View Full Version : someone got in through old vnc version, I think
g8tormark
2007-05-02, 23:06
My computer was hacked, I think through an old VNC problem. I found an older version running, apparently with the newer one. The log file looked like the last thing that happened prior to problems was a VNC login from 'untraceable' ip numbers. They were on my computer over a weekend transferring lots of videos, etc. and did a bunch of bragging to others. I interrupted them during some of those large xfers and managed to get into the computer. I stopped a number of processes (including psybnc, videodriver, some VNC backdoors etc. without rebooting). I did a fresh install and update from CD of mcafee, and spybot, both of which fixed alot. I then found your site. I have now done the online scan which only found files that were already in the quarantine directory. I think I am relatively free of problems now but want to get some expert advice on it. Thanks so much for helping us out. This site is a huge help!
Logfile of HijackThis v1.99.1
Scan saved at 2:34:32 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wm.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Palm\Palm Checkup\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\VXIpnp\WINNT\TekVISA\Bin\TEKVIS~3.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Palm Checkup.lnk = C:\Palm\Palm Checkup\bin\mpbtn.exe
O4 - Global Startup: TekVISA Resource Manager.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/233d7cdc52d9f82b0a16/netzip/RdxIE601.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: IDL DicomEx Storage SCP - Unknown owner - C:\RSI\IDL63\bin\bin.x86\idl_dicomexstorscp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ION Java Daemon 6.3 - Unknown owner - C:\RSI\IDL63\products\ion63\ion_java\bin\ion_srv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
Hello g8tormark and welcome to the Forums :)
Sorry for the delay, I noticed the post in the waiting room....
Nothing bad there...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
g8tormark
2007-05-18, 19:00
Thanks Mr_Jak3
I have done as you suggested. You will probably note from the log that since the first post I have installed the zone alarm firewall as well. The only unusual behavior I have noted currently on this machine is that today there seems to be some issue with the automatic updates for mcafee enterprise v8.50. There is no error message generated, but the dat file is not updated. Superdat updates seem to work fine. I do see that there is a similar known bug, though, so I don't know if this behavior is the result of the infection or of the known bug yet. I'll leave it alone for now.
Here are the requested logs. I think a couple of these must have been a false positive, but I had them fixed anyway.
Thanks again for the help.
regUsers.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably MACRO.Virus;Moved.;
RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
MiniBugTransporter.dll;C:\Documents and Settings\mark\Local Settings\Temp\~rnsetup\WEATHERBUG;Adware.Minibug;Moved.;
SETUP.EXE;C:\Documents and Settings\mark\My Documents\downloaded software and drivers\microsoft\Mappoint\MapPoint 2004 CD1 EUR\CD1;Probably DLOADER.Trojan;Moved.;
vncviewer.exe;C:\Documents and Settings\mark\My Documents\vnc\vnc_x86_win32\vncviewer;Program.RemoteAdmin;Moved.;
samsung.exe;C:\Program Files\FutureDial\USB Installer\Support\Drivers\Win2k\auto\samsung;Probably BACKDOOR.Trojan;Moved.;
Setup.exe;C:\Program Files\FutureDial\USB Installer\Support\Drivers\Win98\auto\samsung;Probably BACKDOOR.Trojan;Moved.;
samsung.exe;C:\Program Files\FutureDial\USB Installer\Support\Drivers\WinMe\auto\samsung;Probably BACKDOOR.Trojan;Moved.;
samsung.exe;C:\Program Files\FutureDial\USB Installer\Support\Drivers\WinXp\auto\Samsung;Probably BACKDOOR.Trojan;Moved.;
script1.ini;C:\removed\mui;Probably IRC.Virus;Moved.;
scvhost.exe;C:\removed\mui;Program.mIRC.603;Moved.;
mpx.exe;C:\removed\service;Probably DLOADER.Trojan;Moved.;
A0069520.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1294;Program.mIRC.603;Moved.;
A0069569.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1300;Program.RemoteAdmin;Moved.;
A0069571.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1300;Program.RemoteAdmin;Moved.;
A0070069.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1314;Trojan.Flashfxp;Deleted.;
A0071484.reg;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1329;Trojan.StartPage.1505;Deleted.;
Logfile of HijackThis v1.99.1
Scan saved at 11:46:53 AM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wm.exe
C:\WINDOWS\Explorer.EXE
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Palm\Palm Checkup\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\VXIpnp\WINNT\TekVISA\Bin\TEKVIS~3.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufl.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Palm Checkup.lnk = C:\Palm\Palm Checkup\bin\mpbtn.exe
O4 - Global Startup: TekVISA Resource Manager.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/233d7cdc52d9f82b0a16/netzip/RdxIE601.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: IDL DicomEx Storage SCP - Unknown owner - C:\RSI\IDL63\bin\bin.x86\idl_dicomexstorscp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ION Java Daemon 6.3 - Unknown owner - C:\RSI\IDL63\products\ion63\ion_java\bin\ion_srv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
Hello, looks better :)
We'll restore the false positives later...
