virtumonde infection
clamenza
2007-09-16, 01:36
At least that's what I first saw. Anyway, I ran Kaspersky Online and here's the log. I've also gone into WinXP Safe Mode and run Spybot till the system's clean, and then rebooted into Windows normally and ran HJT. Log's below also. Sadly it's still around, since I just denied a program via ZoneAlarm, and IE opened a page unprompted, although it was unreachable. Please help!
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 15, 2007 5:23:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 15/09/2007
Kaspersky Anti-Virus database records: 419002
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
E:\
F:\
G:\
Scan Statistics
Total number of scanned objects 69151
Number of viruses found 12
Number of infected objects 25
Number of suspicious objects 0
Duration of the scan process 01:18:57
Infected Object Name Virus Name Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\cert8.db Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\formhistory.dat Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\history.dat Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\key3.db Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\parent.lock Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\search.sqlite Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text/[From Tsee Yuan Lee ][Date Sun, 09 Apr 2006 01:30:45 -0400]/text/[From Tsee Yuan Lee ][Date Wed, 24 May 2006 08:10:15 -0400]/UNNAMED/[From Tsee Yuan Lee ][Date Fri, 30 Jun 2006 14:36:18 -0400]/eicar_com.zip/eicar.com Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text/[From Tsee Yuan Lee ][Date Sun, 09 Apr 2006 01:30:45 -0400]/text/[From Tsee Yuan Lee ][Date Wed, 24 May 2006 08:10:15 -0400]/UNNAMED/[From Tsee Yuan Lee ][Date Fri, 30 Jun 2006 14:36:18 -0400]/eicar_com.zip Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text/[From Tsee Yuan Lee ][Date Sun, 09 Apr 2006 01:30:45 -0400]/text/[From Tsee Yuan Lee ][Date Wed, 24 May 2006 08:10:15 -0400]/UNNAMED Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text/[From Tsee Yuan Lee ][Date Sun, 09 Apr 2006 01:30:45 -0400]/text Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent Mail Berkeley mbox: infected - 5 skipped
C:\Documents and Settings\tyl2\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.qle\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.qle\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.qle\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.qle\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\History\History.IE5\MSHist012007091520070916\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Temp\gosB.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\tyl2\Local Settings\Temp\NERO13390\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\tyl2\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Temporary Internet Files\Content.IE5\7CGKG1WK\WinAntiSpyware2007FreeInstall[1].cab/UWAS7_0001_N99M3108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\tyl2\Local Settings\Temporary Internet Files\Content.IE5\7CGKG1WK\WinAntiSpyware2007FreeInstall[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\tyl2\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\tyl2\ntuser.dat.LOG Object is locked skipped
C:\Program Files\iWon\iWonSlot\bin\cpltSetp.exe Infected: not-a-virus:AdWare.Win32.IWon skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Program Files\Mozy\Config\conf.dat Object is locked skipped
C:\Program Files\Mozy\Data\mozy.log Object is locked skipped
C:\Program Files\RealVNC\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\RealVNC\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Storage\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Storage\mirc617.exe mIRC: infected - 1 skipped
C:\Storage\RealVNC411.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Storage\RealVNC411.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Storage\RealVNC411.exe Inno: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TSEEYUAN.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5FD589F3-049F-4946-953A-9E592C014FBB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd7501.sys Object is locked skipped
C:\WINDOWS\system32\drvsiw.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hcrujhgk.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\kljrgtoh.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\urqrstu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xpdx.sys Object is locked skipped
C:\WINDOWS\system32\xxyaaww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\Temp\Perflib_Perfdata_64c.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT062b2.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT079fa.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\xcmigi.exe Infected: Trojan-Downloader.Win32.VB.bip skipped
Scan process completed.
clamenza
2007-09-16, 01:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:32 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\mainserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozy\mozybackup.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\DOCUME~1\tyl2\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\stsystra.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://office.microsoft.com/en-us/officelive/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\rtwjmaof.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: APC UPS.lnk = ?
O4 - Global Startup: Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: Firefox.lnk = C:\Program Files\Mozilla\Firefox\firefox.exe
O4 - Global Startup: KeyText.lnk = C:\Program Files\Keytext\KeyText.exe
O4 - Global Startup: Mozy.lnk = C:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: NotePro.lnk = C:\Program Files\NotePro\NotePro.exe
O4 - Global Startup: RSI.lnk = ?
O4 - Global Startup: ZoneLabs.lnk = C:\Program Files\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JRE\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JRE\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145849467296
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\mainserv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFree\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFree\avgupsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7702 bytes
Hello and welcome to the Forums :)
You're infected.
Please disable WordWrap in Notepad, as otherwise the log is very irritating to read: Notepad -> Edit -> uncheck WordWrap.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
clamenza
2007-09-18, 02:20
ComboFix 07-09-14.2 - "tyl2" 2007-09-17 19:17:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.656 [GMT -4:00]
.
((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.
2007-09-17 19:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 12:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-15 11:52 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-15 11:03 15,360 --a------ C:\WINDOWS\system32\drvsiwr.dll
2007-09-10 23:04 <DIR> d-------- C:\Program Files\CPU-Z
2007-09-10 00:46 <DIR> d-------- C:\Program Files\RSIGuard
2007-09-10 00:46 <DIR> d-------- C:\Program Files\MAKEMSI Package Documentation
2007-09-10 00:44 <DIR> d-------- C:\temp
2007-09-05 18:50 21 --a------ C:\WINDOWS\clofghls.dll
2007-09-04 23:15 <DIR> d-------- C:\DOCUME~1\tyl2\APPLIC~1\Move Networks
2007-08-26 18:01 <DIR> d-------- C:\Program Files\Nero
2007-08-26 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-25 12:34 <DIR> d-------- C:\Program Files\NotePro
2007-08-20 09:52 <DIR> d-------- C:\Program Files\Second Sight Software
2007-08-17 23:00 <DIR> d-------- C:\Program Files\ZillaDataNuker
2007-08-17 22:31 69,632 --a------ C:\Program Files\Search Duplicate Files.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-17 19:16 --------- d-------- C:\DOCUME~1\tyl2\APPLIC~1\RSIGuard
2007-09-15 11:45 --------- d-------- C:\Program Files\Ad-Aware
2007-09-14 23:32 --------- d-------- C:\Program Files\FLVPlayer4Free
2007-09-14 20:47 --------- d-------- C:\DOCUME~1\tyl2\APPLIC~1\Azureus
2007-09-14 19:15 --------- d-------- C:\Program Files\Mozy
2007-09-07 00:42 --------- d-------- C:\Program Files\Azureus
2007-09-03 16:47 --------- d-------- C:\Program Files\IrfanView
2007-08-30 12:16 52728 --a------ C:\WINDOWS\system32\drivers\mozy.sys
2007-08-27 07:58 --------- d-------- C:\Program Files\AVGFree
2007-08-26 18:01 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-22 08:20 --------- d-------- C:\Program Files\mIRC
2007-08-21 22:48 11885 --a------ C:\Program Files\NotePro.ini
2007-08-12 16:03 --------- d-------- C:\Program Files\Microsoft.NET
2007-08-12 16:03 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-10 23:25 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-10 23:25 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-09 19:10 --------- d-------- C:\Program Files\Spybot
2007-08-07 21:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-07 13:49 --------- d-------- C:\Program Files\BFG
2007-08-06 22:12 --------- d-------- C:\Program Files\Oberon Media
2007-08-06 22:11 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-05 08:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Oberon Games
2007-07-31 09:10 --------- d-------- C:\Program Files\WinAce
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 23:42 --------- d-------- C:\Program Files\QuickTime
2007-07-19 23:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-19 23:41 --------- d-------- C:\Program Files\Apple Software Update
2007-07-19 23:41 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2006-07-07 01:42 319488 --a------ C:\Program Files\lame_enc.dll
2005-06-04 03:50 131072 --a------ C:\Program Files\AVIPreview.exe
2000-11-15 10:21 178688 --a------ C:\Program Files\hjsplit.exe
1999-09-12 11:28 395776 --a------ C:\Program Files\CHMAP.EXE
1998-04-10 18:09 291840 --a------ C:\Program Files\FVIEWER.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"MBMon"="CTMBHA.DLL" [2005-05-19 11:54 C:\WINDOWS\system32\CTMBHA.DLL]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 07:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 07:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 07:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 07:00]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"ZoneAlarm Client"="C:\Program Files\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 07:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
APC UPS.lnk - C:\Program Files\APC\Display.exe [2006-07-18 20:15:19]
Explorer.lnk - C:\WINDOWS\explorer.exe [2004-08-10 07:00:00]
Firefox.lnk - C:\Program Files\Mozilla\Firefox\firefox.exe [2006-04-22 17:16:27]
KeyText.lnk - C:\Program Files\Keytext\KeyText.exe [2006-04-22 17:52:38]
Mozy.lnk - C:\Program Files\Mozy\mozystat.exe [2007-05-09 22:30:11]
NotePro.lnk - C:\Program Files\NotePro\NotePro.exe [2003-05-22 04:09:50]
RSI.lnk - C:\Program Files\RSIGuard\RSIGuard.exe [2007-01-21 21:53:38]
ZoneLabs.lnk - C:\Program Files\ZoneAlarm\zlclient.exe [2006-04-22 19:33:45]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=0 (0x0)
"NoRecentDocsMenu"=01000000
"NoStrCmpLogical"=00000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljjj
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\bjmngvbg.dll",forkonce
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Reader\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"SetDefaultMIDI"=MIDIDef.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"SigmatelSysTrayApp"=stsystra.exe
"DeadAIM"=rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
R1 mozyFilter;mozyFilter;C:\WINDOWS\system32\DRIVERS\mozy.sys
R3 sigfilt;sigfilt;C:\WINDOWS\system32\drivers\sigfilt.sys
S3 AR5523;USB Dongle;C:\WINDOWS\system32\DRIVERS\ar5523.sys
S3 ATHFMWDL;Wireless predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 freenet-darknet-8888;Freenet 0.7 darknet-8888;"C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe" -s "C:\Program Files\Freenet\wrapper.conf"
S3 z520bus;Sony Ericsson 520 driver (WDM);C:\WINDOWS\system32\DRIVERS\z520bus.sys
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z520mdfl.sys
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\z520mdm.sys
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\z520mgmt.sys
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\z520obex.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deb85852-daa2-11da-a49a-001372c3d537}]
AutoRun\command- D:\.\JDSecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-03-06 13:48:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 19:20:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-17 19:21:05
C:\ComboFix-quarantined-files.txt ... 2007-09-17 19:20
.
--- E O F ---
Hi again, we'll continue :)
It seems that you've done some cleaning since the original HijackThis log.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe.
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):
REGEDIT4
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Open "My Computer" and delete the following files (if present):
C:\WINDOWS\system32\drvsiwr.dll
C:\WINDOWS\clofghls.dll
C:\WINDOWS\system32\bjmngvbg.dll
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the icon right below it and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.
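As an added example (not part of the helper's post above), here is a small Python script that parses the Fix.reg text exactly as it was given and decodes what it actually does: the hex(7) bytes 6d,73,76,31,5f,30,00,00 are the REG_MULTI_SZ string "msv1_0", the Windows XP default for Lsa\Authentication Packages, and the [-HKEY...] line deletes the SystemOptimizer msconfig entry. The script also checks the two formatting rules the post insists on (REGEDIT4 on the first line, one blank line at the end) and flags any extra authentication package. The "hijacked" sample value near the top is constructed for illustration; the thread never shows the victim's pre-fix value.

```python
"""Decode and sanity-check the REGEDIT4 fix quoted in the post above.

Added example, not part of the original thread. The fix text is the one the
helper posted; the "hijacked" value further down is constructed for
illustration only, since the thread never shows the victim's pre-fix value.
"""
import re

# The fix exactly as the helper asked for it to be typed: REGEDIT4 on the very
# first line and one blank line at the end, which the instructions insist on.
FIX_REG = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00\n'
    "\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
    "\\startupreg\\SystemOptimizer]\n"
    "\n"
)

# Constructed: what the same value looks like when a second package has been
# appended, here a DLL named like the one the helper had the poster delete.
HIJACKED_REG = FIX_REG.replace(
    "6d,73,76,31,5f,30,00,00",
    "6d,73,76,31,5f,30,00,62,6a,6d,6e,67,76,62,67,00,00",
)

# Windows XP ships with exactly one LSA authentication package, msv1_0 (NTLM).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_multi_sz(hex_list):
    """hex(7) in a REGEDIT4 file is REG_MULTI_SZ as ANSI bytes: each string
    is NUL-terminated and the whole list ends with one extra NUL."""
    data = bytes(int(b, 16) for b in hex_list.split(",") if b.strip())
    return [s.decode("latin-1") for s in data.split(b"\x00") if s]


def decode_value(raw):
    """Decode the right-hand side of a .reg value line (common types only)."""
    if raw.startswith("hex(7):"):
        return decode_multi_sz(raw[len("hex(7):"):])
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # other binary types are left as written


def parse_reg(text):
    """Return (problems, actions) for a REGEDIT4 file.

    problems: the two formatting mistakes the helper warns about.
    actions:  one dict per [key] section: key, delete flag, decoded values.
    """
    problems = []
    lines = text.split("\n")
    if lines[0] != "REGEDIT4":
        problems.append("first line must be REGEDIT4 with nothing before it")
    if not text.endswith("\n\n"):
        problems.append("file must end with one blank line")
    actions, current = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = {"key": m.group(2), "delete": m.group(1) == "-",
                       "values": {}}
            actions.append(current)
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current["values"][m.group(1)] = decode_value(m.group(2))
    return problems, actions


def unexpected_auth_packages(actions):
    """Names in Lsa\\Authentication Packages other than the XP default.

    Every DLL listed here is loaded into lsass.exe at boot, which is why a
    Virtumonde-style infection puts its own DLL there and why the fix writes
    the value back to just msv1_0.
    """
    for a in actions:
        if a["key"].lower().endswith("\\control\\lsa") and not a["delete"]:
            pkgs = a["values"].get("Authentication Packages", [])
            return [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return []


if __name__ == "__main__":
    problems, actions = parse_reg(FIX_REG)
    print("format problems:", problems or "none")
    for a in actions:
        print("DELETE key" if a["delete"] else "SET values in", a["key"],
              a["values"])
    print("unexpected packages after fix:", unexpected_auth_packages(actions))
    print("unexpected packages in constructed hijacked value:",
          unexpected_auth_packages(parse_reg(HIJACKED_REG)[1]))
```

Run it as a script to see the decoded actions; the same check can be pointed at a `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa` dump saved in REGEDIT4 format to confirm that only msv1_0 remains after the fix has been merged.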
clamenza
2007-09-19, 04:05
This is the first time I can boot the computer and not have to run combofix to make it usable again! Here are the Dr. Web and HJT logs.
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Moved.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.617;Moved.;
winvnc4.exe;C:\Program Files\RealVNC;Program.RemoteAdmin;Moved.;
wm_hooks.dll;C:\Program Files\RealVNC;Program.RemoteAdmin;Moved.;
ggunilnd.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
rfhxifxv.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:24 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\mainserv.exe
C:\Program Files\Mozy\mozybackup.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\DOCUME~1\tyl2\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://office.microsoft.com/en-us/officelive/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\JRE\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: APC UPS.lnk = ?
O4 - Global Startup: Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: Firefox.lnk = C:\Program Files\Mozilla\Firefox\firefox.exe
O4 - Global Startup: KeyText.lnk = C:\Program Files\Keytext\KeyText.exe
O4 - Global Startup: Mozy.lnk = C:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: NotePro.lnk = C:\Program Files\NotePro\NotePro.exe
O4 - Global Startup: RSI.lnk = ?
O4 - Global Startup: ZoneLabs.lnk = C:\Program Files\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JRE\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JRE\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145849467296
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\mainserv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFree\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFree\avgupsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7443 bytes
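As an added example (not part of the thread), here is a Python script that reads the Dr.Web CureIt report posted above in its native format (file;directory;threat name;action;) and sorts the hits the way a helper reading it would: real adware/trojan detections that CureIt moved or deleted, riskware (Dr.Web's Program.* and Tool.* names, which denote legitimate software such as mIRC, RealVNC and the SDFix helper Process.exe; the later Kaspersky scan calls the same files not-a-virus), and hits that sat inside another tool's quarantine folder (C:\qoobox is ComboFix's quarantine) and so were already neutralised. The grouping rules are this example's assumptions, not Dr.Web's own; the sample lines are the ones the poster attached.

```python
"""Triage the Dr.Web CureIt report (DrWeb.csv) posted above.

Added example, not part of the original thread. The sample lines are the
report the poster attached; the triage rules are this example's own
assumptions: Dr.Web names legitimate-but-abusable software "Program.*" or
"Tool.*" (the later Kaspersky scan calls the same files not-a-virus:...),
and a hit inside another tool's quarantine folder was already neutralised.
"""
import csv
import io

DRWEB_REPORT = """\
WxBug.EXE;C:\\Program Files\\AIM\\Sysfiles;Adware.Aws;Moved.;
MiniBugTransporter.dll;C:\\Program Files\\AWS\\WeatherBug;Adware.Aws;Moved.;
mirc.exe;C:\\Program Files\\mIRC;Program.mIRC.617;Moved.;
winvnc4.exe;C:\\Program Files\\RealVNC;Program.RemoteAdmin;Moved.;
wm_hooks.dll;C:\\Program Files\\RealVNC;Program.RemoteAdmin;Moved.;
ggunilnd.exe.vir;C:\\qoobox\\Quarantine\\C\\WINDOWS\\system32;Trojan.EzulaAd;Deleted.;
rfhxifxv.exe.vir;C:\\qoobox\\Quarantine\\C\\WINDOWS\\system32;Trojan.EzulaAd;Deleted.;
Process.exe;C:\\SDFix\\apps;Tool.Prockill;Moved.;
"""

RISKWARE_PREFIXES = ("Program.", "Tool.")
# C:\qoobox is ComboFix's quarantine; DoctorWeb\Quarantine is CureIt's own.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine", "\\doctorweb\\quarantine")


def parse_report(text):
    """Each line is file;directory;threat name;action; (trailing separator)."""
    rows = []
    for fields in csv.reader(io.StringIO(text), delimiter=";"):
        if len(fields) < 4:
            continue
        rows.append({"file": fields[0], "dir": fields[1],
                     "threat": fields[2], "action": fields[3].rstrip(".")})
    return rows


def classify(row):
    d = row["dir"].lower()
    if any(m in d for m in QUARANTINE_MARKERS):
        return "old-quarantine"   # already removed from its live location
    if row["threat"].startswith(RISKWARE_PREFIXES):
        return "riskware"         # legitimate tool; restore if it was wanted
    return "threat"               # adware/trojan that CureIt removed


def triage(text):
    """Group file names by category, preserving report order."""
    groups = {"threat": [], "riskware": [], "old-quarantine": []}
    for row in parse_report(text):
        groups[classify(row)].append(row["file"])
    return groups


if __name__ == "__main__":
    for row in parse_report(DRWEB_REPORT):
        print(f'{classify(row):14} {row["action"]:8} {row["threat"]:20} '
              f'{row["dir"]}\\{row["file"]}')
```

Riskware hits deserve a second look before anything is deleted: a VNC server the user installed is a remote-admin tool, but the same binary dropped by an attacker is a backdoor, and the report alone cannot tell the two apart.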
clamenza
2007-09-19, 04:06
Sorry, there's no part 2...
Hi :)
Ok it is looking quite good now.
So start up is fine - how is the computer running? Any other issues?
clamenza
2007-09-19, 19:37
no problems so far. I can't believe how fast my computer and internet are! :laugh: Thanks so much. Hopefully I won't have to bother you again!
You're very welcome, nice that we were able to help.
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
clamenza
2007-09-19, 21:16
I should've rebooted pc a few times first. Here's the ComboFix log (I have to run it to get back online). I'll post Kaspersky/HJT logs again asap, unless you want me to do something else.
ComboFix 07-09-14.2 - "tyl2" 2007-09-19 14:14:58.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.614 [GMT -4:00]
.
((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.
2007-09-18 19:43 <DIR> d-------- C:\DOCUME~1\tyl2\DoctorWeb
2007-09-18 13:30 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-18 13:28 <DIR> d-------- C:\DOCUME~1\tyl2\.housecall6.6
2007-09-17 19:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 12:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-15 11:52 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-10 23:04 <DIR> d-------- C:\Program Files\CPU-Z
2007-09-10 00:46 <DIR> d-------- C:\Program Files\RSIGuard
2007-09-10 00:46 <DIR> d-------- C:\Program Files\MAKEMSI Package Documentation
2007-09-10 00:44 <DIR> d-------- C:\temp
2007-09-04 23:15 <DIR> d-------- C:\DOCUME~1\tyl2\APPLIC~1\Move Networks
2007-08-26 18:01 <DIR> d-------- C:\Program Files\Nero
2007-08-26 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-25 12:34 <DIR> d-------- C:\Program Files\NotePro
2007-08-20 09:52 <DIR> d-------- C:\Program Files\Second Sight Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-19 14:12 --------- d-------- C:\DOCUME~1\tyl2\APPLIC~1\RSIGuard
2007-09-18 22:17 --------- d-------- C:\DOCUME~1\tyl2\APPLIC~1\Azureus
2007-09-18 20:57 --------- d-------- C:\Program Files\RealVNC
2007-09-18 19:35 --------- d-------- C:\Program Files\AVGFree
2007-09-15 11:45 --------- d-------- C:\Program Files\Ad-Aware
2007-09-14 23:32 --------- d-------- C:\Program Files\FLVPlayer4Free
2007-09-14 19:15 --------- d-------- C:\Program Files\Mozy
2007-09-07 00:42 --------- d-------- C:\Program Files\Azureus
2007-09-03 16:47 --------- d-------- C:\Program Files\IrfanView
2007-08-30 12:16 52728 --a------ C:\WINDOWS\system32\drivers\mozy.sys
2007-08-26 18:01 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-22 08:20 --------- d-------- C:\Program Files\mIRC
2007-08-21 22:48 11885 --a------ C:\Program Files\NotePro.ini
2007-08-17 23:00 --------- d-------- C:\Program Files\ZillaDataNuker
2007-08-12 16:03 --------- d-------- C:\Program Files\Microsoft.NET
2007-08-12 16:03 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-10 23:25 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-10 23:25 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-09 19:10 --------- d-------- C:\Program Files\Spybot
2007-08-07 21:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-07 13:49 --------- d-------- C:\Program Files\BFG
2007-08-06 22:12 --------- d-------- C:\Program Files\Oberon Media
2007-08-06 22:11 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-05 08:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Oberon Games
2007-07-31 09:10 --------- d-------- C:\Program Files\WinAce
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 23:42 --------- d-------- C:\Program Files\QuickTime
2007-07-19 23:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-19 23:41 --------- d-------- C:\Program Files\Apple Software Update
2007-07-19 23:41 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-04-04 09:38 69632 --a------ C:\Program Files\Search Duplicate Files.exe
2007-02-01 18:02 313344 --a------ C:\Program Files\hjsplit.exe
2006-07-07 01:42 319488 --a------ C:\Program Files\lame_enc.dll
2005-06-04 03:50 131072 --a------ C:\Program Files\AVIPreview.exe
1999-09-12 11:28 395776 --a------ C:\Program Files\CHMAP.EXE
1998-04-10 18:09 291840 --a------ C:\Program Files\FVIEWER.EXE
.
((((((((((((((((((((((((((((( snapshot_2007-09-18_ 84219.35 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 821,600 2007-09-18 13:13:05 C:\WINDOWS\system32\drivers\avg7core.sys
----atw 16,384 2007-09-19 18:13:52 C:\WINDOWS\temp\Perflib_Perfdata_620.dat
.
----a-w 821,536 2007-08-27 03:23:03 C:\WINDOWS\system32\drivers\avg7core.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"MBMon"="CTMBHA.DLL" [2005-05-19 11:54 C:\WINDOWS\system32\CTMBHA.DLL]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 07:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 07:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 07:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 07:00]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"ZoneAlarm Client"="C:\Program Files\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 06:20 C:\WINDOWS\stsystra.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
APC UPS.lnk - C:\Program Files\APC\Display.exe [2006-07-18 20:15:19]
Explorer.lnk - C:\WINDOWS\explorer.exe [2004-08-10 07:00:00]
Firefox.lnk - C:\Program Files\Mozilla\Firefox\firefox.exe [2006-04-22 17:16:27]
KeyText.lnk - C:\Program Files\Keytext\KeyText.exe [2006-04-22 17:52:38]
Mozy.lnk - C:\Program Files\Mozy\mozystat.exe [2007-05-09 22:30:11]
NotePro.lnk - C:\Program Files\NotePro\NotePro.exe [2003-05-22 04:09:50]
RSI.lnk - C:\Program Files\RSIGuard\RSIGuard.exe [2007-01-21 21:53:38]
ZoneLabs.lnk - C:\Program Files\ZoneAlarm\zlclient.exe [2006-04-22 19:33:45]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=0 (0x0)
"NoRecentDocsMenu"=01000000
"NoStrCmpLogical"=00000000
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Reader\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"SetDefaultMIDI"=MIDIDef.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"SigmatelSysTrayApp"=stsystra.exe
"DeadAIM"=rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
R1 mozyFilter;mozyFilter;C:\WINDOWS\system32\DRIVERS\mozy.sys
R3 sigfilt;sigfilt;C:\WINDOWS\system32\drivers\sigfilt.sys
S3 AR5523;USB Dongle;C:\WINDOWS\system32\DRIVERS\ar5523.sys
S3 ATHFMWDL;Wireless predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 freenet-darknet-8888;Freenet 0.7 darknet-8888;"C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe" -s "C:\Program Files\Freenet\wrapper.conf"
S3 z520bus;Sony Ericsson 520 driver (WDM);C:\WINDOWS\system32\DRIVERS\z520bus.sys
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z520mdfl.sys
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\z520mdm.sys
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\z520mgmt.sys
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\z520obex.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deb85852-daa2-11da-a49a-001372c3d537}]
AutoRun\command- D:\.\JDSecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-03-06 13:48:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 14:17:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-19 14:17:37
C:\ComboFix-quarantined-files.txt ... 2007-09-19 14:17
.
--- E O F ---
clamenza
2007-09-20, 02:44
KASPERSKY ONLINE SCANNER REPORT
Wednesday, September 19, 2007 7:49:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 19/09/2007
Kaspersky Anti-Virus database records: 420819
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
E:\
F:\
G:\
Scan Statistics
Total number of scanned objects 63502
Number of viruses found 4
Number of infected objects 11
Number of suspicious objects 0
Duration of the scan process 01:04:28
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\cert8.db Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\extensions\{6BFD307A-C040-11DA-9749-FB1C850B47DF}\db.sqlite Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\formhistory.dat Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\history.dat Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\key3.db Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\parent.lock Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\search.sqlite Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Mozilla\Firefox\Profiles\default.qle\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text/[From Tsee Yuan Lee ][Date Sun, 09 Apr 2006 01:30:45 -0400]/text/[From Tsee Yuan Lee ][Date Wed, 24 May 2006 08:10:15 -0400]/UNNAMED/[From Tsee Yuan Lee ][Date Fri, 30 Jun 2006 14:36:18 -0400]/eicar_com.zip/eicar.com Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text/[From Tsee Yuan Lee ][Date Sun, 09 Apr 2006 01:30:45 -0400]/text/[From Tsee Yuan Lee ][Date Wed, 24 May 2006 08:10:15 -0400]/UNNAMED/[From Tsee Yuan Lee ][Date Fri, 30 Jun 2006 14:36:18 -0400]/eicar_com.zip Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text/[From Tsee Yuan Lee ][Date Sun, 09 Apr 2006 01:30:45 -0400]/text/[From Tsee Yuan Lee ][Date Wed, 24 May 2006 08:10:15 -0400]/UNNAMED Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text/[From Tsee Yuan Lee ][Date Sun, 09 Apr 2006 01:30:45 -0400]/text Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent/[From Tsee Yuan Lee ][Date Tue, 17 Jan 2006 20:51:22 -0500]/text Infected: EICAR-Test-File skipped
C:\Documents and Settings\tyl2\Application Data\Thunderbird\Profiles\4pm4lxur.slt\Mail\Local Folders\Sent Mail Berkeley mbox: infected - 5 skipped
C:\Documents and Settings\tyl2\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\DoctorWeb\Quarantine\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Documents and Settings\tyl2\DoctorWeb\Quarantine\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Documents and Settings\tyl2\DoctorWeb\Quarantine\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.qle\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.qle\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.qle\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.qle\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\History\History.IE5\MSHist012007091920070920\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\tyl2\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tyl2\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\tyl2\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozy\Config\conf.dat Object is locked skipped
C:\Program Files\Mozy\Data\mozy.log Object is locked skipped
C:\Storage\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Storage\mirc617.exe mIRC: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TSEEYUAN.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{07488347-4680-4503-832B-5478B7357F1E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd7501.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_620.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
clamenza
2007-09-20, 03:22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:36 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\mainserv.exe
C:\Program Files\Mozy\mozybackup.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\DOCUME~1\tyl2\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://office.microsoft.com/en-us/officelive/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\JRE\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFree\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: APC UPS.lnk = ?
O4 - Global Startup: Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: Firefox.lnk = C:\Program Files\Mozilla\Firefox\firefox.exe
O4 - Global Startup: KeyText.lnk = C:\Program Files\Keytext\KeyText.exe
O4 - Global Startup: Mozy.lnk = C:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: NotePro.lnk = C:\Program Files\NotePro\NotePro.exe
O4 - Global Startup: RSI.lnk = ?
O4 - Global Startup: ZoneLabs.lnk = C:\Program Files\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JRE\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JRE\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145849467296
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\mainserv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFree\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFree\avgupsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7435 bytes
Hello :)
Ok what is back? Is Spybot S&D finding virtumonde again?
There is something...
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
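As an added illustration, not part of the thread, the following Python parser reads a REGEDIT4 fix file, checks the two layout rules the post states and lists what merging it would change, so a reader can confirm that the file above deletes only the DomainService value under that msconfig key before merging it. The sample text is constructed from the posted Fix.reg; the parser also understands [-KEY], string and dword lines, which the post does not use.

```python
# Added example (not from the thread): parse a REGEDIT4 .reg file and report what
# merging it would change. FIX_REG is constructed to match the Fix.reg posted above.
import re

FIX_REG = ("REGEDIT4\n\n"
           "[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]\n"
           '"DomainService"=-\n\n')

_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def check_layout(text):
    """Problems against the post's rules: REGEDIT4 on line 1, one blank line at the end."""
    problems = []
    if text.split("\n")[0] != "REGEDIT4":
        problems.append("first line must be REGEDIT4 (no blank lines before it)")
    if not text.endswith("\n\n") or text.endswith("\n\n\n"):
        problems.append("file must end with exactly one blank line")
    return problems


def parse_actions(text):
    """Turn each line into an action tuple: [-KEY] deletes a key, [KEY] creates it if
    absent, "Name"=- deletes one value, "Name"="s" / dword:hex set a value, @ = (Default)."""
    actions, key = [], None
    for raw in text.split("\n")[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                key = None
                actions.append(("delete_key", body[1:]))
            else:
                key = body
                actions.append(("ensure_key", key))
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            actions.append(("unparsed", line))
            continue
        name = "(Default)" if m.group("default") else m.group("name")
        data = m.group("data")
        if data == "-":
            actions.append(("delete_value", key, name))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            actions.append(("set_string", key, name, data[1:-1]))
        elif data.lower().startswith("dword:"):
            actions.append(("set_dword", key, name, int(data[6:], 16)))
        else:
            actions.append(("unsupported", key, name, data))
    return actions
```

Running `parse_actions(FIX_REG)` yields exactly one "ensure_key" and one "delete_value" action, which is the whole effect of the posted fix.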
clamenza
2007-09-20, 20:43
No, spybot didn't find anything. I guess it was a temporary internet connection problem which made it seem like the thing came back. I'll let you know if there's anything else.
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help