View Full Version : Virtumonde infected computer PLEASE HELP
Hi,
I ran Spybot S/D and it show's Virtumonde as having infected my computer. I reran Spybot after restarting and it still appeared.
Let me know if there is anything else you need. Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:04 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Interwise\Student\pull.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mercer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.mercer.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MXDA] C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [MMCAddinProtector] C:\Program Files\MMC\Office Automation\Protector\MMCAddinProtector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pjdqiqyh.dll",sitypnow
O4 - HKUS\S-1-5-18\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'Default user')
O4 - .DEFAULT User Startup: SetPowerScheme.lnk = C:\WINDOWS\system32\wscript.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O4 - Global Startup: Push Client.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.mercer.com
O15 - Trusted Zone: *.mercer.com
O15 - Trusted Zone: *.mercer.com (HKLM)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteje.html
--
End of file - 7699 bytes
THANKS!
Hi nahs003
Rename HijackThis.exe to nahs.exe and post back a fresh HijackThis log, please :)
Renamed to nahs.exe. Here is the new log (Thanks for the help!!)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:49 AM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Interwise\Student\pull.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\nahs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mercer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.mercer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {178D4E6A-BA5A-4ECB-8521-F7B8393FDB97} - C:\WINDOWS\system32\ddcbxyx.dll
O2 - BHO: 0 - {2F6CEAD2-3D30-479E-EAB9-D3CCE2EFFABD} - C:\Program Files\ComPlus Applications\quza.dll (file missing)
O2 - BHO: (no name) - {41B47DE5-B789-4D42-9585-0EEA42E45251} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65E8479F-B994-47B2-BFAA-16E881391317} - C:\Program Files\Outlook Express\menozuge4444.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\qfcwhtyx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {EC8FB64C-D6C9-4E4D-B1BD-2D6B430F949F} - C:\Program Files\Outlook Express\menozuge83122.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MXDA] C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [MMCAddinProtector] C:\Program Files\MMC\Office Automation\Protector\MMCAddinProtector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pjdqiqyh.dll",sitypnow
O4 - HKUS\S-1-5-18\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'Default user')
O4 - .DEFAULT User Startup: SetPowerScheme.lnk = C:\WINDOWS\system32\wscript.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O4 - Global Startup: Push Client.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.mercer.com
O15 - Trusted Zone: *.mercer.com
O15 - Trusted Zone: *.mercer.com (HKLM)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O20 - Winlogon Notify: ddcbxyx - C:\WINDOWS\SYSTEM32\ddcbxyx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteje.html
--
End of file - 8885 bytes
Hi
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post:
- a fresh HijackThis log
- combofix report
- vundofix report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:50, on 2007-10-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Interwise\Student\pull.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\nahs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mercer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.mercer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {2F6CEAD2-3D30-479E-EAB9-D3CCE2EFFABD} - C:\Program Files\ComPlus Applications\quza.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65E8479F-B994-47B2-BFAA-16E881391317} - C:\Program Files\Outlook Express\menozuge4444.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {B4811CA3-1A2B-49C0-8BA4-44F473E2A5CC} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: (no name) - {EC8FB64C-D6C9-4E4D-B1BD-2D6B430F949F} - C:\Program Files\Outlook Express\menozuge83122.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MXDA] C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [MMCAddinProtector] C:\Program Files\MMC\Office Automation\Protector\MMCAddinProtector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'Default user')
O4 - .DEFAULT User Startup: SetPowerScheme.lnk = C:\WINDOWS\system32\wscript.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O4 - Global Startup: Push Client.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.mercer.com
O15 - Trusted Zone: *.mercer.com
O15 - Trusted Zone: *.mercer.com (HKLM)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
--
End of file - 8699 bytes
ComboFix 07-10-11.1 - shan-fernando 2007-10-10 21:04:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.532 [GMT -7:00]
Running from: C:\Documents and Settings\Shan-Fernando\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\ComPlus Applications\rteje.html
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\b2
C:\WINDOWS\system32\ddcbxyx.dll
C:\WINDOWS\system32\urqnklj.dll
C:\WINDOWS\system32\z3
C:\WINDOWS\system32\z3\gbb83122.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.
