Unsolved
11 Posts
0
1172
Cannot remove all trojan.vundo
I recently was infected with trojan.vundo, yet Norton did not remove all of the problem. I'm still getting the nasty popup pages when I search the web.
After reading several support forums I found that XoftSpySe and Spyhunter3 were good programs to continue removing this nasty problem. XoftSpySe does not appear to find any problem other than some adware. Support has sent me a couple of registry fixes, yet nothing has actually been done. Spyhunter3 detects several files marked infected with trojan.vundo yet does not remove them. It tells me they could not be removed until after a reboot, yet after the reboot nothing happens. Support has also sent a couple of fixes, but there is no resolution yet. So here I am with HijackThis to see if we can get a little further along with this problem.
Here are some of the problems Spyhunter finds but does not remove:
mlJCVlJy.dll - Trojan.vundo - Memory
{8E1BFC0E-8AD2-424D-AC8A-06038481516E} - Trojan.vundo - registry key
{8E1BFC0E-8AD2-424D-AC8A-06038481516E} - Trojan.vundo - registry value
{8E1BFC0E-8AD2-424D-AC8A-06038481516E} - Trojan.vundo - registry key again
InprocServer32 - Trojan.vundo - registry value
Below is my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:43:23 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.instafinder.com/addsearch.asp?err=ADD&url=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://37.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Instafinder] C:\Program Files\Instafinder\instafinder.exe
O4 - HKLM\..\Run: [e435bda0] rundll32.exe "C:\WINDOWS\system32\lgterdcl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177987668671
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177991148140
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
Any help would be greatly appreciated.
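The things a removal helper reads off a log like the one above can be checked mechanically: a Run value whose name is a random-looking hex string, a rundll32 command that loads a short-named DLL from system32, an O18 filter or O23 service whose file is reported missing, and a browser search page redirected to a third-party URL with parameters. The script below is an added example, not part of the thread and not HijackThis code; the heuristics are assumptions of this example and only mark lines for review, and the sample lines are copied from the log in the post.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not part of the original thread and not HijackThis code.
It parses R0/R1, O4, O18 and O23 lines and marks the ones a removal helper
would want to look at first. The heuristics are assumptions of this example
and produce review flags, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.instafinder.com/addsearch.asp?err=ADD&url=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [e435bda0] rundll32.exe "C:\WINDOWS\system32\lgterdcl.dll",b
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


# Run value named like a random 8-digit hex string (e.g. "e435bda0").
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
# DLL under system32 whose base name is exactly eight letters.
EIGHT_LETTER_DLL = re.compile(r"system32\\[A-Za-z]{8}\.dll", re.IGNORECASE)
O4_LINE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R_LINE = re.compile(r"^(?P<sec>R[0-3]) - (?P<key>.+?) = (?P<value>.*)$")


def triage(log_text: str) -> List[Finding]:
    """Return review flags for the lines of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O4":
            m = O4_LINE.match(line)
            if not m:
                continue
            name, cmd = m.group("name"), m.group("cmd")
            if HEX_NAME.match(name):
                findings.append(Finding("O4", "Run value named with eight hex digits", line))
            elif "rundll32" in cmd.lower() and EIGHT_LETTER_DLL.search(cmd):
                findings.append(Finding("O4", "rundll32 loads an eight-letter DLL from system32", line))
        elif section == "O18" and line.endswith("(no file)"):
            findings.append(Finding("O18", "MIME filter registered but its DLL is gone", line))
        elif section == "O23" and line.endswith("(file missing)"):
            findings.append(Finding("O23", "service path could not be resolved; verify it", line))
        elif section in ("R0", "R1", "R3"):
            m = R_LINE.match(line)
            if m and "?" in m.group("value"):
                findings.append(Finding(section, "browser start/search override carries query parameters", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

An O23 flag is a prompt to verify the path, not a sign of infection: HijackThis 1.99.1 reports "(file missing)" for service paths that carry quotes and arguments, and the Symantec entries in this log are a case in point, since ccSvcHst.exe appears twice in the running-process list at the top of the same log.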
bamajim
10.4K Posts
0
April 16th, 2008 12:00
I disagree with your assessment of XoftSpySe.
Please download Combofix and save to your desktop:
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
"The world is what you make of it"
Sylwyn
10 Posts
0
April 16th, 2008 15:00
I would suggest running Combofix from Safe Mode. It's usually more effective. Also, if there are certain files you are having trouble removing, you can create a script file to point combofix at any other file that it may not pick up on its own. This is especially useful when dealing with infections that generate random file names. Also, clear your temp files with a tool such as ATF Cleaner or CCleaner beforehand, or your combofix scan could take extremely long. It should only be 10-15 minutes.
Bugbatter
20.5K Posts
0
April 16th, 2008 15:00
Sylwyn
10 Posts
0
April 16th, 2008 16:00
Agitated
11 Posts
0
April 16th, 2008 18:00
Sorry, I'm having DNS issues resolving dellcommunity.com/ at the moment from my home ISP.
Tracing route to dellcommunity.com [208.74.204.75]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 172.25.185.1
2 25 ms 25 ms 25 ms 172.25.187.102
3 83 ms 82 ms 83 ms 172.23.10.1
4 82 ms 82 ms 85 ms 172.16.110.1
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
Pinging dellcommunity.com [208.74.204.75] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
As soon as I can access the site again I will download and run file.
Thank you again for your help!
bamajim
10.4K Posts
0
April 16th, 2008 18:00
I myself am a Malware Removal Expert,
Then you should know that it is not a good idea for more than one person to work with one poster at a time. Getting a number of people trying to fix the same infection is confusing.
I would suggest running Combofix from Safe Mode. It's usually more effective.
Not so. It may be quicker at times, depending on the infection, but has nothing to do with the effectiveness of the tool.
Having addressed these 2 items, and choosing to ignore the rest, suffice it to say I would appreciate it if you would not interfere in the threads that I have posted the first answer to. The Hijackthis board is not a discussion forum, nor a free for all.
@Agitated
Please continue with the instructions I have provided.
"The world is what you make of it"
Bugbatter
20.5K Posts
0
April 16th, 2008 18:00
Agitated
11 Posts
0
April 16th, 2008 23:00
ComboFix 08-04-15.8 - Owner 2008-04-16 17:36:36.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Desktop\virii
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Downloaded Program Files\temp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\afaypnsu.dll
C:\WINDOWS\system32\eNoWDJjl.ini
C:\WINDOWS\system32\eNoWDJjl.ini2
C:\WINDOWS\system32\geBTjKDw.dll
C:\WINDOWS\system32\ljJDWoNe.dll
C:\WINDOWS\system32\mlJCVlJy.dll
C:\WINDOWS\system32\pbinlukl.dll
C:\WINDOWS\system32\phqfxwfa.dll
C:\WINDOWS\system32\rwfcnnqa.dll
C:\WINDOWS\system32\scdafodt.dll
C:\WINDOWS\system32\tdofadcs.ini
C:\WINDOWS\system32\wDKjTBeg.ini
C:\WINDOWS\system32\wDKjTBeg.ini2
C:\WINDOWS\system32\Xcite.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\Web\def.htm
.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.
2008-04-16 17:37 . 2008-04-16 17:37 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-04-16 06:20 . 2008-04-16 12:46 1,118 ---hs---- C:\WINDOWS\system32\wympeecd.ini
2008-04-16 06:17 . 2008-04-16 17:30 101,188 --a------ C:\WINDOWS\BMe7068e3c.xml
2008-04-15 22:10 . 2002-07-26 23:24
2008-04-15 22:10 . 2002-07-26 23:23
2008-04-15 22:10 . 2002-07-26 23:23
2008-04-15 22:10 . 2002-07-26 23:23
2008-04-15 22:10 . 2002-07-26 23:23
2008-04-15 22:10 . 2008-04-15 22:10
2008-04-15 06:20 . 2008-04-16 00:22 826 --ahs---- C:\WINDOWS\system32\lcdretgl.ini
2008-04-14 06:17 . 2008-04-14 06:18 2,002 --ahs---- C:\WINDOWS\system32\itlprbxh.ini
2008-04-13 01:00 . 2008-04-14 06:17 1,942 --ahs---- C:\WINDOWS\system32\bxhdbrpq.ini
2008-04-12 23:43 . 2008-04-13 00:51 766 ---hs---- C:\WINDOWS\system32\weavoqbx.ini
2008-04-12 23:38 . 2008-04-12 23:38 586 ---hs---- C:\WINDOWS\system32\quqrkhql.ini
2008-04-12 22:56 . 2008-04-12 23:24 526 ---hs---- C:\WINDOWS\system32\wceswpfe.ini
2008-04-12 00:19 . 2008-04-12 22:20 998 --ahs---- C:\WINDOWS\system32\jiddpnwm.ini
2008-04-11 00:16 . 2008-04-12 00:16 766 ---hs---- C:\WINDOWS\system32\orpyanqe.ini
2008-04-10 12:15 . 2008-04-10 12:45
2008-04-10 00:19 . 2008-04-10 17:55 414 --ahs---- C:\WINDOWS\system32\ibxdcvjj.ini
2008-04-09 00:44 . 2008-04-09 00:44
2008-04-08 21:20 . 2008-04-08 21:20 294 ---hs---- C:\WINDOWS\system32\xljglqxf.ini
2008-04-07 21:47 . 2008-04-07 21:47
2008-04-07 06:17 . 2008-04-07 17:29 474 ---hs---- C:\WINDOWS\system32\rqrxjpxo.ini
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktop\Trojan.Win32.BlackBird.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktop\FWebdEditor.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktop\fwebd.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktop\fkwp2.0.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktop\fkwp1.5.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktop\filemanagerclient.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktop\EditorFKWP2.0.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktop\EditorFKWP1.5.exe
2008-04-06 18:08 . 2008-04-07 12:17
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:54 --------- d-----w C:\Program Files\Three Rings Design
2008-04-13 20:11 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-04-13 06:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 06:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 05:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-10 18:02 --------- d-----w C:\Program Files\RegCure
2008-04-10 17:33 --------- d-----w C:\Program Files\Lycos
2008-03-25 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-07 00:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-06 19:25 --------- d-----w C:\Program Files\MSBuild
2008-03-06 19:13 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-06 19:09 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-02 17:09 1,728 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-02 16:40 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-02 16:37 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-02 16:04 --------- d-----w C:\Program Files\ZooVet_at
2008-03-02 05:12 86,016 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-01 05:48 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-02-19 20:23 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-19 20:23 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-02-19 19:44 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-19 19:44 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-19 19:44 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-19 19:44 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-19 19:44 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-19 19:44 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-19 19:44 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-19 19:44 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-19 19:44 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-19 19:44 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-02-12 01:49 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2006-05-13 21:01 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-10-04 02:16 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-11 20:52 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"NvCplDaemon"="NvQTwk" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 10:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 05:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 18:39 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53 714608]
"LTMSG"="LTMSG.exe" [2003-07-14 11:52 40960 C:\WINDOWS\ltmsg.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCVlJy]
mlJCVlJy.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a--c--- 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-05-15 05:29 155648 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-05-03 19:06 364544 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
--a--c--- 2005-05-14 16:14 1802240 C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-05-09 10:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 16:01]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 21:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-16 21:22:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-16 06:57:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 10:39:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
"2008-04-16 08:30:01 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
"2008-04-16 22:58:50 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-10 08:00:01 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-16 23:06:49 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-16 10:39:27 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 17:59:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SoftwareDistribution\Download\d61766d223927760d60364c3824ce500\update\update.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-16 18:22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 23:22:00
Pre-Run: 34,214,789,120 bytes free
Post-Run: 34,257,448,960 bytes free
.
2008-02-13 01:47:10 --- E O F ---
bamajim
10.4K Posts
0
April 17th, 2008 00:00
1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\wympeecd.ini
C:\WINDOWS\BMe7068e3c.xml
C:\WINDOWS\system32\lcdretgl.ini
C:\WINDOWS\system32\itlprbxh.ini
C:\WINDOWS\system32\bxhdbrpq.ini
C:\WINDOWS\system32\weavoqbx.ini
C:\WINDOWS\system32\quqrkhql.ini
C:\WINDOWS\system32\wceswpfe.ini
C:\WINDOWS\system32\jiddpnwm.ini
C:\WINDOWS\system32\orpyanqe.ini
C:\WINDOWS\system32\ibxdcvjj.ini
C:\WINDOWS\system32\xljglqxf.ini
C:\WINDOWS\system32\rqrxjpxo.ini
C:\Documents and Settings\Owner\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\Owner\Desktop\FWebdEditor.exe
C:\Documents and Settings\Owner\Desktop\fwebd.exe
C:\Documents and Settings\Owner\Desktop\fkwp2.0.exe
C:\Documents and Settings\Owner\Desktop\fkwp1.5.exe
C:\Documents and Settings\Owner\Desktop\filemanagerclient.exe
C:\Documents and Settings\Owner\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Owner\Desktop\EditorFKWP1.5.exe
Folder::
C:\Documents and Settings\All Users\Application Data\atmhsfoz
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCVlJy]
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop
Using the Image as a reference, drag CFScript into ComboFix.exe
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply
2. Rerun Hijackthis and post a fresh Hijackthis log as well
"The world is what you make of it"
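Before a CFScript like the one above is dragged onto ComboFix it is worth reading it back mechanically: every File:: and Folder:: line is a deletion, and the Registry:: section uses .reg syntax, in which `"name"=-` removes a value from the key named above it and `[-key]` removes the whole key. The dry-run reader below is an added example, not part of the thread and not ComboFix code; the section names are the ones used in the post, and the sanity checks (absolute paths only, no top-level directories, no value before a key) are assumptions of this example. The sample script is an abridged copy of the one in the post.

```python
"""Dry-run reader for a ComboFix CFScript.

Added example: not part of the original thread and not ComboFix code.
It parses the File::/Folder::/Registry:: sections of a CFScript into a
plan of actions and reports lines that look wrong before the script is
handed to ComboFix. The sanity checks are assumptions of this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: abridged from the CFScript posted in the thread.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\wympeecd.ini
C:\WINDOWS\BMe7068e3c.xml
C:\Documents and Settings\Owner\Desktop\Trojan.Win32.BlackBird.exe
Folder::
C:\Documents and Settings\All Users\Application Data\atmhsfoz
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCVlJy]
"""

SECTION = re.compile(r"^(File|Folder|Registry)::$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(-?)(.+)\]$")          # [key] selects, [-key] deletes
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')      # "name"=data, data "-" deletes
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text: str) -> Tuple[Dict[str, list], List[str]]:
    """Return (plan, warnings). Entries that fail a check are left out of the plan."""
    plan: Dict[str, list] = {"files": [], "folders": [], "registry": []}
    warnings: List[str] = []
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section is None:
            warnings.append(f"line {lineno}: text before any section directive: {line!r}")
            continue
        if section in ("file", "folder"):
            if not ABS_PATH.match(line):
                warnings.append(f"line {lineno}: not an absolute path: {line!r}")
            elif len(line.rstrip("\\").split("\\")) < 3:
                # e.g. C:\WINDOWS on its own: refuse a whole top-level directory
                warnings.append(f"line {lineno}: refuses top-level path: {line!r}")
            else:
                plan["files" if section == "file" else "folders"].append(line)
            continue
        # Registry section: .reg syntax
        km = REG_KEY.match(line)
        if km:
            minus, key = km.groups()
            if minus:
                plan["registry"].append(("delete_key", key))
                current_key = None
            else:
                current_key = key
            continue
        vm = REG_VALUE.match(line)
        if vm:
            name, data = vm.groups()
            if current_key is None:
                warnings.append(f"line {lineno}: value line with no key selected: {line!r}")
                continue
            action = "delete_value" if data == "-" else "set_value"
            plan["registry"].append((action, current_key, name, data))
            continue
        warnings.append(f"line {lineno}: unrecognised registry line: {line!r}")
    return plan, warnings


def describe(plan: Dict[str, list]) -> List[str]:
    """Render the plan as one human-readable line per action."""
    out = [f"delete file   {p}" for p in plan["files"]]
    out += [f"delete folder {p}" for p in plan["folders"]]
    for entry in plan["registry"]:
        if entry[0] == "delete_key":
            out.append(f"delete key    {entry[1]}")
        elif entry[0] == "delete_value":
            out.append(f"delete value  {entry[2]!r} under {entry[1]}")
        else:
            out.append(f"set value     {entry[2]!r}={entry[3]} under {entry[1]}")
    return out


if __name__ == "__main__":
    plan, warnings = parse_cfscript(SAMPLE_CFSCRIPT)
    print("\n".join(describe(plan)))
    for w in warnings:
        print("WARNING:", w)
```

Reading the plan back is the point: the winlogon\notify\mlJCVlJy key the script removes is the same loading point the earlier ComboFix log listed under "Reg Loading Points", so the dry run lets the poster confirm that each deletion corresponds to something seen in the log rather than to a typo.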
Agitated
11 Posts
0
April 17th, 2008 01:00
Results posted in two posts.
ComboFix 08-04-15.8 - Owner 2008-04-16 20:38:57.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\Owner\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Owner\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Owner\Desktop\filemanagerclient.exe
C:\Documents and Settings\Owner\Desktop\fkwp1.5.exe
C:\Documents and Settings\Owner\Desktop\fkwp2.0.exe
C:\Documents and Settings\Owner\Desktop\fwebd.exe
C:\Documents and Settings\Owner\Desktop\FWebdEditor.exe
C:\Documents and Settings\Owner\Desktop\Trojan.Win32.BlackBird.exe
C:\WINDOWS\BMe7068e3c.xml
C:\WINDOWS\system32\bxhdbrpq.ini
C:\WINDOWS\system32\ibxdcvjj.ini
C:\WINDOWS\system32\itlprbxh.ini
C:\WINDOWS\system32\jiddpnwm.ini
C:\WINDOWS\system32\lcdretgl.ini
C:\WINDOWS\system32\orpyanqe.ini
C:\WINDOWS\system32\quqrkhql.ini
C:\WINDOWS\system32\rqrxjpxo.ini
C:\WINDOWS\system32\wceswpfe.ini
C:\WINDOWS\system32\weavoqbx.ini
C:\WINDOWS\system32\wympeecd.ini
C:\WINDOWS\system32\xljglqxf.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\atmhsfoz
C:\Documents and Settings\Owner\Desktop\blackbird.jpg
C:\Documents and Settings\Owner\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Owner\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Owner\Desktop\filemanagerclient.exe
C:\Documents and Settings\Owner\Desktop\fkwp1.5.exe
C:\Documents and Settings\Owner\Desktop\fkwp2.0.exe
C:\Documents and Settings\Owner\Desktop\fwebd.exe
C:\Documents and Settings\Owner\Desktop\FWebdEditor.exe
C:\Documents and Settings\Owner\Desktop\Trojan.Win32.BlackBird.exe
C:\WINDOWS\BMe7068e3c.xml
C:\WINDOWS\system32\bxhdbrpq.ini
C:\WINDOWS\system32\ibxdcvjj.ini
C:\WINDOWS\system32\itlprbxh.ini
C:\WINDOWS\system32\jiddpnwm.ini
C:\WINDOWS\system32\lcdretgl.ini
C:\WINDOWS\system32\orpyanqe.ini
C:\WINDOWS\system32\quqrkhql.ini
C:\WINDOWS\system32\rqrxjpxo.ini
C:\WINDOWS\system32\wceswpfe.ini
C:\WINDOWS\system32\weavoqbx.ini
C:\WINDOWS\system32\wympeecd.ini
C:\WINDOWS\system32\xljglqxf.ini
.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.
2008-04-15 22:10 . 2002-07-26 23:24
2008-04-15 22:10 . 2002-07-26 23:23
2008-04-15 22:10 . 2002-07-26 23:23
2008-04-15 22:10 . 2002-07-26 23:23
2008-04-15 22:10 . 2002-07-26 23:23
2008-04-15 22:10 . 2008-04-15 22:10
2008-04-10 12:15 . 2008-04-10 12:45
2008-04-09 00:44 . 2008-04-09 00:44
2008-04-07 21:47 . 2008-04-07 21:47
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:54 --------- d-----w C:\Program Files\Three Rings Design
2008-04-13 20:11 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-04-13 06:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 06:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 05:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-10 18:02 --------- d-----w C:\Program Files\RegCure
2008-04-10 17:33 --------- d-----w C:\Program Files\Lycos
2008-03-25 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-07 00:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-06 19:25 --------- d-----w C:\Program Files\MSBuild
2008-03-06 19:13 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-06 19:09 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-02 16:40 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-02 16:37 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-02 16:04 --------- d-----w C:\Program Files\ZooVet_at
2008-02-19 19:44 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-19 19:44 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-19 19:44 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-19 19:44 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-19 19:44 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-19 19:44 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-19 19:44 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-19 19:44 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-19 19:44 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-19 19:44 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2006-05-13 21:01 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-10-04 02:16 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
Agitated
11 Posts
0
April 17th, 2008 01:00
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-11 20:52 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 10:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 05:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 18:39 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53 714608]
"LTMSG"="LTMSG.exe" [2003-07-14 11:52 40960 C:\WINDOWS\ltmsg.exe]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a--c--- 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-05-15 05:29 155648 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-05-03 19:06 364544 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
--a--c--- 2005-05-14 16:14 1802240 C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-05-09 10:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 16:01]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 21:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-17 01:22:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-16 06:57:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 10:39:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-04-16 08:30:01 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
"2008-04-17 01:25:25 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-10 08:00:01 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-17 01:27:19 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-16 10:39:27 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 20:49:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-04-16 21:03:51
ComboFix-quarantined-files.txt 2008-04-17 02:03:43
ComboFix2.txt 2008-04-16 23:22:53
Pre-Run: 34,106,097,664 bytes free
Post-Run: 34,094,080,000 bytes free
.
2008-04-17 00:27:23 --- E O F ---
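The "Reg Loading Points" section above records three things worth confirming on any cleanup: Security Center monitoring switched off (under Monitoring, SymantecAntiVirus and SymantecFirewall), the Windows Firewall standard profile set to EnableFirewall=0, and the firewall exception list. None of these is malicious on its own: Norton registers itself with Security Center and turns Windows' own monitoring off, and Sygate replaces the Windows Firewall, so EnableFirewall=0 with smc.exe running is expected. The point is to pull them out of a long dump so they get checked rather than scrolled past. The following Python is an added example for this thread, not ComboFix's code and not part of the original post; the sample input is the REGEDIT4-style text copied from the log above, and the tags it emits (`firewall-off`, `fw-exception`, `sc-monitoring-off`) are names chosen for this example.

```python
"""Check the security-posture keys in a ComboFix 'Reg Loading Points' dump.

Added example for this thread; it is neither ComboFix code nor part of the
original post. Sample input is copied from the log above.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=value ; value names may contain escaped backslashes (\\)
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=\s*(?P<val>.*)$')

# Constructed sample: the relevant keys as ComboFix printed them above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"""


def parse_reg_dump(text):
    """Return {key: {value_name: raw_value}} in the order ComboFix listed them."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            cur = m["key"]
            keys[cur] = {}
        elif cur is not None and (m := VAL_RE.match(line)):
            # Un-double the backslashes REGEDIT4 escapes inside value names.
            keys[cur][m["name"].replace("\\\\", "\\")] = m["val"].strip()
    return keys


def dword(raw):
    """'dword:00000001' -> 1; ComboFix also prints plain '0 (0x0)' forms."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return int(raw.split()[0], 0)


def posture(keys):
    """Surface Security Center and Windows Firewall settings for confirmation."""
    findings = []
    for key, vals in keys.items():
        k = key.lower()
        if k.endswith("\\firewallpolicy\\standardprofile"):
            if "EnableFirewall" in vals and dword(vals["EnableFirewall"]) == 0:
                findings.append(("firewall-off", "standard profile"))
        elif k.endswith("\\authorizedapplications\\list"):
            # Every value name in this key is an allowed program path.
            findings.extend(("fw-exception", app) for app in vals)
        elif "security center\\monitoring" in k:
            if dword(vals.get("DisableMonitoring", "dword:0")) == 1:
                findings.append(("sc-monitoring-off", key.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for tag, detail in posture(parse_reg_dump(SAMPLE)):
        print(f"{tag:18} {detail}")
```

Each finding is a prompt, not a verdict: `firewall-off` is fine while a third-party firewall is actually running, and `sc-monitoring-off` is normal for a registered AV product, but a firewall exception for a program nobody recognises is exactly the kind of entry this thread is hunting for.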
Agitated
11 Posts
0
April 17th, 2008 01:00
Make that 3 posts; still too large :).
((((((((((((((((((((((((((((( snapshot@2008-04-16_18.20.16.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2008-02-20 05:19:35 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsapi.dll
+ 2008-02-20 18:49:36 45,568 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\updspapi.dll
+ 2008-02-20 06:52:43 282,624 ----a-w C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\updspapi.dll
- 2008-04-16 22:58:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-17 01:24:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-12-07 02:21:45 124,928 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-12-19 23:01:06 347,136 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-12-07 02:21:45 214,528 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-12-07 02:21:45 133,120 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-12-06 11:00:57 70,656 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-12-07 02:21:45 153,088 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-12-07 02:21:45 230,400 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-12-06 04:59:51 161,792 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-12-07 02:21:45 384,512 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-12-07 02:21:46 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-12-06 11:01:25 625,664 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-12-07 02:21:47 27,648 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-12-08 05:21:48 3,592,192 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-12-07 02:21:47 478,208 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-12-07 02:21:48 193,024 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-12-07 02:21:48 671,232 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-12-07 02:21:48 102,912 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2008-01-11 05:53:32 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-12-07 02:21:48 105,984 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-12-07 02:21:48 1,159,680 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-12-07 02:21:48 233,472 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-12-07 02:21:48 824,832 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
- 2007-12-07 02:21:45 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-12-07 02:21:45 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-03-01 13:06:20 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 45,568 -c----w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 02:21:45 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-07 02:21:45 63,488 -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-03-01 13:06:21 63,488 -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-12-06 11:00:57 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-12-07 02:21:45 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-12-06 04:59:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-12-07 02:21:45 383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-12-07 02:21:46 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-12-07 02:21:46 267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-03-01 13:06:25 267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-12-06 11:00:58 13,824 -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-12-06 11:01:25 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-02-29 08:55:46 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-12-07 02:21:47 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 02:21:47 459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-12-07 02:21:47 52,224 -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-03-01 23:36:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 02:21:47 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 02:21:48 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 02:21:48 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 02:21:48 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-03-01 13:06:29 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-01-11 05:53:32 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 02:21:48 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-03-01 13:06:29 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-12-07 02:21:48 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-12-07 02:21:48 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-03-01 13:06:30 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 02:21:48 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 05:56:44 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 02:21:45 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-07 00:00:01 156,360 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-16 23:37:22 156,360 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-12-07 02:21:45 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-12-06 11:00:57 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-12-07 02:21:45 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-12-06 04:59:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-12-07 02:21:45 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-12-07 02:21:46 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-12-07 02:21:46 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-12-06 11:00:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-12-07 02:21:47 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-06 03:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 02:21:47 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-12-07 02:21:47 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-03-01 23:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 02:21:47 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 02:21:48 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 02:21:48 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 02:21:48 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
- 2007-12-07 02:21:48 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
- 2008-04-16 22:58:51 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-04-17 01:25:29 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
- 2008-04-16 22:58:51 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2008-04-17 01:25:29 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
- 2008-04-16 22:58:51 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-17 01:25:29 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
.
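Almost every line in the snapshot above is a hotfix backup under $hf_mig$ or ie7updates, or an old/new pair for the same file in system32 and dllcache, which is what a Windows Update run looks like in a ComboFix diff. What matters for a cleanup is the handful of '+' lines with no matching '-' that land directly in C:\WINDOWS or system32. The Python below is an added example for this thread, not ComboFix's own code and not part of the original post: it pairs the '+'/'-' lines by path, sorts them into replaced, hotfix-backup and new, and lists new files dropped straight into the Windows or system32 folder. The sample is copied from the snapshot above plus one constructed line (qwErTyUi.dll, a made-up name) so the review list has something to show; the category names are choices made for this example.

```python
"""Pair the '+'/'-' lines of a ComboFix snapshot diff by path.

Added example for this thread; it is not ComboFix code and not part of the
original post. Sample lines are copied from the snapshot above, plus one
constructed line (qwErTyUi.dll) to exercise the review list.
"""
import re
from collections import defaultdict

# sign date time size attrs path   (the path may contain spaces)
LINE_RE = re.compile(
    r"^(?P<sign>[+-]) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Hotfix backups and the protected-file cache: a '+' here is expected after
# Windows Update runs, which is what the snapshot above mostly records.
UPDATE_DIRS = ("c:\\windows\\$hf_mig$\\", "c:\\windows\\ie7updates\\",
               "c:\\windows\\system32\\dllcache\\")
TEMP_DIRS = ("c:\\windows\\temp\\",)
# A new binary dropped directly into one of these two folders deserves a look.
HOT_DIRS = ("c:\\windows", "c:\\windows\\system32")

SAMPLE = r"""
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
- 2008-04-16 22:58:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-17 01:24:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-04-06 03:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-04-16 22:58:51 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-04-17 01:25:29 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-04-17 01:30:00 81,920 ----a-w C:\WINDOWS\system32\qwErTyUi.dll
"""


def parse_snapshot(text):
    """Map path -> {'-': old entry, '+': new entry}; unmatched lines are skipped."""
    by_path = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, '.' separators, forum text
        entry = m.groupdict()
        entry["size"] = int(entry["size"].replace(",", ""))
        by_path[entry["path"]][entry["sign"]] = entry
    return dict(by_path)


def classify(path, versions):
    """Label one path from the old/new versions the snapshot recorded for it."""
    p = path.lower()
    if "-" in versions and "+" in versions:
        return "replaced"
    if "-" in versions:
        return "deleted"
    if p.startswith(UPDATE_DIRS):
        return "hotfix-backup"
    if p.startswith(TEMP_DIRS):
        return "temp"
    return "new"


def triage(text):
    """Group every path in the diff by class, each group sorted."""
    groups = defaultdict(list)
    for path, versions in parse_snapshot(text).items():
        groups[classify(path, versions)].append(path)
    return {k: sorted(v) for k, v in groups.items()}


def needs_review(groups):
    """New files written straight into C:\\WINDOWS or system32."""
    return [p for p in groups.get("new", [])
            if p.lower().rpartition("\\")[0] in HOT_DIRS]


if __name__ == "__main__":
    g = triage(SAMPLE)
    for kind, paths in g.items():
        print(f"{kind}: {len(paths)}")
    for p in needs_review(g):
        print("review:", p)
```

MRT.exe lands on the review list too; that is the Malicious Software Removal Tool refreshed by Windows Update, which is why the output is a list to check, not a list to delete.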
Agitated
11 Posts
0
April 17th, 2008 01:00
Logfile of HijackThis v1.99.1
Scan saved at 9:28:51 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177987668671
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177991148140
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
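Reading a HijackThis log by hand means applying the same few rules every time: does an O2 BHO load an eight-random-letter DLL straight out of system32 (the pattern of this thread's quarantined mlJCVlJy.dll), is an O4 Run value a bare file name that gets resolved through PATH at logon, is an O23 "(file missing)" real or just HijackThis 1.99.1 cutting a quoted ImagePath off at its closing quote (the ccSvcHst.exe entries above show that shape), and is the R0 start page something other than the Microsoft defaults. The Python below is an added example for this thread, not HijackThis code and not part of the original post: it encodes those rules over a sample built from lines of the log above plus one constructed O2 line with a placeholder CLSID ({00000000-...}) and the quarantined DLL name, so the Vundo rule has something to match. The severities and the eight-letter heuristic are choices made for this example, and every hit is something for a person to confirm, not a removal instruction.

```python
"""Rule-based triage of a HijackThis log.

Added example for this thread; not HijackThis code and not part of the
original post. Rules are heuristics: they list items for a human to confirm.
"""
import re

ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
START_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\.*Main,Start Page = (?P<url>.*)$")
# Vundo drops BHO DLLs named with eight random letters straight into system32
# (this thread's quarantined mlJCVlJy.dll is one). Heuristic, not a verdict.
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")
# The IE defaults as they appear in the R1 lines above.
KNOWN_DEFAULTS = ("http://go.microsoft.com/fwlink/", "about:blank")

# Constructed sample: lines from the log above plus one made-up O2 entry
# (placeholder CLSID) using the DLL name this thread saw quarantined.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\mlJCVlJy.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""


def parse_hjt(text):
    """Yield (kind, body) for every 'Onn - ...' / 'Rn - ...' line."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m["kind"], m["body"]


def triage_hjt(text):
    """Return (severity, kind, message) tuples in log order."""
    out = []
    for kind, body in parse_hjt(text):
        if kind == "O2" and (m := BHO_RE.match(body)):
            folder, _, name = m["path"].rpartition("\\")
            if folder.lower() == r"c:\windows\system32" and RANDOM_DLL_RE.match(name):
                out.append(("high", "O2",
                            f"BHO {m['clsid']} loads random-named {name} from system32"))
        elif kind == "O4" and (m := RUN_RE.match(body)):
            exe = m["cmd"].split()[0].strip('"')
            if "\\" not in exe:  # no directory: whatever PATH finds first runs
                out.append(("low", "O4",
                            f"Run value [{m['name']}] is bare '{exe}', resolved via PATH at logon"))
        elif kind == "O23" and (m := SVC_RE.match(body)):
            if "(file missing)" in m["path"]:
                # A stray quote means HJT 1.99.1 split a quoted ImagePath with
                # arguments; the binary is probably present. Check on disk.
                sev = "info" if '"' in m["path"] else "medium"
                out.append((sev, "O23", f"{m['name']}: '(file missing)', verify path on disk"))
        elif kind == "R0" and (m := START_RE.match(body)):
            url = m["url"].strip()
            if url and not url.startswith(KNOWN_DEFAULTS):
                out.append(("low", "R0", f"{m['hive']} start page is {url}"))
    return out


if __name__ == "__main__":
    for sev, kind, msg in triage_hjt(SAMPLE_HJT):
        print(f"[{sev:6}] {kind:4} {msg}")
```

Against the sample this yields one high (the constructed Vundo-style BHO), two low (the 37.com start page and the bare ALCXMNTR.EXE Run value) and one info (ccEvtMgr's truncated quoted path); the real Symantec BHO and the fully pathed services produce nothing.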
bamajim
10.4K Posts
0
April 17th, 2008 11:00
Nicely done.
1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Download CCleaner from here to clean temp files from your computer.
2. Please perform an Ewido Online Malware Scan
"The world is what you make of it"
Agitated
11 Posts
0
April 17th, 2008 21:00
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________
Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\Owner\Cookies\owner@ssl-hints.netflame[1].txt
Risk: Medium
Name: Adware.RXToolbar
Path: HKU\S-1-5-21-2771580065-1597234714-2502462651-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}
Risk: Medium
Name: Adware.Aws
Path: C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Risk: Medium
Name: Not-A-Virus.Adware.Virtumonde
Path: C:\QooBox\Quarantine\C\WINDOWS\system32\mlJCVlJy.dll.vir
Risk: Low
Name: Not-A-Virus.Adware.Virtumonde
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP13\A0011538.dll
Risk: Low
Name: Adware.TopSearch
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000119.exe
Risk: Medium
Name: Adware.Altnet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000123.dll
Risk: Medium
Name: Adware.P2PNet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000132.DLL
Risk: Medium
Name: Adware.P2PNet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000133.cpl
Risk: Medium
Name: Adware.P2PNet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000134.exe
Risk: Medium
Name: Adware.RXBar
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000153.dll
Risk: Medium
Name: Adware.RXToolbar
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000154.dll
Risk: Medium
Name: Adware.Altnet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000168.dll
Risk: Medium
Name: Adware.Altnet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000169.exe
Risk: Medium
Name: Not-A-Virus.Adware.Virtumonde
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000217.dll
Risk: Low
Name: Not-A-Virus.Downloader.Win32.PopCap.a
Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll
Risk: Low
Name: Not-A-Virus.Downloader.Win32.PopCap.a
Path: C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Risk: Low
Name: Adware.BargainBuddy
Path: C:\WINDOWS\system32\Lycos.dll
Risk: Medium