's run F-Secure online scan for Viruses, Spyware and RootKits:
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient
Tell me, how is your computer now?


Regards
fenzodahl512 :)

#12
FaMaK
  • Topic Starter
  • Member
  • PipPip
  • 64 posts
The computer seems to be running great, no more popups! The scan only found a tracking cookie and cleaned it. I am guessing that we are done? If we are, thanks so much for your great help!!

Scanning Report
Friday, August 15, 2008 14:26:17 - 20:23:44

Computer name: ADMIN-
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\
Result: 1 malware found
Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 30846
* System: 3433
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{D1B3F040-2B7E-4095-9BC1-E62CD77AECC1}.BIN

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-08-15
* F-Secure AVP: 7.0.171, 2008-08-15
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

#13
fenzodahl512
  • Malware Removal
  • 9,863 posts
Good news... Your logs look clean to me...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed


Lastly, to keep your operating system up to date please visit the link below monthly

Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

#14
FaMaK
  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Computer is running great, thanks for all of your help!! You guys/gals are great!

#15
fenzodahl512
  • Malware Removal
  • 9,863 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.