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
g8tormark
2007-05-22, 20:25
I've tried this every way I can think of but I'm having some trouble. I have run the scan several times as instructed. Each time when I click the copy button, the computer locks up. I've tried a number of combinations. I even tried openning up the task manager prior to running gmer to see what was using up the resources. Even after the scan is finished, gmer appears to be using several percent of the cpu time and the system is using several percent as well. The scan seems to complete fine and I can scroll through the results, but I cannot copy them or switch to other windows. Any thoughts? I've been trying to get it to work for days :sick:
Hello :)
Ok please try if you're able to scan and save the log in safe mode.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
:bigthumb:
g8tormark
2007-05-22, 22:05
OK, I'll start the safe mode now. In the meantime, I was able to get a partial scan of by unchecking the "files" option. I'll get the full scan now in safe mode. The partial scan results are below.
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-22 14:59:33
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ F0, A1, F6, EE, 80, 04, F7, ... ]
PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP EE26A2CB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 8064D029 7 Bytes JMP EE26A307 \SystemRoot\system32\drivers\mfehidk.sys
? nwfilter.sys The system cannot find the file specified.
? srescan.sys The system cannot find the file specified.
? C:\WINDOWS\System32\DRIVERS\update.sys
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ F0, A1, F6, EE, 80, 04, F7, ... ]
PAGE ntoskrnl.exe!ObOpenObjectByName + 93C 80567CFB 5 Bytes JMP EE26A2CB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!LsaDeregisterLogonProcess + 3EEA 8064D029 7 Bytes JMP EE26A307 \SystemRoot\system32\drivers\mfehidk.sys
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe[1300] kernel32.dll!WriteFile 7C810D87 7 Bytes JMP 646A05B2 C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\mssrch.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3740] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe
---- Devices - GMER 1.0.12 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF7B8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [EEF7B8A0] vsdatant.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE ED549C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE ED5467C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ ED54260A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE ED542AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION ED54D958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION ED550821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA ED55938A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA ED558D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS ED552BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION ED553331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION ED5614F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL ED549B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL ED545948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL ED54F46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN ED56079D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL ED55FC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP ED5462FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP ED5601DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible ED55B1F9
---- EOF - GMER 1.0.12 ----
g8tormark
2007-05-23, 20:46
I've tried it twice and the gmer program also hangs up during thefile scanning portion in safe mode. It is also impossible to see the copy button due to graphics limitations, but I had that problem figured out...I just was never able to get it to run that far :sad:
g8tormark
2007-05-23, 22:59
One more piece of information...
When I ran the gmer program with just the files box checked, it returned a message saying nothing found.
summarizing, when I run gmer as you suggested I can see the results on the screen, but once I push the copy button the computer begins to respond very slowly and I cannot run any other programs. If I uncheck files, I get the log above, if I check only files, I get nothing in the log.
Thanks again for the advice :-)
Hi again and sorry for the delay.
We'll continue :)
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
g8tormark
2007-05-30, 01:11
It did take a long time, but it found a few things, as you suspected. Most of it seems to be in some old e-mail backups that were in old quarantine folders that I guess never got deleted in the backup. I'll need to do some housekeeping ;-) I've removed those to make this log file fit in the post, and am assuming that these are not the source of any of the current issues. Please let me know if you'd like to see them and I'll post them as well.
