
Virtumonde is killing me



chaba
2007-08-16, 21:30
Guys, could anybody help me with this...
I have a problem with this PC at my work, and I am fed up with lamers coming and telling me that they can format it for a fee!!! I know how to format it but just can't, because of the whole bunch of programs and the server whose installation I do not have!!!
I tried Spybot and VundoFix and nothing works...
I made a HijackThis log so you could have insight...
Thanks a lot for any help provided...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:25:49, on 16/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\sysems.exe
C:\WINDOWS\system32\sscc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\WINDOWS\ASUSKBService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system\ehSched.exe
C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\urdvxc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscvs.exe
C:\WINDOWS\system32\wspvs.exe
C:\Documents and Settings\nm\Desktop\HijackThis.exe
C:\WINDOWS\System32\HPBPRO.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020307 serial=DR12CUS-2178927-HVQ lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKLM\..\Run: [sixer566] C:\WINDOWS\system32\sscc.exe
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [amsgupdate] C:\WINDOWS\system32\ams.exe
O4 - HKLM\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" *
O4 - HKLM\..\Run: [Windows Server Client Verification Service] "C:\WINDOWS\system32\wscvs.exe" *
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] msvccl.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKCU\..\Run: [sixer566] C:\WINDOWS\system32\sscc.exe
O4 - HKCU\..\Run: [amsgupdate] C:\WINDOWS\system32\ams.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{86C17F17-51A5-4816-8CF8-2783079DA9E9}: NameServer = 195.222.32.10,195.222.32.20
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Media Center Scheduler Service (ehSched) - Unknown owner - C:\WINDOWS\system\ehSched.exe
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe
O23 - Service: Windows Server Peer Verification Service (wspvs) - Unknown owner - C:\WINDOWS\system32\wspvs.exe
O24 - Desktop Component 0: (no name) - C:\WINDOWS\System32\ad.html

--
End of file - 8220 bytes

Shaba
2007-08-17, 09:10
Hi chaba

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
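Added here as an illustration, not part of the thread or of HijackThis itself: a small auditor for the O4 (autorun) and O23 (service) lines of a HijackThis log. It applies the checks a helper applies by eye to the log posted above: a program name that looks like a core Windows binary, a core binary run from the wrong directory, a bare filename resolved through PATH, a '?' in a path, use of the RunServices key, and a service with no vendor information in the system directory. The sample lines are copied from the log above; the thresholds and allowlists are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: O4 and O23 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] msvccl.exe
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
O23 - Service: Windows Server Peer Verification Service (wspvs) - Unknown owner - C:\WINDOWS\system32\wspvs.exe
"""

# Core Windows binaries that malware likes to impersonate, either by a lookalike
# name or by dropping a file with the real name outside system32 (assumed list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
LOOKALIKE_RATIO = 0.8   # assumed similarity threshold for "looks like" names

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def executable_of(cmd):
    """Return the program path from an O4 command line (quoted or not, with arguments)."""
    m = re.match(r'"?(?P<exe>.*?\.exe)', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split()[0]


def split_path(path):
    """Split a Windows path into (lowercased directory, lowercased basename)."""
    directory, _, base = path.lower().rpartition("\\")
    return directory, base


def audit_executable(path):
    """Checks shared by O4 and O23 entries; returns a list of human-readable reasons."""
    reasons = []
    directory, base = split_path(path)
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("path contains '?' or non-ASCII characters (lookalike folder or file name)")
    if not directory:
        reasons.append("bare filename, resolved through PATH at logon")
    if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        reasons.append(f"system binary name {base} run from {directory or 'unknown dir'}")
    else:
        for real in SYSTEM_BINARIES:
            if base != real and SequenceMatcher(None, base, real).ratio() >= LOOKALIKE_RATIO:
                reasons.append(f"name looks like {real}")
    return reasons


def audit_hjt(text):
    """Return [(line, [reasons])] for every O4/O23 line in a HijackThis log that needs a look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            reasons = audit_executable(executable_of(m["cmd"]))
            if m["key"].lower() == "runservices":
                # RunServices is a Windows 9x key; XP does not process it, so an
                # entry there is typically malware writing to every autorun key.
                reasons.append("RunServices key is not processed by Windows XP")
        elif m := O23_RE.match(line):
            reasons = audit_executable(m["path"])
            directory, _ = split_path(m["path"])
            if m["owner"] == "Unknown owner" and directory in SYSTEM_DIRS:
                reasons.append("service with no vendor info living in the system directory")
        else:
            continue
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged_line, why in audit_hjt(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

Entries the checks do not catch (sysems.exe in the sample) still need the usual file-property and search-engine look; the auditor only orders the list for a human reviewer.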

chaba
2007-08-17, 09:34
Shaba, thank you for replying to my post so soon...
I am aware of the threat and am planning to format my disk as soon as possible, but I do not have the time nor the resources for the time being, so any help with a partial solution to my problem would suit (it has to work just for one or two months). I am taking any risk if you are willing to help.


Regards....

Shaba
2007-08-17, 15:58
Hi

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

chaba
2007-08-17, 17:03
Hi,
I am sending new HijackThis and SDFix logs:


SDFix: Version 1.98

Run by nm on 17/08/2007 at 16:55

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DomainService
mshexdefx
MSWindows
runtime
wspvs

ImagePath:
C:\WINDOWS\System32\othfgcqv.exe /service
"C:\WINDOWS\system32\dllcache\ivchost.exe"
"C:\WINDOWS\System32\urdvxc.exe" /service
\??\C:\WINDOWS\System32\drivers\runtime.sys
C:\WINDOWS\system32\wspvs.exe

DomainService - Deleted
mshexdefx - Deleted
MSWindows - Deleted
runtime - Deleted
wspvs - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service runtime2 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\SYSTEM32\DLOAD.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSV.EXE - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\ams.exe - Deleted
C:\WINDOWS\system32\crypts.dll - Deleted
C:\WINDOWS\system32\dllcache\ivchost.exe - Deleted
C:\WINDOWS\system32\helperam1.exe - Deleted
C:\WINDOWS\system32\helpersscc.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\sscc.exe - Deleted
C:\WINDOWS\system32\TFTP756 - Deleted
C:\WINDOWS\system32\urdvxc.exe - Deleted
C:\WINDOWS\system32\wspvs.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\wspvs.exe"="C:\\WINDOWS\\system32\\wspvs.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\System32\\Ati2evxx.exe"="C:\\WINDOWS\\System32\\Ati2evxx.exeC:\\WINDOWS\\System32\\Ati2evxx.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\System32\\mmdmm.exe"="C:\\WINDOWS\\System32\\mmdmm.exeC:\\WINDOWS\\System32\\mmdmm.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\System32\\svcchosst.exe"="C:\\WINDOWS\\System32\\svcchosst.exeC:\\WINDOWS\\System32\\svcchosst.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\system32\\sscc.exe"="C:\\WINDOWS\\system32\\sscc.exeC:\\WINDOWS\\system32\\sscc.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exeC:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\system\\ehSched.exe"="C:\\WINDOWS\\system\\ehSched.exe:*:Enabled:Windows Configuration"
"\\??\\C:\\WINDOWS\\system32\\csrss.exe"="\\??\\C:\\WINDOWS\\system32\\csrss.exeC:\\WINDOWS\\system32\\csrss.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Common Files\\Teleca Shared\\Generic.exe"="C:\\Program Files\\Common Files\\Teleca Shared\\Generic.exeC:\\Program Files\\Common Files\\Teleca Shared\\Generic.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exeC:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\Mixer.exe"="C:\\WINDOWS\\Mixer.exeC:\\WINDOWS\\Mixer.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BTNtService.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BTNtService.exeC:\\Program Files\\IVT Corporation\\BlueSoleil\\BTNtService.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\ASUSKBService.exe"="C:\\WINDOWS\\ASUSKBService.exeC:\\WINDOWS\\ASUSKBService.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\System32\\urdvxc.exe"="C:\\WINDOWS\\System32\\urdvxc.exeC:\\WINDOWS\\System32\\urdvxc.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exeC:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exeC:\\WINDOWS\\system32\\services.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe"="C:\\Program Files\\LogMeIn\\LogMeInSystray.exeC:\\Program Files\\LogMeIn\\LogMeInSystray.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exeC:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindService.exe"="C:\\Program Files\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindService.exeC:\\Program Files\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindService.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\system32\\wscvs.exe"="C:\\WINDOWS\\system32\\wscvs.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exeC:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exeC:\\WINDOWS\\system32\\lsass.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe"="C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exeC:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\System32\\svchost.exeC:\\WINDOWS\\System32\\svchost.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\QuickTime\\QTTask.exe"="C:\\Program Files\\QuickTime\\QTTask.exeC:\\Program Files\\QuickTime\\QTTask.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"="C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exeC:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\System32\\HPBPRO.EXE"="C:\\WINDOWS\\System32\\HPBPRO.EXEC:\\WINDOWS\\System32\\HPBPRO.EXE:*:Enabled:Windows Server Peer Verification Service"
"C:\\Program Files\\FileMaker\\FileMaker Server 5.5\\Fmserver.exe"="C:\\Program Files\\FileMaker\\FileMaker Server 5.5\\Fmserver.exeC:\\Program Files\\FileMaker\\FileMaker Server 5.5\\Fmserver.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\System32\\fuiarsnh.exe"="C:\\WINDOWS\\System32\\fuiarsnh.exeC:\\WINDOWS\\System32\\fuiarsnh.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\PROGRAM FILES\\FAXTALK COMMUNICATOR\\FAPIEXE.EXE"="C:\\PROGRAM FILES\\FAXTALK COMMUNICATOR\\FAPIEXE.EXEFAPIEXE.EXE:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\system32\\sysems.exe"="C:\\WINDOWS\\system32\\sysems.exeC:\\WINDOWS\\system32\\sysems.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\System32\\ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exeC:\\WINDOWS\\System32\\ctfmon.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"="C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exeC:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\system32\\dllcache\\ivchost.exe"="C:\\WINDOWS\\system32\\dllcache\\ivchost.exeC:\\WINDOWS\\system32\\dllcache\\ivchost.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\system32\\savedump.exe"="C:\\WINDOWS\\system32\\savedump.exeC:\\WINDOWS\\system32\\savedump.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exeC:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exeC:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\System32\\wuauclt.exe"="C:\\WINDOWS\\System32\\wuauclt.exeC:\\WINDOWS\\System32\\wuauclt.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\System32\\lbwrwled.exe"="C:\\WINDOWS\\System32\\lbw"
"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"="C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exeC:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXEC:\\WINDOWS\\Explorer.EXE:*:Enabled:Windows Server Client Verification Service"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exewinlogon.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\WINDOWS\\System32\\othfgcqv.exe"="C:\\WINDOWS\\System32\\oth"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\nm\Local Settings\Application Data\Microsoft\Messenger\emir_chaba@hotmail.com\Sharing Folders\aidaomerika@hotmail.com\Thumbs.db
C:\Documents and Settings\nm\Local Settings\Application Data\Microsoft\Messenger\emir_chaba@hotmail.com\Sharing Folders\jasminahadzic-gluhic@hotmail.com\Thumbs.db
C:\Documents and Settings\nm\Local Settings\Application Data\Microsoft\Messenger\emir_chaba@hotmail.com\SharingMetadata\mirna.strinic@hotmail.com\DFSR\ConflictDelete\mirna-{0F81E795-DE58-4DF0-935F-07C5B6F1C86A}-v23\Thumbs.db
C:\WINDOWS\system\ehSched.exe
C:\WINDOWS\system32\helpersysems.exe
C:\WINDOWS\system32\sysems.exe
C:\WINDOWS\system32\wscvs.exe
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\LastGood.Tmp\INF\dxbda.inf
C:\WINDOWS\LastGood.Tmp\INF\dxbda.PNF
C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.inf
C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.PNF
C:\WINDOWS\LastGood.Tmp\INF\dxxp.inf
C:\WINDOWS\LastGood.Tmp\INF\dxxp.PNF
C:\WINDOWS\LastGood.Tmp\INF\hdaudbus.inf
C:\WINDOWS\LastGood.Tmp\INF\hdaudbus.PNF
C:\WINDOWS\LastGood.Tmp\INF\hdaudio.inf
C:\WINDOWS\LastGood.Tmp\INF\hdaudio.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem2.inf
C:\WINDOWS\LastGood.Tmp\INF\oem2.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem3.inf
C:\WINDOWS\LastGood.Tmp\INF\oem3.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\WINDOWS\Temp\wsc1.tmp
C:\WINDOWS\Temp\wsc2.tmp
C:\WINDOWS\Temp\wsc3.tmp
C:\WINDOWS\Temp\wsc4.tmp
C:\WINDOWS\Temp\wsc5.tmp
C:\WINDOWS\Temp\wsc6.tmp

Finished


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03:24, on 17/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ASUSKBService.exe
C:\WINDOWS\system\ehSched.exe
C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscvs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\sysems.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\HPBPRO.EXE
C:\Documents and Settings\nm\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020307 serial=DR12CUS-2178927-HVQ lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Windows Server Client Verification Service] "C:\WINDOWS\system32\wscvs.exe" *
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{86C17F17-51A5-4816-8CF8-2783079DA9E9}: NameServer = 195.222.32.10,195.222.32.20
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Media Center Scheduler Service (ehSched) - Unknown owner - C:\WINDOWS\system\ehSched.exe
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe
O24 - Desktop Component 0: (no name) - C:\WINDOWS\System32\ad.html

--
End of file - 7288 bytes


TNX
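Added as an illustration, not part of the thread or of SDFix: a checker for the "Authorized Application Key Export" in the SDFix report above. Each value under that key is expected to have the form path:*:Enabled:Display Name; the checker flags values that are truncated, values where the path is written twice, core Windows processes that have been given an application exception, and one display name shared by many unrelated programs. The sample lines are copied from the export above, except the Skype.exe line, which is a constructed clean entry; the core-process list and the sharing threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the SDFix "Authorized Application Key
# Export" above (.reg syntax, backslashes doubled), plus one constructed clean entry.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\wspvs.exe"="C:\\WINDOWS\\system32\\wspvs.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exeC:\\WINDOWS\\system32\\lsass.exe:*:Enabled:Windows Server Client Verification Service"
"\\??\\C:\\WINDOWS\\system32\\csrss.exe"="\\??\\C:\\WINDOWS\\system32\\csrss.exeC:\\WINDOWS\\system32\\csrss.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"="C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exeC:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe:*:Enabled:Windows Server Client Verification Service"
"C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exeC:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\system32\\sysems.exe"="C:\\WINDOWS\\system32\\sysems.exeC:\\WINDOWS\\system32\\sysems.exe:*:Enabled:Windows Server Peer Verification Service"
"C:\\WINDOWS\\System32\\lbwrwled.exe"="C:\\WINDOWS\\System32\\lbw"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
'''

# Core OS processes that are normally never listed as firewall application
# exceptions (assumed list; Windows uses port exceptions for its own services).
CORE_OS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
           "svchost.exe", "spoolsv.exe", "explorer.exe", "savedump.exe", "wuauclt.exe"}

ENTRY_RE = re.compile(r'^"(?P<key>.*?)"="(?P<value>.*)"$')


def unescape(s):
    """Undo the backslash doubling of .reg syntax."""
    return s.replace("\\\\", "\\")


def parse_export(text):
    """Yield (exe_path, raw_value) pairs from a .reg-style export of the list key."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield unescape(m["key"]), unescape(m["value"])


def split_value(value):
    """Split 'path:*:Enabled:Name' into (path, mode, name); None if malformed."""
    path, sep, rest = value.partition(":*:")
    if not sep or ":" not in rest:
        return None
    mode, _, name = rest.partition(":")
    return path, mode, name


def audit_firewall_list(text, shared_name_threshold=3):
    """Return [(exe_path, [reasons])] for entries that deserve a second look."""
    entries = list(parse_export(text))
    # How many distinct executables carry each display name; malware that adds
    # exceptions wholesale tends to reuse one invented name for all of them.
    name_count = Counter(v[2] for _, raw in entries if (v := split_value(raw)))
    findings = []
    for key, raw in entries:
        reasons = []
        parsed = split_value(raw)
        if parsed is None:
            reasons.append("value is not 'path:*:mode:name' (truncated or corrupt)")
        else:
            path, mode, name = parsed
            if path.lower() != key.lower():
                reasons.append("path inside value differs from key (path written twice)")
            if name_count[name] >= shared_name_threshold:
                reasons.append(f"display name {name!r} shared by {name_count[name]} programs")
        if key.lower().rpartition("\\")[2] in CORE_OS:
            reasons.append("core OS process; these are normally not in the application list")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    for exe, why in audit_firewall_list(SAMPLE_EXPORT):
        print(exe)
        for reason in why:
            print("   ->", reason)
```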

Shaba
2007-08-17, 17:08
Hi

Next step is to install antivirus and firewall.

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
3) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
4) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

After that:

Create a folder of its own for HijackThis on the desktop and move it into that folder

Rename HijackThis.exe to scanner.exe

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report

chaba
2007-08-17, 19:30
Hi,

I installed the recommended programs (ZoneA and AVG) and found nearly 700 threats...

Posting new Hijack and Combofix log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:28:29, on 17/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\ASUSKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system\ehSched.exe
C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\nm\Desktop\HijackThis\scanner.exe
C:\WINDOWS\System32\HPBPRO.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02A3397F-413B-4DA7-803A-18D957BE20BC} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E5393B7-D4DB-4CD3-8449-9E66E379DDE6} - C:\WINDOWS\System32\fdfienao.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020307 serial=DR12CUS-2178927-HVQ lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Windows Server Client Verification Service] "C:\WINDOWS\system32\wscvs.exe" *
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{86C17F17-51A5-4816-8CF8-2783079DA9E9}: NameServer = 195.222.32.10,195.222.32.20
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Media Center Scheduler Service (ehSched) - Unknown owner - C:\WINDOWS\system\ehSched.exe
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\WINDOWS\System32\ad.html

--
End of file - 8343 bytes


ComboFix 07-08-14.4 - "nm" 2007-08-17 19:22:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.308 [GMT 2:00]


((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))


2007-08-17 17:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-17 17:22 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-17 17:22 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-17 17:22 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-17 17:22 34,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-17 17:22 2,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-17 17:22 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-08-17 17:22 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-17 17:22 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-17 16:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-16 12:07 <DIR> d-------- C:\VundoFix Backups
2007-08-09 09:02 31,232 -r-hs---- C:\WINDOWS\system\ehSched.exe
2007-08-07 20:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sony Ericsson
2007-08-07 20:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\FileMaker
2007-08-07 10:17 13,825 --a------ C:\WINDOWS\system32\msninfo.dll
2007-08-04 07:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-04 07:32 142,220 --a------ C:\DOCUME~1\nm\grg.exe
2007-07-24 15:47 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-07-24 15:46 <DIR> d-------- C:\lj1010seriesprintsys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-17 17:43 --------- d-------- C:\DOCUME~1\nm\APPLIC~1\Skype
2007-08-17 17:25 1484 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-17 17:25 1316 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-16 20:19 --------- d-------- C:\Program Files\Common Files\Teleca Shared
2007-08-16 20:11 --------- d-------- C:\Program Files\QuickTime
2007-08-16 20:09 --------- d-------- C:\Program Files\Joost
2007-08-16 20:07 --------- d-------- C:\DOCUME~1\nm\APPLIC~1\Lavasoft
2007-08-09 09:03 --------- d-------- C:\Program Files\MSN Messenger
2007-07-26 07:47 --------- d-------- C:\Program Files\Winamp
2007-06-23 17:43 --------- d-------- C:\Program Files\MultiCalendarV3
2007-06-23 17:43 --------- d-------- C:\Program Files\Agenda At Once
2007-06-23 11:28 --------- d-------- C:\DOCUME~1\nm\APPLIC~1\Teleca
2007-06-23 11:20 --------- d-------- C:\DOCUME~1\nm\APPLIC~1\Sony Ericsson
2007-03-21 14:45:13 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02A3397F-413B-4DA7-803A-18D957BE20BC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E5393B7-D4DB-4CD3-8449-9E66E379DDE6}]
C:\WINDOWS\System32\fdfienao.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 C:\WINDOWS\system32\HdAShCut.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"C-Media Mixer"="Mixer.exe" [2003-03-20 08:21 C:\WINDOWS\mixer.exe]
"CallControl 4.5"="C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" [2001-10-02 03:39]
"CorelDRAW Graphics Suite 11b"="E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30]
"sysmss"="C:\WINDOWS\system32\sysems.exe" []
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"Windows Server Client Verification Service"="C:\WINDOWS\system32\wscvs.exe" []
"LogMeIn GUI"="C:\Program Files\LogMeIn\LogMeInSystray.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" []
"msvccc66"="svcchosst.exe" []
"mmsass"="mmdmm.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 18:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:41]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" []
"Muud"="C:\WINDOWS\System32\CURITY~1\services.exe" []
"Hscmzv"="C:\Program Files\S?mantec\?ervices.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-28 14:52]
"sysmss"="C:\WINDOWS\system32\sysems.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"msvccc66"=svcchosst.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Server Peer Verification Service"="C:\WINDOWS\system32\wspvs.exe" *
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"Windows Server Client Verification Service"="C:\WINDOWS\system32\wscvs.exe" *

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\WINDOWS\System32\ad.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

R0 a347bus;a347bus;C:\WINDOWS\System32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINDOWS\System32\Drivers\a347scsi.sys
R2 FileMaker Server;FileMaker Server;"C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe"
S2 wscvs;Windows Server Client Verification Service;C:\WINDOWS\system32\wscvs.exe
S3 AEAudioService;AEAudio Service;C:\WINDOWS\System32\drivers\AEAudio.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\fetnd5.sys
S3 LMImirr;LMImirr;C:\WINDOWS\System32\DRIVERS\LMImirr.sys
S3 SenFiltService;SenFilt Service;C:\WINDOWS\System32\drivers\Senfilt.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 19:25:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-17 19:25:57
C:\ComboFix-quarantined-files.txt ... 2007-08-17 19:25

--- E O F ---

Shaba
2007-08-17, 19:45
Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Documents and Settings\nm\grg.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

chaba
2007-08-20, 15:29
Sorry for not answering before...
Anyway posting requested...

Antivirus Version Last Update Result
AhnLab-V3 2007.8.18.0 2007.08.20 -
AntiVir 7.4.1.62 2007.08.20 TR/Crypt.PCMM.Gen
Authentium 4.93.8 2007.08.17 -
Avast 4.7.1029.0 2007.08.20 Win32:Crypt-SU
AVG 7.5.0.484 2007.08.19 -
BitDefender 7.2 2007.08.20 Trojan.Agent.ABJH
CAT-QuickHeal 9.00 2007.08.20 (Suspicious) - DNAScan
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.20 BackDoor.Mailbot
eSafe 7.0.15.0 2007.08.16 Win32.Spybot
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.19 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.20 -
F-Prot 4.3.2.48 2007.08.17 -
F-Secure 6.70.13030.0 2007.08.20 -
Ikarus T3.1.1.12 2007.08.20 Trojan.Agent.ABJH
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5100 2007.08.17 -
Microsoft 1.2803 2007.08.20 -
NOD32v2 2470 2007.08.19 -
Norman 5.80.02 2007.08.20 -
Panda 9.0.0.4 2007.08.19 Generic Malware
Prevx1 V2 2007.08.20 Generic.Malware
Rising 19.36.60.00 2007.08.19 Packer.Mian007
Sophos 4.20.0 2007.08.12 Mal/Packer
Sunbelt 2.2.907.0 2007.08.18 VIPRE.Suspicious
Symantec 10 2007.08.20 W32.Spybot.Worm
TheHacker 6.1.8.170 2007.08.17 -
VBA32 3.12.2.2 2007.08.20 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Crypt.PCMM.Gen

Shaba
2007-08-20, 17:04
Hi

Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)

Unzip it to the desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on the desktop.

C:\Documents and Settings\nm\grg.exe

Go to spykiller (http://www.thespykiller.co.uk/index.php?PHPSESSID=d65884362fbc872b70e1a9a9a7e13700&board=1.0)

Press new topic, make the thread's title "Files for Shaba"
Include in your message a link to here, then attach the cab/zip file to your message and post the topic.
If you can't locate it through the browse button, just copy/paste the filename and path.

Reply after that here and we'll continue :)

chaba
2007-08-20, 18:20
I obeyed my master :)

But I can continue tomorrow if it is not a problem for you...

Tnx a lot for time and effort...

Shaba
2007-08-20, 18:27
Hi

Thanks :)

Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. Press 1 and enter. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

chaba
2007-08-21, 08:48
This is all that came up...



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 21/08/2007
The current time is: 8:46:49,79


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Shaba
2007-08-21, 09:15
Hi

Well that's a good sign :)

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02A3397F-413B-4DA7-803A-18D957BE20BC} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E5393B7-D4DB-4CD3-8449-9E66E379DDE6} - C:\WINDOWS\System32\fdfienao.dll (file missing)
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
O4 - HKCU\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O20 - AppInit_DLLs:
O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\WINDOWS\System32\ad.html <--- unless you have set it by yourself

Close all windows including browser and press fix checked.

Reboot

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
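As an added example (not part of this thread, HijackThis or any other tool used here), the selection above can be written down as a small triage script. Its rules are assumptions distilled from the checked entries: targets shown as "(no file)"/"(file missing)", Run entries that launch a bare file name, paths holding a character Windows never allows (the "?" in S?mantec), core system binaries outside the Windows directories, an AppInit_DLLs value shown empty, a start page reset to about:blank, and a desktop component served from a local HTML file. The allowlist is constructed, and the sample lines are a subset of the log posted earlier in the thread; an entry that looks wrong only by its name (sysems.exe) is deliberately not guessed at, since that needs a hash lookup like the Jotti scan above.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread, not code from HijackThis or any other tool
used here.  Every rule below is an assumption distilled from the entries the
helper asked to have fixed; name-only judgements (sysems.exe) are left to a
human or a hash lookup on purpose.
"""
import re

# Constructed allowlist: bare-name Run entries on this machine whose binaries
# are known-good and live under C:\WINDOWS, so they resolve through PATH.
BARE_NAME_ALLOWLIST = {"hdashcut.exe", "mixer.exe"}

# Core Windows binaries; a copy anywhere but the Windows directories is suspect.
CORE_BINARIES = {"services.exe", "svchost.exe", "smss.exe", "lsass.exe",
                 "winlogon.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

_ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")
_O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?=\s|$)', re.IGNORECASE)
_MISSING_RE = re.compile(r"\s*\((?:no file|file missing)\)$")


def executable_of(cmd: str) -> str:
    """Program launched by an O4 command, with quotes, arguments and the
    trailing "(User '...')" annotation removed."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd.strip())
    m = _EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.strip('"').split(" ")[0]


def target_of(line: str) -> str:
    """File or value an entry points at: the O4 executable, the right-hand
    side of an "x = y" entry, or otherwise the last " - " separated field."""
    m = _O4_RE.match(line)
    if m:
        return executable_of(m.group("cmd"))
    target = line.split(" - ")[-1]
    if " = " in target:                 # R0/R1 start pages, Global Startup .lnk
        target = target.split(" = ", 1)[1]
    elif target.endswith(":"):          # "O20 - AppInit_DLLs:" with an empty value
        target = ""
    return _MISSING_RE.sub("", target)


def triage(line: str) -> list:
    """Reasons (possibly none) why one HijackThis entry deserves a look."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    target = target_of(line)
    parts = target.rsplit("\\", 1)
    name = parts[-1].lower()
    parent = parts[0].lower() if len(parts) == 2 else ""
    reasons = []
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("points at a file that no longer exists")
    if "?" in target:
        reasons.append("path holds a character Windows never allows: a lookalike glyph")
    if section == "O4" and name and len(parts) == 1 and name not in BARE_NAME_ALLOWLIST:
        reasons.append("bare file name with no directory, resolved through PATH")
    if name in CORE_BINARIES and parent not in SYSTEM_DIRS:
        reasons.append("copy of a core system binary outside the Windows directory")
    if section == "O20" and target == "":
        reasons.append("AppInit_DLLs value is present but shown empty")
    if section in ("R0", "R1") and target.lower() == "about:blank":
        reasons.append("start page reset to about:blank, a common hijack leftover")
    if section == "O24" and parent.startswith(r"c:\windows"):
        reasons.append("desktop component served from a local HTML file in the Windows directory")
    return reasons


def triage_log(text: str) -> list:
    """(line, reasons) for every flagged entry in a pasted log."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if _ENTRY_RE.match(line):
            reasons = triage(line)
            if reasons:
                flagged.append((line, reasons))
    return flagged


# Constructed sample: a subset of the log posted in this thread, benign
# entries included so the rules can be seen leaving them alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02A3397F-413B-4DA7-803A-18D957BE20BC} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - AppInit_DLLs:
O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\WINDOWS\System32\ad.html
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   ->", reason)
```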

chaba
2007-08-21, 11:41
As requested...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:14, on 21/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\ASUSKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system\ehSched.exe
C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\FileMaker\FileMaker Pro 6\FileMaker Pro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\nm\Desktop\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020307 serial=DR12CUS-2178927-HVQ lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Windows Server Client Verification Service] "C:\WINDOWS\system32\wscvs.exe" *
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86C17F17-51A5-4816-8CF8-2783079DA9E9}: NameServer = 195.222.32.10,195.222.32.20
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Media Center Scheduler Service (ehSched) - Unknown owner - C:\WINDOWS\system\ehSched.exe
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe (file missing)

--
End of file - 7922 bytes

chaba
2007-08-21, 11:43
I can not post the whole Kaspersky report because it is too long...

Shaba
2007-08-21, 12:46
Hi

You can edit out all lines with object locked skipped; the size should reduce significantly :)

chaba
2007-08-21, 13:36
Done it, but it is still too big...
It can't be put in even three posts...
Anyway, could I rar it and attach it somewhere?

chaba
2007-08-21, 13:38
Here I put it on RapidShare... Hope it is OK

http://rapidshare.com/files/50317087/kaspersky.html

Shaba
2007-08-21, 16:19
Hi

Upload this file to virustotal like before and post back results, please :)

C:\WINDOWS\Web\tip.htm

Delete also this file:

C:\DOCUME~1\nm\grg.exe

chaba
2007-08-21, 18:18
Here are the results....

grg.exe deleted...

Antivirus Version Last Update Result
AhnLab-V3 2007.8.22.0 2007.08.21 -
AntiVir 7.4.1.62 2007.08.21 -
Authentium 4.93.8 2007.08.20 -
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 -
BitDefender 7.2 2007.08.21 -
CAT-QuickHeal 9.00 2007.08.21 -
ClamAV 0.91 2007.08.21 -
DrWeb 4.33 2007.08.21 -
eSafe 7.0.15.0 2007.08.20 -
eTrust-Vet 31.1.5076 2007.08.21 HTML/Mallar
Ewido 4.0 2007.08.21 -
FileAdvisor 1 2007.08.21 -
Fortinet 2.91.0.0 2007.08.21 -
F-Prot 4.3.2.48 2007.08.20 -
F-Secure 6.70.13030.0 2007.08.21 Net-Worm.Win32.Allaple.a
Ikarus T3.1.1.12 2007.08.21 -
Kaspersky 4.0.2.24 2007.08.21 Net-Worm.Win32.Allaple.a
McAfee 5101 2007.08.20 W32/RAHack!htm
Microsoft 1.2803 2007.08.21 Virus:HTML/Allaple.A
NOD32v2 2473 2007.08.21 Win32/Allaple.Gen
Norman 5.80.02 2007.08.21 -
Panda 9.0.0.4 2007.08.21 HTML/Instancob.A
Rising 19.37.12.00 2007.08.21 -
Sophos 4.20.0 2007.08.21 -
Sunbelt 2.2.907.0 2007.08.21 -
Symantec 10 2007.08.21 -
TheHacker 6.1.8.171 2007.08.21 W32/NetApple
VBA32 3.12.2.2 2007.08.21 -
VirusBuster 4.3.26:9 2007.08.21 -
Webwasher-Gateway 6.0.1 2007.08.21 -

Shaba
2007-08-21, 19:07
Hi

Ok, those all are bad.

You might need to uninstall & re-install some programs.

Do you also have a Windows CD (you may need a repair installation, as some of Windows' own html files have been replaced)?

chaba
2007-08-22, 10:53
Huh...
I do have some Windows CDs, but the installed version is SP1 Professional, and I have SP2 Professional and SP1 Home Edition...
The noobs from whom my company bought the PC didn't give any CDs with it, so I guess I am forced to find an SP1 Professional edition?

Shaba
2007-08-22, 16:47
Hi

Well some windows help html files have been replaced.

If you don't need them, I can just give you a list of those which need to be deleted.

chaba
2007-08-22, 17:44
How could I know if I need them?
And is it possible to copy these files from another, healthy, PC?

Shaba
2007-08-22, 18:36
Hi

Yes, it is :)

Check the Kaspersky report and copy all infected html files in this directory from the clean PC to that one.

C:\WINDOWS\PCHealth\HelpCtr

Also these if found:

C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Citrus Punch.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Clear Day.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Fiesta.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Glacier.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Ivy.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Leaves.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Maize.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Nature.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Network Blitz.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Pie Charts.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Sunflower.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Sweets.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Common Files\Microsoft Shared\Stationery\Technical.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\WINDOWS\Web\tip.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\WINDOWS\Help\ciadmin.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\snd.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\contents.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\Microsoft Office\OFFICE11\1033\TOUR.HTM Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\MSN\MSNCoreFiles\msnread.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Program Files\NetMeeting\netmeet.htm Infected: Net-Worm.Win32.Allaple.a skipped

Uninstall & re-install these programs:

FileMaker Pro 6
CyberLink PowerDVD
Adobe Photoshop CS

Empty these folders:

C:\Documents and Settings\nm\Application Data\Opera\Opera\profile\cache4\
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
C:\QooBox\Quarantine\
C:\VundoFix Backups\

Empty Recycle Bin

Re-scan with Kaspersky

Post:

- a fresh HijackThis log
- Kaspersky report
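Shaba's "copy the infected html from a clean PC" step, as an added example that is not part of the thread: a Python script that parses the Kaspersky "Infected: ... skipped" lines, copies each file's counterpart from a mirror of a healthy machine, and reports files that have no clean copy (those need install media). The report excerpt, file contents and directory layout are constructed.

```python
import re, shutil, tempfile
from pathlib import Path
# A Kaspersky finding line as quoted in the thread: "<path> Infected: <name> skipped".
REPORT_LINE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+skipped\s*$")
# Constructed excerpt in that format (sample data, not the real report).
SAMPLE_REPORT = """\
C:\\WINDOWS\\Web\\tip.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\\WINDOWS\\system32\\drivers\\etc\\hosts Object is locked skipped
C:\\Program Files\\NetMeeting\\netmeet.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\\WINDOWS\\Help\\ciadmin.htm Infected: Net-Worm.Win32.Allaple.a skipped
"""

def infected_paths(report_text):
    """File paths flagged as infected, in report order; locked/other lines are ignored."""
    return [m.group("path") for m in map(REPORT_LINE.match, report_text.splitlines()) if m]
def restore_from_clean(paths, infected_root, clean_root, drive="C:\\"):
    """Overwrite each listed file with its counterpart under a mirror of the clean PC.
    No counterpart -> reported missing (needs install media); byte-identical -> left alone."""
    result = {"restored": [], "missing": [], "unchanged": []}
    for win_path in paths:
        rel = win_path.split(drive, 1)[-1].replace("\\", "/")   # C:\a\b.htm -> a/b.htm
        target, source = infected_root / rel, clean_root / rel
        if not source.is_file():
            result["missing"].append(win_path)
        elif target.is_file() and target.read_bytes() == source.read_bytes():
            result["unchanged"].append(win_path)
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source, target)
            result["restored"].append(win_path)
    return result

def demo():
    # Constructed infected/clean tree in a temp directory, one file per outcome.
    root = Path(tempfile.mkdtemp())
    infected, clean = root / "infected", root / "clean"
    good = b"<html><body>Tip of the day</body></html>"
    bad = good + b"<!-- constructed stand-in for injected markup -->"
    for rel, inf_body, clean_body in [
        ("WINDOWS/Web/tip.htm", bad, good),                    # differs -> restored
        ("Program Files/NetMeeting/netmeet.htm", good, good),  # identical -> unchanged
        ("WINDOWS/Help/ciadmin.htm", bad, None),               # no clean copy -> missing
    ]:
        for base, body in ((infected, inf_body), (clean, clean_body)):
            if body is not None:
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(body)
    outcome = restore_from_clean(infected_paths(SAMPLE_REPORT), infected, clean)
    outcome["tip_clean_now"] = (infected / "WINDOWS/Web/tip.htm").read_bytes() == good
    return outcome
```

Running it a second time against the same tree reports every file as unchanged or missing, so it is safe to rerun after the rescan Shaba asks for.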

chaba
2007-08-24, 12:49
Huh

FileMaker is the main problem. I do not have the installation of either the FileMaker client or the server, and both are running on my PC and are very important for my job. If I had these I would format my PC and make it all much easier...

For the time being the PC is working OK, a bit sloppy, but I can survive with this. As soon as I get the installation of these programs I am going to format it.

Tnx once again for all your help.

Shaba
2007-08-24, 18:01
Hi

Well, perform the other deletions then and skip FileMaker.

Shaba
2007-08-31, 18:31
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.