Smitfraud C-core Service/Virtumonde



tkhang81
2007-07-06, 18:36
Hello,

I'm hoping you guys can help me out here. My father just bought a business and kept complaining that the office computer is infected. Over the weekend I installed spybot on the system and it flagged two problems, Smitfraud and Virtumonde. Spybot is not able to delete these two issues at all. The HJT report is as follows:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:47:55 AM, on 7/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\ACS\Back office\Platform\BatchService.exe
C:\ACS\Server\Bin\NCRReceiveUpdatesSvc.exe
c:\ACS\Back office\Platform\SILService.exe
C:\ACS\Server\Bin\tm.exe
C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy\command.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\ACS\Back Office\Platform\ASWRegistrationService.exe
C:\ACS\Server\Bin\cswitch.exe
C:\ACS\Server\Bin\tms32.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ACS\Binn\sqlservr.exe
C:\ACS\Loader\Programs\acsapsrv.exe
C:\Program Files\NCR\FitClient\NCRTFTPs.exe
C:\Program Files\NCR\FitClient\FitClientLoader.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\ACS\Server\Bin\aup.exe
C:\ACS\Server\Bin\svcupdate.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\TEMP\cks3.tmp
C:\WINNT\System32\dns.exe
C:\ACS\Server\Bin\closemgr.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\DeptReptExt.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\ACS\Server\Bin\posoffl.exe
c:\acs\Loader\Programs\acsapsrv.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\system32\msdtc.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Back office\Platform\TLogAccumulator.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\cmhost.exe
C:\ACS\server\bin\cmhostctf.exe
C:\ACS\Server\Bin\cmol.exe
c:\acs\Loader\Programs\acsapsrv.exe
C:\ACS\Loader\Programs\acsapsrv.exe
C:\ACS\Server\Bin\drpurge.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\acsproc.exe
C:\ACS\Server\Bin\MRMServer.exe
C:\ACS\Server\Bin\mrmSqlServer.exe
C:\ACS\Server\Bin\PLUExceptionExtractHost.exe
C:\ACS\Server\Bin\resmgr.exe
C:\ACS\Server\Bin\logmgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ACS\Binn\sqlagent.EXE
C:\ACS\Server\Bin\accmgr.exe
C:\ACS\Server\Bin\iftrpmgr.exe
C:\ACS\Server\Bin\corrmgr.exe
C:\ACS\Server\Bin\clubctf.exe
C:\ACS\Server\Bin\offmgr.exe
C:\ACS\Server\Bin\cmctf.exe
C:\ACS\Server\Bin\sopup.exe
C:\ACS\Server\Bin\hostmgr.exe
C:\ACS\Server\Bin\casmgr.exe
C:\WINNT\Explorer.EXE
C:\ACS\Server\Bin\timemgr.exe
C:\ACS\Server\Bin\sreqpipe.exe
C:\ACS\Server\Bin\srsppipe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\COMMON~1\rmku\rmkum.exe
C:\Program Files\Lynk\Integra\LynkIntegraServer.exe
C:\Program Files\Lynk\Integra\LynkIntegraClient.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\ACS\Back office\Platform\ASWShell.exe
C:\WINNT\system32\o02PrEz\o02PrEz1065.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINNT\explorer.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator\Desktop\spywareblastersetup351.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-CLDEB.tmp\is-PAVTT.tmp
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\PROGRA~1\COMMON~1\rmku\rmkua.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A0D7F1D-BC3E-4BD8-9442-11FB2D0332AA} - C:\Program Files\WindowsUpdate\vixylex.dll
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\system32\urqnkji.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINNT\system32\ecptiyec.dll
O2 - BHO: (no name) - {6DD5F76E-FEAC-4343-9B5F-0E206296C73A} - C:\Program Files\WindowsUpdate\vixylex.dll
O2 - BHO: 0 - {7E125488-0D86-4490-908B-65EC811F44CC} - C:\Program Files\Accessories\zykifuzit.dll
O2 - BHO: (no name) - {B80D9931-0D93-42D0-96F3-8B0672CA7FA0} - C:\WINNT\system32\naoqqxay.dll
O2 - BHO: (no name) - {DBC7BB3A-CB27-4E2A-B62C-2E96A5A22BF7} - C:\WINNT\system32\naoqqxay.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Administrator\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F9DA6EF604776CA6C1637FB11E3C281231B2CCE7003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINNT\system32\xvjpegsa.dll",realset
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\RunOnce: [RemoveInstallPath] cmd.exe C:\WINNT\system32\cmd.exe /c rmdir /S /Q "C:\PROGRA~1\WinPop" > nul
O4 - HKLM\..\RunOnce: [SpybotDeletingA1239] command /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7143] cmd /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1210] command /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC464] cmd /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8629] command /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2632] cmd /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA567] command /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2685] cmd /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3499] command /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5718] cmd /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9249] command /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1004] cmd /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9463] command /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5415] cmd /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1991] command /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7793] cmd /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\190\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [rmku] C:\PROGRA~1\COMMON~1\rmku\rmkum.exe
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7433] command /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1074] cmd /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7485] command /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3228] cmd /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3247] command /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1011] cmd /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4921] command /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8518] cmd /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6488] command /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2947] cmd /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2232] command /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD210] cmd /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3123] command /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3778] cmd /c del "C:\WINNT\system32\gebya.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8890] command /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7907] cmd /c del "C:\WINNT\system32\ddayy.dll_tobedeleted_old_tobedeleted_old_tobedeleted_old_tobedeleted_old"
O4 - .DEFAULT Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\TICHD003.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lynk Integra Server.LNK = C:\Program Files\Lynk\Integra\LynkIntegraServer.exe
O4 - Global Startup: LynkIntegraClient.LNK = C:\Program Files\Lynk\Integra\LynkIntegraClient.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8771438C-67D3-4436-A649-0E405C31E072}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9104A1FA-F3D6-4354-90B3-A3A4C9014955}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA535FC1-FBEF-4407-9755-E0470966C8B5}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: urqnkji - C:\WINNT\SYSTEM32\urqnkji.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: ACS Batch Service - - c:\ACS\Back office\Platform\BatchService.exe
O23 - Service: ACS Receive Updates - NCR - C:\ACS\Server\Bin\NCRReceiveUpdatesSvc.exe
O23 - Service: ACS SIL Service - - c:\ACS\Back office\Platform\SILService.exe
O23 - Service: ACS Task Manager - NCR - C:\ACS\Server\Bin\tm.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Application Load Server (NCR Application Load Server) - NCR - C:\ACS\Loader\Programs\acsapsrv.exe
O23 - Service: NCR TFTP Service - NCR - C:\Program Files\NCR\FitClient\NCRTFTPs.exe
O23 - Service: NCR FitClient Loader (NCRFitClientLoader) - NCR - C:\Program Files\NCR\FitClient\FitClientLoader.exe
O23 - Service: RSH Daemon (rshd) - Unknown owner - C:\scot\bin\rshd.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SvcUpdate - NCR - C:\ACS\Server\Bin\svcupdate.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\disososys.html

--
End of file - 15844 bytes



Any thoughts are appreciated!!
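As an added illustration (not part of this thread, and not code from HijackThis, Spybot or ComboFix), here is a small Python triage script that applies the same reading a helper does to lines of a HijackThis log: it flags nameless or numbered BHOs, autoruns launched from a Temp directory or named after a system DLL, NameServer entries pointing at loopback, an unrecognised Winlogon Notify package and any Active Desktop component. The sample lines are copied from the log above (two benign entries are included as controls); the set of known Notify DLLs is an assumption for the example, not a definitive allowlist.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted above.
# The Adobe BHO and the IgfxTray autorun are benign controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A0D7F1D-BC3E-4BD8-9442-11FB2D0332AA} - C:\Program Files\WindowsUpdate\vixylex.dll
O2 - BHO: 0 - {7E125488-0D86-4490-908B-65EC811F44CC} - C:\Program Files\Accessories\zykifuzit.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Administrator\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F9DA6EF604776CA6C1637FB11E3C281231B2CCE7003
O17 - HKLM\System\CCS\Services\Tcpip\..\{8771438C-67D3-4436-A649-0E405C31E072}: NameServer = 127.0.0.1
O20 - Winlogon Notify: urqnkji - C:\WINNT\SYSTEM32\urqnkji.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\disososys.html
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why a reviewer would look at this line
    line: str      # the original log line


# Every HijackThis entry starts with a section code followed by " - ".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 Run entries look like "<hive>\..\Run: [<value name>] <command>".
RUN_RE = re.compile(r"(.*?): \[(.*?)\] (.*)$")
# A long run of hex passed as a command-line argument is unusual for legitimate autoruns.
HEX_BLOB = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
# Anything started from a user or system Temp directory deserves a look.
TEMP_DIR = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)
# Winlogon Notify packages expected on this box (assumed allowlist for the example;
# nwprovau and PCANotify appear in the ComboFix output later in the thread).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn",
                "termsrv", "wlballoon", "nwprovau", "pcanotify"}


def triage_line(line: str):
    """Return a Finding for a suspicious log line, or None for lines that pass."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O2":
        # "BHO: <name> - {CLSID} - <dll path>"; legitimate BHOs carry a real name.
        name = body.split(" - ")[0][len("BHO: "):]
        if name == "(no name)" or name.isdigit():
            return Finding(section, "BHO without a descriptive name", line)

    elif section == "O4":
        run = RUN_RE.match(body)
        value_name, command = (run.group(2), run.group(3)) if run else ("", body)
        if TEMP_DIR.search(command):
            return Finding(section, "autorun launched from a Temp directory", line)
        if value_name.lower().endswith(".dll"):
            return Finding(section, "autorun value name impersonates a system DLL", line)
        if HEX_BLOB.search(command):
            return Finding(section, "autorun passes a long opaque hex argument", line)

    elif section == "O17":
        # Loopback DNS is a known hijack pattern, but this box runs dns.exe,
        # so the line is flagged for verification rather than as malicious.
        if "NameServer = 127.0.0.1" in body:
            return Finding(section, "DNS points at loopback; confirm a local DNS service is expected", line)

    elif section == "O20":
        # "Winlogon Notify: <key> - <dll path>"
        key = body.split(": ", 1)[1].split(" - ")[0]
        if key.lower() not in KNOWN_NOTIFY:
            return Finding(section, "unrecognised Winlogon Notify package", line)

    elif section == "O24":
        # Active Desktop components are a common Smitfraud artefact.
        return Finding(section, "Active Desktop component present", line)

    return None


def triage(log_text: str):
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```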

random/random
2007-07-06, 21:26
Download the latest version of ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

tkhang81
2007-07-09, 17:47
So I did the scans and the following logs are:

Combofix log:

"Administrator" - 2007-07-08 20:04:54 - ComboFix 07-07-04.4 - Service Pack 4


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-08 08:12 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_cbc.dat
2007-07-07 20:28 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_448.dat
2007-07-06 14:58 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-05 13:38 241,904 --a------ C:\WINNT\UNBOC.EXE
2007-07-05 13:38 208,896 --a------ C:\WINNT\CMDLIC.DLL
2007-07-05 13:38 <DIR> d-------- C:\Program Files\Comodo
2007-07-05 13:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BOC424
2007-07-05 09:30 <DIR> d--h----- C:\WINNT\PIF
2007-07-04 20:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_e78.dat
2007-07-04 20:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_680.dat
2007-07-04 20:14 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_450.dat
2007-06-21 08:09 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_460.dat
2007-06-17 16:07 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_ac4.dat
2007-06-17 15:25 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_620.dat
2007-06-17 15:12 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_400.dat
2007-06-15 08:26 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6e0.dat
2007-06-15 08:23 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_494.dat
2007-06-13 11:45 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_eb4.dat
2007-06-13 09:34 353 --ahs---- C:\WINNT\system32\hjllm.ini2
2007-06-13 08:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6c0.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 15:09:40 -------- d-----w C:\Program Files\Common Files\rmku
2007-07-08 03:26:19 -------- d--ha-w C:\Program Files\WindowsUpdate
2007-07-08 03:19:59 -------- d---a-w C:\Program Files\Accessories
2007-06-08 00:55:08 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-06-06 15:15:36 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_4a0.dat
2007-06-06 03:27:03 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_f50.dat
2007-06-06 03:26:44 14,868 ----a-w C:\WINNT\system32\betkhdep.exe
2007-06-06 03:26:35 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_6c8.dat
2007-06-06 03:19:25 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_454.dat
2007-05-26 14:33:54 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_e9c.dat
2007-05-26 06:13:42 217 ----a-w C:\WINNT\rayiou.exe
2007-05-26 06:13:39 -------- d-----w C:\Program Files\WinTouch
2007-05-26 03:28:23 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_81c.dat
2007-05-25 15:25:44 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_f48.dat
2007-05-25 15:18:18 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_490.dat
2007-05-24 15:28:36 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_eb0.dat
2007-05-22 21:26:33 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\SpywareBot
2007-05-14 21:39:11 65,045 ----a-w C:\WINNT\b138.exe
2007-05-10 16:53:42 -------- d-----w C:\Program Files\DivX
2007-05-09 10:09:42 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_438.dat
2007-05-02 18:04:23 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
2007-05-02 18:04:19 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
2007-05-02 18:04:14 129,784 ----a-w C:\WINNT\system32\pxafs.dll
2007-05-02 18:04:14 118,520 ----a-w C:\WINNT\system32\pxinsi64.exe
2007-05-02 18:04:14 116,472 ----a-w C:\WINNT\system32\pxcpyi64.exe
2007-05-02 18:04:06 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2007-05-02 18:04:05 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-05-02 18:02:06 73,728 ----a-w C:\WINNT\system32\dpl100.dll
2007-05-02 18:02:06 196,608 ----a-w C:\WINNT\system32\dtu100.dll
2007-05-02 18:02:04 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
2007-05-02 18:02:02 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
2007-05-02 18:02:02 57,344 ----a-w C:\WINNT\system32\dpv11.dll
2007-05-02 18:02:02 344,064 ----a-w C:\WINNT\system32\dpus11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINNT\system32\dpu11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINNT\system32\dpu10.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
2007-05-02 18:01:56 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
2007-05-02 18:01:56 740,442 ----a-w C:\WINNT\system32\DivX.dll
2007-05-02 02:33:57 12,288 ----a-w C:\WINNT\system32\DivXWMPExtType.dll
2007-05-02 02:33:56 124,472 ----a-w C:\WINNT\system32\DivXCodecUpdateChecker.exe
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 05:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-15 01:51:11 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_434.dat
2007-04-13 02:48:18 327,952 ----a-w C:\WINNT\system32\DNS.EXE
2007-04-11 15:25:43 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_134.dat
2007-04-11 15:19:07 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_43c.dat
2005-08-02 23:46:54 187,904 --sha-r C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy_VIRUS_delete\asappsrv.dll
2005-07-29 23:24:26 472 --sha-r C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy_VIRUS_delete\oZ55wBL1KHc5xAI4sm1GsrhCKIL5tZ5Wx3pV.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
04-01-07 13:32 272983 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
06-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A0D7F1D-BC3E-4BD8-9442-11FB2D0332AA}]
07-04-06 12:27 139264 --a------ C:\Program Files\WindowsUpdate\vixylex.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DD5F76E-FEAC-4343-9B5F-0E206296C73A}]
07-04-06 12:27 139264 --a------ C:\Program Files\WindowsUpdate\vixylex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [03-07-14 12:30 ]
"BOC-424"="C:\PROGRA~1\Comodo\CBOClean\BOC424.exe" [07-06-14 09:28 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [05-01-04 11:50 ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [04-08-10 12:42 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Accessories\disososys.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-07-07 10:00:00 C:\WINNT\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

**************************************************************************

Completion time: 2007-07-08 20:08:07
C:\ComboFix-quarantined-files.txt ... 07-07-08 20:07

--- E O F ---

tkhang81
2007-07-09, 17:47
Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 08:43, on 2007-07-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\ACS\Back office\Platform\BatchService.exe
C:\ACS\Server\Bin\NCRReceiveUpdatesSvc.exe
c:\ACS\Back office\Platform\SILService.exe
C:\ACS\Server\Bin\tm.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ACS\Binn\sqlservr.exe
C:\ACS\Loader\Programs\acsapsrv.exe
C:\ACS\Back Office\Platform\ASWRegistrationService.exe
C:\ACS\Server\Bin\cswitch.exe
C:\Program Files\NCR\FitClient\NCRTFTPs.exe
C:\ACS\Server\Bin\tms32.exe
C:\Program Files\NCR\FitClient\FitClientLoader.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\ACS\Server\Bin\svcupdate.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\TEMP\cks1.tmp
C:\WINNT\System32\ismserv.exe
C:\WINNT\system32\msdtc.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ACS\Binn\sqlagent.EXE
C:\ACS\Server\Bin\aup.exe
C:\ACS\Server\Bin\closemgr.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\DeptReptExt.exe
C:\ACS\Server\Bin\posoffl.exe
c:\acs\Loader\Programs\acsapsrv.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Back office\Platform\TLogAccumulator.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\server\bin\cmhostctf.exe
C:\ACS\Server\Bin\cmol.exe
c:\acs\Loader\Programs\acsapsrv.exe
C:\ACS\Loader\Programs\acsapsrv.exe
C:\ACS\Server\Bin\drpurge.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\acsproc.exe
C:\ACS\Server\Bin\MRMServer.exe
C:\ACS\Server\Bin\mrmSqlServer.exe
C:\ACS\Server\Bin\PLUExceptionExtractHost.exe
C:\ACS\Server\Bin\resmgr.exe
C:\ACS\Server\Bin\logmgr.exe
C:\ACS\Server\Bin\accmgr.exe
C:\ACS\Server\Bin\iftrpmgr.exe
C:\ACS\Server\Bin\cmhost.exe
C:\ACS\Server\Bin\corrmgr.exe
C:\ACS\Server\Bin\offmgr.exe
C:\ACS\Server\Bin\hostmgr.exe
C:\ACS\Server\Bin\clubctf.exe
C:\ACS\Server\Bin\casmgr.exe
C:\ACS\Server\Bin\sopup.exe
C:\ACS\Server\Bin\cmctf.exe
C:\ACS\Server\Bin\timemgr.exe
C:\ACS\Server\Bin\sreqpipe.exe
C:\ACS\Server\Bin\srsppipe.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Citrix\GoToMeeting\190\g2mstart.exe
C:\Program Files\Lynk\Integra\LynkIntegraClient.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Citrix\GoToMeeting\190\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\190\g2mlauncher.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\explorer.exe
C:\ACS\Back office\Platform\ASWShell.exe
C:\Program Files\Lynk\Integra\LynkIntegraServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A0D7F1D-BC3E-4BD8-9442-11FB2D0332AA} - C:\Program Files\WindowsUpdate\vixylex.dll
O2 - BHO: (no name) - {6DD5F76E-FEAC-4343-9B5F-0E206296C73A} - C:\Program Files\WindowsUpdate\vixylex.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lynk Integra Server.LNK = C:\Program Files\Lynk\Integra\LynkIntegraServer.exe
O4 - Global Startup: LynkIntegraClient.LNK = C:\Program Files\Lynk\Integra\LynkIntegraClient.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8771438C-67D3-4436-A649-0E405C31E072}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9104A1FA-F3D6-4354-90B3-A3A4C9014955}: NameServer = 127.0.0.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: ACS Batch Service - - c:\ACS\Back office\Platform\BatchService.exe
O23 - Service: ACS Receive Updates - NCR - C:\ACS\Server\Bin\NCRReceiveUpdatesSvc.exe
O23 - Service: ACS SIL Service - - c:\ACS\Back office\Platform\SILService.exe
O23 - Service: ACS Task Manager - NCR - C:\ACS\Server\Bin\tm.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Application Load Server (NCR Application Load Server) - NCR - C:\ACS\Loader\Programs\acsapsrv.exe
O23 - Service: NCR TFTP Service - NCR - C:\Program Files\NCR\FitClient\NCRTFTPs.exe
O23 - Service: NCR FitClient Loader (NCRFitClientLoader) - NCR - C:\Program Files\NCR\FitClient\FitClientLoader.exe
O23 - Service: RSH Daemon (rshd) - Unknown owner - C:\scot\bin\rshd.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SvcUpdate - NCR - C:\ACS\Server\Bin\svcupdate.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\disososys.html

--
End of file - 8489 bytes

random/random
2007-07-09, 19:27
Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there (except for "My current home page").


Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

File::
C:\WINNT\system32\hjllm.ini2
C:\WINNT\rayiou.exe
C:\WINNT\b138.exe
C:\Program Files\Accessories\disososys.html


Folder::
C:\Program Files\WindowsUpdate


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A0D7F1D-BC3E-4BD8-9442-11FB2D0332AA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DD5F76E-FEAC-4343-9B5F-0E206296C73A}]


Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as ComboFix-Do.txt
Now drag and drop ComboFix-Do.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

tkhang81
2007-07-10, 17:02
"Administrator" - 2007-07-09 20:07:55 - ComboFix 07-07-04.4 - Service Pack 4
Command switches used :: C:\Documents and Settings\Administrator\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\WindowsUpdate
C:\Program Files\WindowsUpdate\V4\iuhist.xml
C:\Program Files\WindowsUpdate\vixylex.dll
C:\WINNT\b138.exe
C:\WINNT\rayiou.exe
C:\WINNT\system32\hjllm.ini2


((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


2007-07-08 20:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-08 08:12 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_cbc.dat
2007-07-07 20:28 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_448.dat
2007-07-06 14:58 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-05 13:38 241,904 --a------ C:\WINNT\UNBOC.EXE
2007-07-05 13:38 208,896 --a------ C:\WINNT\CMDLIC.DLL
2007-07-05 13:38 <DIR> d-------- C:\Program Files\Comodo
2007-07-05 13:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BOC424
2007-07-05 09:30 <DIR> d--h----- C:\WINNT\PIF
2007-07-04 20:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_e78.dat
2007-07-04 20:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_680.dat
2007-07-04 20:14 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_450.dat
2007-06-21 08:09 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_460.dat
2007-06-17 16:07 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_ac4.dat
2007-06-17 15:25 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_620.dat
2007-06-17 15:12 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_400.dat
2007-06-15 08:26 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6e0.dat
2007-06-15 08:23 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_494.dat
2007-06-13 11:45 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_eb4.dat
2007-06-13 08:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6c0.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 15:09:40 -------- d-----w C:\Program Files\Common Files\rmku
2007-07-08 03:19:59 -------- d---a-w C:\Program Files\Accessories
2007-06-08 00:55:08 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-06-06 15:15:36 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_4a0.dat
2007-06-06 03:27:03 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_f50.dat
2007-06-06 03:26:44 14,868 ----a-w C:\WINNT\system32\betkhdep.exe
2007-06-06 03:26:35 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_6c8.dat
2007-06-06 03:19:25 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_454.dat
2007-05-26 14:33:54 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_e9c.dat
2007-05-26 06:13:39 -------- d-----w C:\Program Files\WinTouch
2007-05-26 03:28:23 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_81c.dat
2007-05-25 15:25:44 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_f48.dat
2007-05-25 15:18:18 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_490.dat
2007-05-24 15:28:36 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_eb0.dat
2007-05-22 21:26:33 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\SpywareBot
2007-05-10 16:53:42 -------- d-----w C:\Program Files\DivX
2007-05-09 10:09:42 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_438.dat
2007-05-02 18:04:23 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
2007-05-02 18:04:19 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
2007-05-02 18:04:14 129,784 ----a-w C:\WINNT\system32\pxafs.dll
2007-05-02 18:04:14 118,520 ----a-w C:\WINNT\system32\pxinsi64.exe
2007-05-02 18:04:14 116,472 ----a-w C:\WINNT\system32\pxcpyi64.exe
2007-05-02 18:04:06 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2007-05-02 18:04:05 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-05-02 18:02:06 73,728 ----a-w C:\WINNT\system32\dpl100.dll
2007-05-02 18:02:06 196,608 ----a-w C:\WINNT\system32\dtu100.dll
2007-05-02 18:02:04 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
2007-05-02 18:02:02 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
2007-05-02 18:02:02 57,344 ----a-w C:\WINNT\system32\dpv11.dll
2007-05-02 18:02:02 344,064 ----a-w C:\WINNT\system32\dpus11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINNT\system32\dpu11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINNT\system32\dpu10.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
2007-05-02 18:01:56 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
2007-05-02 18:01:56 740,442 ----a-w C:\WINNT\system32\DivX.dll
2007-05-02 02:33:57 12,288 ----a-w C:\WINNT\system32\DivXWMPExtType.dll
2007-05-02 02:33:56 124,472 ----a-w C:\WINNT\system32\DivXCodecUpdateChecker.exe
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 05:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-15 01:51:11 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_434.dat
2007-04-13 02:48:18 327,952 ----a-w C:\WINNT\system32\DNS.EXE
2007-04-11 15:25:43 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_134.dat
2007-04-11 15:19:07 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_43c.dat
2005-08-02 23:46:54 187,904 --sha-r C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy_VIRUS_delete\asappsrv.dll
2005-07-29 23:24:26 472 --sha-r C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy_VIRUS_delete\oZ55wBL1KHc5xAI4sm1GsrhCKIL5tZ5Wx3pV.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
04-01-07 13:32 272983 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
06-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [03-07-14 12:30 ]
"BOC-424"="C:\PROGRA~1\Comodo\CBOClean\BOC424.exe" [07-06-14 09:28 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [05-01-04 11:50 ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [04-08-10 12:42 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN

*Newly Created Service* - CATCHME
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-07-09 10:00:00 C:\WINNT\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

**************************************************************************

Completion time: 2007-07-09 20:10:21
C:\ComboFix-quarantined-files.txt ... 07-07-09 20:09
C:\ComboFix2.txt ... 07-07-08 20:08

--- E O F ---

tkhang81
2007-07-10, 17:03
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:13, on 2007-07-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\ACS\Back office\Platform\BatchService.exe
C:\ACS\Server\Bin\NCRReceiveUpdatesSvc.exe
c:\ACS\Back office\Platform\SILService.exe
C:\ACS\Server\Bin\tm.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ACS\Binn\sqlservr.exe
C:\ACS\Loader\Programs\acsapsrv.exe
C:\ACS\Back Office\Platform\ASWRegistrationService.exe
C:\ACS\Server\Bin\cswitch.exe
C:\Program Files\NCR\FitClient\NCRTFTPs.exe
C:\ACS\Server\Bin\tms32.exe
C:\Program Files\NCR\FitClient\FitClientLoader.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\ACS\Server\Bin\svcupdate.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\TEMP\cks1.tmp
C:\WINNT\System32\ismserv.exe
C:\WINNT\system32\msdtc.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ACS\Binn\sqlagent.EXE
C:\ACS\Server\Bin\aup.exe
C:\ACS\Server\Bin\closemgr.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\DeptReptExt.exe
C:\ACS\Server\Bin\posoffl.exe
c:\acs\Loader\Programs\acsapsrv.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Back office\Platform\TLogAccumulator.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\server\bin\cmhostctf.exe
C:\ACS\Server\Bin\cmol.exe
c:\acs\Loader\Programs\acsapsrv.exe
C:\ACS\Loader\Programs\acsapsrv.exe
C:\ACS\Server\Bin\drpurge.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\acsproc.exe
C:\ACS\Server\Bin\MRMServer.exe
C:\ACS\Server\Bin\mrmSqlServer.exe
C:\ACS\Server\Bin\PLUExceptionExtractHost.exe
C:\ACS\Server\Bin\resmgr.exe
C:\ACS\Server\Bin\logmgr.exe
C:\ACS\Server\Bin\accmgr.exe
C:\ACS\Server\Bin\iftrpmgr.exe
C:\ACS\Server\Bin\cmhost.exe
C:\ACS\Server\Bin\corrmgr.exe
C:\ACS\Server\Bin\offmgr.exe
C:\ACS\Server\Bin\hostmgr.exe
C:\ACS\Server\Bin\clubctf.exe
C:\ACS\Server\Bin\casmgr.exe
C:\ACS\Server\Bin\sopup.exe
C:\ACS\Server\Bin\cmctf.exe
C:\ACS\Server\Bin\timemgr.exe
C:\ACS\Server\Bin\sreqpipe.exe
C:\ACS\Server\Bin\srsppipe.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Citrix\GoToMeeting\190\g2mstart.exe
C:\Program Files\Lynk\Integra\LynkIntegraClient.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Citrix\GoToMeeting\190\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\190\g2mlauncher.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Lynk\Integra\LynkIntegraServer.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lynk Integra Server.LNK = C:\Program Files\Lynk\Integra\LynkIntegraServer.exe
O4 - Global Startup: LynkIntegraClient.LNK = C:\Program Files\Lynk\Integra\LynkIntegraClient.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8771438C-67D3-4436-A649-0E405C31E072}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9104A1FA-F3D6-4354-90B3-A3A4C9014955}: NameServer = 127.0.0.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: ACS Batch Service - - c:\ACS\Back office\Platform\BatchService.exe
O23 - Service: ACS Receive Updates - NCR - C:\ACS\Server\Bin\NCRReceiveUpdatesSvc.exe
O23 - Service: ACS SIL Service - - c:\ACS\Back office\Platform\SILService.exe
O23 - Service: ACS Task Manager - NCR - C:\ACS\Server\Bin\tm.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Application Load Server (NCR Application Load Server) - NCR - C:\ACS\Loader\Programs\acsapsrv.exe
O23 - Service: NCR TFTP Service - NCR - C:\Program Files\NCR\FitClient\NCRTFTPs.exe
O23 - Service: NCR FitClient Loader (NCRFitClientLoader) - NCR - C:\Program Files\NCR\FitClient\FitClientLoader.exe
O23 - Service: RSH Daemon (rshd) - Unknown owner - C:\scot\bin\rshd.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SvcUpdate - NCR - C:\ACS\Server\Bin\svcupdate.exe

--
End of file - 8103 bytes

random/random
2007-07-10, 20:54
Go here (http://www.kaspersky.com/virusscanner) to run an online scanner from Kaspersky.

Click on "Kaspersky Online Scanner"
A new smaller window will pop up. After reading the contents, press "Accept".
Now Kaspersky will update the anti-virus database. Let it run.
Click on "Next">"Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
Then click on "My Computer", and the scan will start.
Once finished, save the log as "KAV.txt" to the desktop.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post back with the kaspersky log, a new HijackThis log & let me know of any remaining problems

tkhang81
2007-07-11, 01:04
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-07-10 15:59
Operating System: Microsoft Windows 2000, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/07/2007
Kaspersky Anti-Virus database records: 360559
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 26580
Number of viruses found: 40
Number of infected objects: 77 / 0
Number of suspicious objects: 2
Duration of the scan process: 00:46:40

Infected Object Name / Virus Name / Last Action
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\batch.mdf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\batch_log.ldf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\customer.mdf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\customer_log.ldf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\deptData.mdf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\deptData_log.ldf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\ej.mdf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\ej_log.ldf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\item.mdf Object is locked skipped
C:\ACS\Back office\MSDE\MSSQL$ACS\Data\item_log.ldf Object is locked skipped
C:\ACS\Back office\Platform\ASWShell.ldb Object is locked skipped
C:\ACS\Back office\Platform\ASWShell.MDB Object is locked skipped
C:\ACS\Loader\logs\acsapsrv.log Object is locked skipped
C:\ACS\Loader\logs\nodes.xml Object is locked skipped
C:\ACS\Loader\logs\PluMirror.log Object is locked skipped
C:\ACS\Loader\logs\service.log Object is locked skipped
C:\ACS\Loader\logs\TlogMirror.log Object is locked skipped
C:\ACS\server\data\.001 Object is locked skipped
C:\ACS\server\data\accmgr.log Object is locked skipped
C:\ACS\server\data\ASPOOL Object is locked skipped
C:\ACS\server\data\CACC Object is locked skipped
C:\ACS\server\data\CASEOD Object is locked skipped
C:\ACS\server\data\CASFIL Object is locked skipped
C:\ACS\server\data\CASLOG Object is locked skipped
C:\ACS\server\data\casmgr.log Object is locked skipped
C:\ACS\server\data\CCMOPS Object is locked skipped
C:\ACS\server\data\CCMPAC Object is locked skipped
C:\ACS\server\data\CDEPT Object is locked skipped
C:\ACS\server\data\CEXPT Object is locked skipped
C:\ACS\server\data\CLBHIS.024 Object is locked skipped
C:\ACS\server\data\CLOST Object is locked skipped
C:\ACS\server\data\CMFILE Object is locked skipped
C:\ACS\server\data\CMISC Object is locked skipped
C:\ACS\server\data\cmMidway.log Object is locked skipped
C:\ACS\server\data\CMOVE Object is locked skipped
C:\ACS\server\data\CMQGLB Object is locked skipped
C:\ACS\server\data\CMQLOC Object is locked skipped
C:\ACS\server\data\CMUDC.191 Object is locked skipped
C:\ACS\server\data\CMUDCH Object is locked skipped
C:\ACS\server\data\COFF Object is locked skipped
C:\ACS\server\data\COPERC Object is locked skipped
C:\ACS\server\data\COPERD Object is locked skipped
C:\ACS\server\data\COPERT Object is locked skipped
C:\ACS\server\data\corrmgr.log Object is locked skipped
C:\ACS\server\data\CREST Object is locked skipped
C:\ACS\server\data\CSTRE Object is locked skipped
C:\ACS\server\data\CSTRPR Object is locked skipped
C:\ACS\server\data\CTALLY Object is locked skipped
C:\ACS\server\data\CTEND Object is locked skipped
C:\ACS\server\data\CTERMC Object is locked skipped
C:\ACS\server\data\CTERMD Object is locked skipped
C:\ACS\server\data\CTERMO Object is locked skipped
C:\ACS\server\data\CTERMT Object is locked skipped
C:\ACS\server\data\CTFDIR Object is locked skipped
C:\ACS\server\data\CTFRST Object is locked skipped
C:\ACS\server\data\DUPRCP Object is locked skipped
C:\ACS\server\data\EFTERR Object is locked skipped
C:\ACS\server\data\EFTIDX Object is locked skipped
C:\ACS\server\data\EFTLOG.061 Object is locked skipped
C:\ACS\server\data\EFTLWK Object is locked skipped
C:\ACS\server\data\EFTOAC.061 Object is locked skipped
C:\ACS\server\data\EFTOFF Object is locked skipped
C:\ACS\server\data\EFTONO.061 Object is locked skipped
C:\ACS\server\data\EFTPFF.061 Object is locked skipped
C:\ACS\server\data\EFTRCP.061 Object is locked skipped
C:\ACS\server\data\EFTREJ.061 Object is locked skipped
C:\ACS\server\data\EFTSAC.061 Object is locked skipped
C:\ACS\server\data\EFTTAC.061 Object is locked skipped
C:\ACS\server\data\EFTTNO.061 Object is locked skipped
C:\ACS\server\data\Exment.281 Object is locked skipped
C:\ACS\server\data\EXMPAR Object is locked skipped
C:\ACS\server\data\FILLST Object is locked skipped
C:\ACS\server\data\gdblconf.dat Object is locked skipped
C:\ACS\server\data\gdbmdist.000 Object is locked skipped
C:\ACS\server\data\gdbmdist.001 Object is locked skipped
C:\ACS\server\data\gdbmdist.002 Object is locked skipped
C:\ACS\server\data\gdbnodes.dat Object is locked skipped
C:\ACS\server\data\gdbsvset.dat Object is locked skipped
C:\ACS\server\data\gdbtlogb.dat Object is locked skipped
C:\ACS\server\data\hostmgr.log Object is locked skipped
C:\ACS\server\data\IFTRP Object is locked skipped
C:\ACS\server\data\logmgr.log Object is locked skipped
C:\ACS\server\data\OCF Object is locked skipped
C:\ACS\server\data\offmgr.log Object is locked skipped
C:\ACS\server\data\OPAUTH Object is locked skipped
C:\ACS\server\data\PLU Object is locked skipped
C:\ACS\server\data\PRTARE Object is locked skipped
C:\ACS\server\data\sreqpipe.log Object is locked skipped
C:\ACS\server\data\srsppipe.log Object is locked skipped
C:\ACS\server\data\TCF Object is locked skipped
C:\ACS\server\data\TLOG_C.004 Object is locked skipped
C:\ACS\server\data\TLOG_X.004 Object is locked skipped
C:\ACS\server\data\TRXIDX Object is locked skipped
C:\ACS\server\data\UMWOP Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\73cujeem.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\CitrixLogs\gotomeeting\190\G2MOutlookAddin_util.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\CitrixLogs\gotomeeting\190\log5A6.tmp\G2MStart.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\CitrixLogs\gotomeeting\190\log5A6.tmp\GoToMeeting.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\G2MCodec.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\JETE37F.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4E8F.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF578F.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFEB0D.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\BOC424\evidence.boc Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6399d68f68fb1cbcae0a72a7f1c46a1f_811cd955-81ff-479f-ba74-2a8d34db01cb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/retadpu.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip ZIP: suspicious - 1 skipped
C:\Inetpub\nntpfile\article.hsh Object is locked skipped
C:\Inetpub\nntpfile\group.lst Object is locked skipped
C:\Inetpub\nntpfile\groupvar.lst Object is locked skipped
C:\Inetpub\nntpfile\history.hsh Object is locked skipped
C:\Inetpub\nntpfile\root\control\group.vpp Object is locked skipped
C:\Inetpub\nntpfile\root\group.vpp Object is locked skipped
C:\Inetpub\nntpfile\root\_slavegroup\group.vpp Object is locked skipped
C:\Inetpub\nntpfile\xover.hsh Object is locked skipped
C:\Program Files\Beach Islands Screensaver\BeachIslands.exe Infected: not-a-virus:AdWare.Win32.GAINNetwork.b skipped
C:\Program Files\Beach Islands Screensaver\BI1Helper.exe Infected: not-a-virus:AdWare.Win32.Gator.1008 skipped
C:\Program Files\Beach Islands Screensaver\BI1Uninstaller.exe Infected: not-a-virus:AdWare.Win32.Gator.l skipped
C:\Program Files\Common Files\rmku\rmkul.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Program Files\Common Files\rmku\rmkup.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Program Files\Lynk\Integra\data\batcldts.dat Object is locked skipped
C:\Program Files\Lynk\Integra\data\batcldts.n1 Object is locked skipped
C:\Program Files\Lynk\Integra\data\batcldts.nd Object is locked skipped
C:\Program Files\Lynk\Integra\data\errLog.dat Object is locked skipped
C:\Program Files\Lynk\Integra\data\errLog.n1 Object is locked skipped
C:\Program Files\Lynk\Integra\data\errLog.nd Object is locked skipped
C:\Program Files\Lynk\Integra\data\msgLog.dat Object is locked skipped
C:\Program Files\Lynk\Integra\data\msgLog.n1 Object is locked skipped
C:\Program Files\Lynk\Integra\data\msgLog.n2 Object is locked skipped
C:\Program Files\Lynk\Integra\data\msgLog.n3 Object is locked skipped
C:\Program Files\Lynk\Integra\data\msgLog.n4 Object is locked skipped
C:\Program Files\Lynk\Integra\data\msgLog.n5 Object is locked skipped
C:\Program Files\Lynk\Integra\data\msgLog.n6 Object is locked skipped
C:\Program Files\Lynk\Integra\data\msgLog.nd Object is locked skipped
C:\Program Files\Lynk\Integra\data\strfwdtr.dat Object is locked skipped
C:\Program Files\Lynk\Integra\data\strfwdtr.n1 Object is locked skipped
C:\Program Files\Lynk\Integra\data\strfwdtr.n2 Object is locked skipped
C:\Program Files\Lynk\Integra\data\strfwdtr.n3 Object is locked skipped
C:\Program Files\Lynk\Integra\data\strfwdtr.n4 Object is locked skipped
C:\Program Files\Lynk\Integra\data\strfwdtr.n5 Object is locked skipped
C:\Program Files\Lynk\Integra\data\strfwdtr.nd Object is locked skipped
C:\Program Files\Lynk\Integra\seq.dat Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACS\LOG\SQLAGENT.OUT Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Accessories\zykifuzit.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\WindowsUpdate\vixylex.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINNT\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINNT\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b136.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINNT\b138.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b138.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b138.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINNT\DOWNLO~1\USDR6_0001_D19M2108NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.q skipped
C:\QooBox\Quarantine\C\WINNT\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINNT\system32\awgfoapu.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINNT\system32\begevkbk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\cbxvuts.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\ddaya.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINNT\system32\drivers\core.sys.vir Infected: Rootkit.Win32.Agent.eq skipped
C:\QooBox\Quarantine\C\WINNT\system32\ecptiyec.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\QooBox\Quarantine\C\WINNT\system32\gebyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINNT\system32\hathofay.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kb skipped
C:\QooBox\Quarantine\C\WINNT\system32\hggdcbx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\ikwxcsax.dll.vir Infected: Packed.Win32.Klone.j skipped
C:\QooBox\Quarantine\C\WINNT\system32\j1201136.dll.vir Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\QooBox\Quarantine\C\WINNT\system32\naoqqxay.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\QooBox\Quarantine\C\WINNT\system32\o02PrEz\o02PrEz1065.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINNT\system32\pvletobm.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\QooBox\Quarantine\C\WINNT\system32\qafnvduu.exe.vir Infected: Trojan.Win32.Agent.anr skipped
C:\QooBox\Quarantine\C\WINNT\system32\skocpnqj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINNT\system32\tmqmqjhj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINNT\system32\tuvstrq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\ujrsanru.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\QooBox\Quarantine\C\WINNT\system32\urqnkji.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\vggfihyo.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINNT\system32\wptpdelv.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\WINNT\$_hpcst$.hpc Object is locked skipped
C:\WINNT\b103.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\WINNT\b103.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINNT\b103.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINNT\b103.exe NSIS: infected - 3 skipped
C:\WINNT\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINNT\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

tkhang81
2007-07-11, 01:05
C:\WINNT\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINNT\b104.exe NSIS: infected - 3 skipped
C:\WINNT\b128.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\WINNT\b128.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\WINNT\b128.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINNT\b128.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINNT\b128.exe NSIS: infected - 4 skipped
C:\WINNT\b129.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINNT\b129.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINNT\b129.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINNT\b129.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINNT\b129.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINNT\b129.exe NSIS: infected - 5 skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\NtFrs_0005.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\NETLOGON.CHG Object is locked skipped
C:\WINNT\NTDS\edb.log Object is locked skipped
C:\WINNT\NTDS\ntds.dit Object is locked skipped
C:\WINNT\NTDS\temp.edb Object is locked skipped
C:\WINNT\ntfrs\jet\log\edb.log Object is locked skipped
C:\WINNT\ntfrs\jet\ntfrs.jdb Object is locked skipped
C:\WINNT\ntfrs\jet\temp\tmp.edb Object is locked skipped
C:\WINNT\retadpu1000106.exe.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\WINNT\retadpu2000219.exe.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\Beach Islands Screensaver.scr Infected: not-a-virus:AdWare.Win32.GAINNetwork.c skipped
C:\WINNT\system32\betkhdep.exe Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\DnsEvent.Evt Object is locked skipped
C:\WINNT\system32\config\NTDS.Evt Object is locked skipped
C:\WINNT\system32\config\NtFrs.Evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\dhcp\dhcp.mdb Object is locked skipped
C:\WINNT\system32\dhcp\DhcpSrvLog.Tue Object is locked skipped
C:\WINNT\system32\dhcp\j50.log Object is locked skipped
C:\WINNT\system32\dhcp\tmp.edb Object is locked skipped
C:\WINNT\system32\dns\dns.log Object is locked skipped
C:\WINNT\system32\DTCLog\MSDTC.LOG Object is locked skipped
C:\WINNT\system32\LogFiles\W3SVC1\ex070710.log Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_448.dat Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_cbc.dat Object is locked skipped
C:\WINNT\system32\T1QaSQ\T1QaSQ1065.exe Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\WINNT\system32\T2\dlb66.exe/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\WINNT\system32\T2\dlb66.exe/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\WINNT\system32\T2\dlb66.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\WINNT\system32\T2\dlb66.exe ZIP: infected - 3 skipped
C:\WINNT\system32\T2\dlb66.exe WiseSFX Dropper: infected - 3 skipped
C:\WINNT\system32\T3\dlltk67.exe Infected: Trojan.Win32.BHO.ab skipped
C:\WINNT\system32\T4\d5ll.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\WINNT\system32\T6\dlwr.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\WINNT\Temp\hsperfdata_SYSTEM\1300 Object is locked skipped
C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy_VIRUS_delete\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy_VIRUS_delete\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

tkhang81
2007-07-11, 01:06
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:00, on 2007-07-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\ACS\Back office\Platform\BatchService.exe
C:\ACS\Server\Bin\NCRReceiveUpdatesSvc.exe
c:\ACS\Back office\Platform\SILService.exe
C:\ACS\Server\Bin\tm.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ACS\Binn\sqlservr.exe
C:\ACS\Loader\Programs\acsapsrv.exe
C:\ACS\Back Office\Platform\ASWRegistrationService.exe
C:\ACS\Server\Bin\cswitch.exe
C:\Program Files\NCR\FitClient\NCRTFTPs.exe
C:\ACS\Server\Bin\tms32.exe
C:\Program Files\NCR\FitClient\FitClientLoader.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\ACS\Server\Bin\svcupdate.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\TEMP\cks1.tmp
C:\WINNT\System32\ismserv.exe
C:\WINNT\system32\msdtc.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ACS\Binn\sqlagent.EXE
C:\ACS\Server\Bin\aup.exe
C:\ACS\Server\Bin\closemgr.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\DeptReptExt.exe
C:\ACS\Server\Bin\posoffl.exe
c:\acs\Loader\Programs\acsapsrv.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Back office\Platform\TLogAccumulator.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\server\bin\cmhostctf.exe
C:\ACS\Server\Bin\cmol.exe
c:\acs\Loader\Programs\acsapsrv.exe
C:\ACS\Loader\Programs\acsapsrv.exe
C:\ACS\Server\Bin\drpurge.exe
C:\ACS\Server\Bin\perl.exe
C:\ACS\Server\Bin\acsproc.exe
C:\ACS\Server\Bin\MRMServer.exe
C:\ACS\Server\Bin\mrmSqlServer.exe
C:\ACS\Server\Bin\PLUExceptionExtractHost.exe
C:\ACS\Server\Bin\resmgr.exe
C:\ACS\Server\Bin\logmgr.exe
C:\ACS\Server\Bin\accmgr.exe
C:\ACS\Server\Bin\iftrpmgr.exe
C:\ACS\Server\Bin\cmhost.exe
C:\ACS\Server\Bin\corrmgr.exe
C:\ACS\Server\Bin\offmgr.exe
C:\ACS\Server\Bin\hostmgr.exe
C:\ACS\Server\Bin\clubctf.exe
C:\ACS\Server\Bin\casmgr.exe
C:\ACS\Server\Bin\sopup.exe
C:\ACS\Server\Bin\cmctf.exe
C:\ACS\Server\Bin\timemgr.exe
C:\ACS\Server\Bin\sreqpipe.exe
C:\ACS\Server\Bin\srsppipe.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Citrix\GoToMeeting\190\g2mstart.exe
C:\Program Files\Lynk\Integra\LynkIntegraClient.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Citrix\GoToMeeting\190\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\190\g2mlauncher.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Lynk\Integra\LynkIntegraServer.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\ACS\Back office\Platform\ASWShell.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\ACS\Back Office\Platform\AppSplash.exe
C:\ACS\Back Office\Platform\PLUMaintenance.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lynk Integra Server.LNK = C:\Program Files\Lynk\Integra\LynkIntegraServer.exe
O4 - Global Startup: LynkIntegraClient.LNK = C:\Program Files\Lynk\Integra\LynkIntegraClient.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8771438C-67D3-4436-A649-0E405C31E072}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9104A1FA-F3D6-4354-90B3-A3A4C9014955}: NameServer = 127.0.0.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: ACS Batch Service - - c:\ACS\Back office\Platform\BatchService.exe
O23 - Service: ACS Receive Updates - NCR - C:\ACS\Server\Bin\NCRReceiveUpdatesSvc.exe
O23 - Service: ACS SIL Service - - c:\ACS\Back office\Platform\SILService.exe
O23 - Service: ACS Task Manager - NCR - C:\ACS\Server\Bin\tm.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Application Load Server (NCR Application Load Server) - NCR - C:\ACS\Loader\Programs\acsapsrv.exe
O23 - Service: NCR TFTP Service - NCR - C:\Program Files\NCR\FitClient\NCRTFTPs.exe
O23 - Service: NCR FitClient Loader (NCRFitClientLoader) - NCR - C:\Program Files\NCR\FitClient\FitClientLoader.exe
O23 - Service: RSH Daemon (rshd) - Unknown owner - C:\scot\bin\rshd.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SvcUpdate - NCR - C:\ACS\Server\Bin\svcupdate.exe

--
End of file - 8539 bytes

random/random
2007-07-11, 18:37
Go to Start> Control Panel> Add or Remove Programs.

Remove the following program, if present.

Beach Islands Screensaver


Acrobat Reader is outdated; uninstall the one you have installed and install the latest one from here:

http://www.adobe.com/products/acrobat/readstep2.html

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
Then close all windows except HijackThis and click Fix Checked


Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

File::
C:\WINNT\b103.exe
C:\WINNT\b104.exe
C:\WINNT\b128.exe
C:\WINNT\b129.exe
C:\WINNT\retadpu1000106.exe.tmp
C:\WINNT\retadpu2000219.exe.tmp
C:\WINNT\system32\Beach Islands Screensaver.scr
C:\WINNT\system32\betkhdep.exe


Folder::
C:\Program Files\Beach Islands Screensaver
C:\Program Files\Common Files\rmku
C:\WINNT\system32\T1QaSQ
C:\WINNT\system32\T2
C:\WINNT\system32\T3
C:\WINNT\system32\T4
C:\WINNT\system32\T6
C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy_VIRUS_delete
C:\WINNT\U2llcnJhIE5ldmFkYSBDYXNoIFJlZ2lzdGVy_VIRUS_delete

Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as ComboFix-Do.txt
Now drag and drop ComboFix-Do.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
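The helper built the File:: list above by hand from the scanner report posted earlier in the thread. As an added example (not a tool from the thread, from the helper, or from Kaspersky or ComboFix), the script below does that triage mechanically: it reads report lines in the quoted format, drops the "Object is locked skipped" entries (system files that were merely in use, not detections), folds archive members such as `b103.exe/stream/data0002` back onto the on-disk container file, sets aside anything already sitting in the ComboFix quarantine under `C:\QooBox`, and renders the remaining files as a File:: section. The sample lines are constructed from paths that appear in the report; the quarantine prefix and the line shapes are assumptions taken from that report.

```python
"""Triage a Kaspersky online-scanner report into actionable items (added example)."""
import re

# One pattern for the three line shapes seen in the report. The path is matched
# lazily so that directory names containing spaces ("Program Files") are kept.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<container>[A-Za-z ]+): infected - (?P<count>\d+))"
    r" skipped$"
)

# Assumption from the thread: ComboFix keeps its quarantine here.
QUARANTINE_PREFIX = "C:\\QooBox\\Quarantine\\"

# Constructed sample: a handful of lines in the same format as the posted report.
SAMPLE_LOG = r"""
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\b103.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\WINNT\b103.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINNT\b103.exe NSIS: infected - 3 skipped
C:\WINNT\system32\T2\dlb66.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\WINNT\system32\T2\dlb66.exe WiseSFX Dropper: infected - 3 skipped
C:\QooBox\Quarantine\C\WINNT\system32\ddaya.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Program Files\Common Files\rmku\rmkul.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\WINNT\system32\Beach Islands Screensaver.scr Infected: not-a-virus:AdWare.Win32.GAINNetwork.c skipped
Scan process completed.
"""


def parse_line(line):
    """Return {'file', 'kind', 'name'} for one report line, or None if unrecognised.

    'file' is the container on disk: for 'x.exe/stream/data0002' that is 'x.exe',
    since the scanner names archive/installer members with a forward-slash suffix
    that does not exist as a separate file.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    container = m.group("path").split("/", 1)[0]   # Windows paths never contain '/'
    if m.group("locked"):
        return {"file": container, "kind": "locked", "name": None}
    if m.group("name"):
        return {"file": container, "kind": "infected", "name": m.group("name")}
    # Archive summary line ("NSIS: infected - 3"): the members above it already
    # carry the detection names, so only the container is recorded.
    return {"file": container, "kind": "infected", "name": None}


def triage(report_text):
    """Split a report into locked files, already-quarantined items and active detections."""
    locked, quarantined, active = [], {}, {}   # dicts keep insertion order (3.7+)
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "locked":
            locked.append(rec["file"])
            continue
        bucket = quarantined if rec["file"].startswith(QUARANTINE_PREFIX) else active
        names = bucket.setdefault(rec["file"], [])
        if rec["name"] and rec["name"] not in names:
            names.append(rec["name"])
    return {"locked": locked, "quarantined": quarantined, "active": active}


def cfscript_file_section(active):
    """Render a ComboFix-style File:: block from the active detections."""
    return "File::\n" + "\n".join(active) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, names in result["active"].items():
        print(f"{path}  <-  {', '.join(names)}")
    print(f"{len(result['locked'])} locked (ignored), "
          f"{len(result['quarantined'])} already quarantined")
    print(cfscript_file_section(result["active"]))
```

Folders such as `C:\WINNT\system32\T2` are still a human call: the script tells you which files were detected, and the helper decides from the surrounding directory layout whether the whole folder is disposable.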

tashi
2007-07-20, 01:15
Due to lack of a response to helper this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.