Here is the log file.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 29, 2007 5:43:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/05/2007
Kaspersky Anti-Virus database records: 329765
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 428860
Number of viruses found: 30
Number of infected objects: 391
Number of suspicious objects: 112
Duration of the scan process: 16:12:48
Infected Object Name / Virus Name / Last Action
C:\cygwin\etc\ssh_host_dsa_key Object is locked skipped
C:\cygwin\etc\ssh_host_key Object is locked skipped
C:\cygwin\etc\ssh_host_rsa_key Object is locked skipped
C:\cygwin\home\mark\.bash_history Object is locked skipped
C:\cygwin\usr\share\texmf\web2c\fmtutil.cnf.cygwin-save Object is locked skipped
C:\cygwin\usr\share\texmf\web2c\mktex.cnf.cygwin-save Object is locked skipped
C:\cygwin\usr\share\texmf\web2c\texmf.cnf.cygwin-save Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0069520.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0069569.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0069571.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\scvhost.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.18.Crwl Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.18.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\00010002.ci Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\CiST0000.000 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\DocId.Map Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h3 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.idx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Idm.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Ntfy2.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSS.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\RSApp.edb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\tmp.edb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Logs\MAPI.txt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf3.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf6.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Perflib_Perfdata_d50.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007052520070526\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\NAILogs\UpdaterUI_MISSJEWELL.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_MISSJEWELL.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_MISSJEWELL.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2338f6af8f44aac98c9f68f04b3c883c_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d05756ce52d1e2fbaabbef94afb3009_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\746ac04503e52094753488c1e626c9fb_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7e5cb0d0146d0d03417b733eaa786f9f_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\97606a38a56ecc5e5b41b37d06d53ad7_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a1a0ffed9b16c4966f4235e98f50f599_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b081cb413831816aaf738f6271057844_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c0ce8317f0bf76de16ce8c4a05db9427_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d6764cce260d908eb1fe781ae041280b_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\df11b06795ed9e41a4b8c8fefbe7a57e_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f3aef5637eef5049dc2072863bda631f_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f7a855940a90cff9c85b076a41db2b0f_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mark\.housecall6.6\Quarantine\ms0311.jar-24ad084f-5918fbd2.zip.bac_a11952/TakePrivileges.class Infected: Trojan.Java.ClassLoader.an skipped
C:\Documents and Settings\mark\.housecall6.6\Quarantine\ms0311.jar-24ad084f-5918fbd2.zip.bac_a11952/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\mark\.housecall6.6\Quarantine\ms0311.jar-24ad084f-5918fbd2.zip.bac_a11952 ZIP: infected - 2 skipped
C:\Documents and Settings\mark\.housecall6.6\Quarantine\ms0311.jar-24ad084f-5918fbd2.zip.bac_a11952 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\mark\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/07 Jun 2004 18:25 from 7327331083316015@61.174.154.157:Mail Deli.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
*****archived/quarantined emails skipped *****
****see next post for last part of log ****
g8tormark
2007-05-30, 01:12
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\gammadyne\mmail.exe/stream.seau/gmcom.exe Infected: not-a-virus:NetTool.Win32.GammadyneMail.24_3 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\gammadyne\mmail.exe/stream.seau/gmcom2.exe Infected: not-a-virus:NetTool.Win32.GammadyneMail.24_3 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\gammadyne\mmail.exe/stream.seau Infected: not-a-virus:NetTool.Win32.GammadyneMail.24_3 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\gammadyne\mmail.exe SeauSFX: infected - 3 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\mailer\mmail.exe/stream.seau/gmcom2.exe Infected: not-a-virus:NetTool.Win32.GammadyneMail.24_3 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\mailer\mmail.exe/stream.seau Infected: not-a-virus:NetTool.Win32.GammadyneMail.24_3 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\mailer\mmail.exe SeauSFX: infected - 2 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\vnc\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\vnc\vnc-3.3.3r9_x86_win32.zip ZIP: infected - 1 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\vnc\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\vnc\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\vnc\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\vnc\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\vnc\vnc-4_1_1-x86_win32.exe/data0001 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Documents and Settings\mark\My Documents\downloaded software and drivers\vnc\vnc-4_1_1-x86_win32.exe Inno: infected - 1 skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\palm\Palm Checkup\log\mpbtn.log Object is locked skipped
C:\Program Files\Gammadyne Mailer\gmcom.exe Infected: not-a-virus:NetTool.Win32.GammadyneMail.24_3 skipped
C:\Program Files\Gammadyne Mailer\gmcom2.exe Infected: not-a-virus:NetTool.Win32.GammadyneMail.24_3 skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Inbox/07 Sep 2001 13:15 from Diane Badylak:FW: from Windows, completel.eml/[From CORLISS BERINGER [mailto:beachbabie@worldnet.att.net]][Date Fri, 7 Sep 2001 03:19:14 +0000]/UNNAMED/IESHWIZ.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Inbox/07 Sep 2001 13:15 from Diane Badylak:FW: from Windows, completel.eml/[From CORLISS BERINGER [mailto:beachbabie@worldnet.att.net]][Date Fri, 7 Sep 2001 03:19:14 +0000]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Inbox/07 Sep 2001 13:15 from Diane Badylak:FW: from Windows, completel.eml Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Inbox/07 Sep 2001 13:56 from Diane Badylak:RE: from Windows, completel.eml/[From CORLISS BERINGER [mailto:beachbabie@worldnet.att.net]][Date Fri, 7 Sep 2001 03:19:14 +0000]/UNNAMED/IESHWIZ.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Inbox/07 Sep 2001 13:56 from Diane Badylak:RE: from Windows, completel.eml/[From CORLISS BERINGER [mailto:beachbabie@worldnet.att.net]][Date Fri, 7 Sep 2001 03:19:14 +0000]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Inbox/07 Sep 2001 13:56 from Diane Badylak:RE: from Windows, completel.eml Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Inbox/19 Sep 2001 03:17 from CERT Advisory:CERT Advisory CA-2001-26.eml Infected: Net-Worm.Win32.Nimda skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Sent Items/31 Aug 2001 16:37 to aalex@mse.ufl.edu:Potential virus?? FW: dat/data summary.xls.pif Infected: Email-Worm.Win32.Sircam.c skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Sent Items/04 Sep 2001 13:40 to aalex@mse.ufl.edu:More suspicious e-mails/02 Sep 2001 00:18 from user:Proposal rewrite 6/Proposal rewrite 6.doc.lnk Infected: Email-Worm.Win32.Sircam.c skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Sent Items/07 Sep 2001 13:45 to di@microfab.ufl.edu:RE: from Windows, compl.eml/[From CORLISS BERINGER [mailto:beachbabie@worldnet.att.net]][Date Fri, 7 Sep 2001 03:19:14 +0000]/UNNAMED/IESHWIZ.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Sent Items/07 Sep 2001 13:45 to di@microfab.ufl.edu:RE: from Windows, compl.eml/[From CORLISS BERINGER [mailto:beachbabie@worldnet.att.net]][Date Fri, 7 Sep 2001 03:19:14 +0000]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/Sent Items/07 Sep 2001 13:45 to di@microfab.ufl.edu:RE: from Windows, compl.eml Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders//Infected/23 Mar 1999 13:31 from Ludie Harmon:EMAIL SCAN:VIRUS ALERT! IN A/Happy99.exe Infected: Email-Worm.Win32.Happy skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders//Infected/04 May 2000 11:45 from Hayden, Todd Alan:ILOVEYOU/LOVE-LETTER-FOR-YOU.TXT.vbs Infected: Email-Worm.VBS.LoveLetter skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders//Infected/27 Aug 2001 08:31 from Christine Rollin:EMAIL SCAN:VIRUS ALERT! /MSOOBD.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders//Infected/22 Feb 2001 21:14 from Mark Davidson:Possible virus/hacker???/joke.exe Infected: Email-Worm.Win32.Hybris.b skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/old e-mails/22 Apr 1999 14:40 from Karen A Thomas:EMAIL SCAN:VIRUS ALERT! IN/clincode.doc Infected: Virus.MSWord.Groovie.b skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak/Personal Folders/old e-mails/19 May 2000 11:57 from Kathy Bergsma (by way of "Mark H. Rahmani.eml Infected: IRC-Worm.HTML.Generic skipped
C:\RECYCLER\S-1-5-21-2585546760-1163202210-2768056934-1005\Dc27.bak Mail MS Mail: infected - 18 skipped
C:\removed\service\psybnc\log\psybnc.log Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1338\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MISSJEWELL.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\mark\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\mark\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\SYSTEM32\service\psybnc\psybnc.pid Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT00b77.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT00b7b.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Thanks :-D
Hello :)
Yes the infections were in backups or emails...
How is the computer running? Any issues?
g8tormark
2007-05-30, 22:02
The computer seems OK except for the annoying issue with the cut/paste in the gmer. Nothing in gmer was flagged as a rootkit, however. Does it automagically recognize common rootkits?
The only thing I'm seeing that concerns me a bit is that the zone alarm firewall is occasionally blocking outbound packets to my webmail server from port 2568. This seems a bit strange to me, but I suppose harmless if the firewall is blocking it. I just don't like the idea of unwanted background stuff.
There are, of course, roughly a gugillion incoming scans getting blocked but that is pretty normal for a network like this. There is about to be another layer of firewall between here and the world. Just something else to maintain, but I supose it is easier in the long run than fixing the aftermath.
Thanks sooooooo much for your help.
Mark
:bigthumb:
You're very welcome :)
Yes GMER is a pretty good rootkit detector.
Yes it is normal that firewall blocks those things...You know that the firewall is working :)
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)