2007-10-10 21:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 20:45 <DIR> d-------- C:\VundoFix Backups
2007-10-09 11:34 <DIR> d-------- C:\Program Files\iTunes
2007-10-09 11:34 <DIR> d-------- C:\Program Files\iPod
2007-10-08 16:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 15:35 225,280 --a------ C:\WINDOWS\system32\DWRCSET.DLL
2007-10-08 15:35 208,384 --a------ C:\WINDOWS\system32\DWRCS.EXE
2007-10-08 15:35 75,776 --a------ C:\WINDOWS\system32\DWRCShell64.dll
2007-10-08 15:35 71,680 --a------ C:\WINDOWS\system32\DWRCST.EXE
2007-10-08 15:35 69,632 --a------ C:\WINDOWS\system32\DWRCShell.dll
2007-10-08 15:35 53,248 --a------ C:\WINDOWS\system32\DWRCK.DLL
2007-10-07 21:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-10-07 21:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-10-07 21:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-10-07 21:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-10-06 12:18 <DIR> d-------- C:\quarantine
2007-10-06 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-05 12:17 513,567 ---hs---- C:\WINDOWS\system32\qqtwa.bak2
2007-10-04 00:16 1,326,780 ---hs---- C:\WINDOWS\system32\qqtwa.bak1
2007-10-04 00:16 319,584 --a------ C:\WINDOWS\system32\awtqq.dll
2007-10-04 00:14 <DIR> d-------- C:\Program Files\Temporary
2007-10-04 00:11 <DIR> d--hs---- C:\WINDOWS\TWVyY2VyIEh1bWFuIFJlc291cmNlIENvbnN1bHRpbmc
2007-10-04 00:11 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-04 00:11 <DIR> d-------- C:\WINDOWS\system32\sz1
2007-10-04 00:11 <DIR> d-------- C:\Temp\xOe
2007-10-03 14:56 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-02 16:27 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-10-02 11:22 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-02 11:21 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-02 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-27 21:00 <DIR> d-------- C:\Program Files\DivX
2007-09-25 09:27 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-09-25 09:27 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-09-14 09:36 <DIR> d-------- C:\Program Files\MSXML 6.0
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 03:41 --------- d-----w C:\Documents and Settings\Shan-Fernando\Application Data\.purple
2007-10-08 06:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 18:37 --------- d-----w C:\Program Files\Google
2007-10-04 20:05 --------- d-----w C:\Documents and Settings\Shan-Fernando\Application Data\Apple Computer
2007-10-02 18:23 --------- d-----w C:\Program Files\QuickTime
2007-10-02 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-12 16:03 --------- d-----w C:\Program Files\Mercer
2007-08-28 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-28 16:57 --------- d-----w C:\Program Files\McAfee
2007-08-28 16:57 --------- d-----w C:\Program Files\Common Files\McAfee Inc
2007-08-28 16:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-28 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-08-27 18:59 --------- d-----w C:\Program Files\Southwest Airlines
2007-08-27 18:59 --------- d-----w C:\Documents and Settings\Shan-Fernando\Application Data\Southwest Airlines
2007-08-15 07:44 --------- d-----w C:\Documents and Settings\Shan-Fernando\Application Data\gtk-2.0
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\TWVyY2VyIEh1bWFuIFJlc291cmNlIENvbnN1bHRpbmc\nqpVsZpVKH1YvqIRKIL5wZ6YwAh5KHhSvBhYvJlDvAw.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F6CEAD2-3D30-479E-EAB9-D3CCE2EFFABD}]
C:\Program Files\ComPlus Applications\quza.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65E8479F-B994-47B2-BFAA-16E881391317}]
C:\Program Files\Outlook Express\menozuge4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAA795FA-8764-4004-A6EE-C96C9E3A2A0F}]
2007-10-04 00:16 319584 --a------ C:\WINDOWS\system32\awtqq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC8FB64C-D6C9-4E4D-B1BD-2D6B430F949F}]
C:\Program Files\Outlook Express\menozuge83122.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 12:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 12:16]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 05:11]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"MXDA"="C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe" [2005-10-20 18:08]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 15:36 C:\WINDOWS\system32\ico.exe]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [2007-06-28 11:23]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 17:25]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe" [2005-02-24 14:09]
"MMCAddinProtector"="C:\Program Files\MMC\Office Automation\Protector\MMCAddinProtector.exe" [2007-07-11 01:40]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NCLaunch"=C:\WINDOWS\NCLAUNCH.EXe
C:\Documents and Settings\Shan-Fernando\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Access Manager Client.lnk - C:\WINDOWS\Installer\{9FAD4AF9-68DB-4AD1-85D4-03E06B0E388A}\AccessManStartup.exe [2007-05-30 12:34:08]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
McAfee Host Intrusion Prevention Tray.lnk - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [2007-08-28 09:57:40]
Push Client.lnk - C:\WINDOWS\Installer\{892B84C6-D06D-4423-A4F9-AE1F5575D165}\Icon892B84C6.exe [2007-06-04 08:34:22]
VPN Client.lnk - C:\WINDOWS\Installer\{B8221906-224A-4494-BB97-55FC63740019}\Icon3E5562ED7.ico [2007-05-30 12:31:13]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"=1 (0x1)
"NoHardwareTab"=1 (0x1)
"PromptRunasInstallNetPath"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoSetTaskbar"=1 (0x1)
"NoFavoritesMenu"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoPropertiesMyComputer"=1 (0x1)
"NoPropertiesMyDocuments"=1 (0x1)
"NoNetworkConnections"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"NoSMMyDocs"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoThumbnailCache"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoStartMenuMFUprogramsList"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoStartMenuNetworkPlaces"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"DisallowCpl"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2140084481-2073829295-449275081-140507\Scripts\Logon\0\0]
"Script"=US_S_LOU_script.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2140084481-2073829295-449275081-19062\Scripts\Logon\0\0]
"Script"=US_W_SFO_Login.vbs
R0 FirePM;McAfee HIP Component FirePM;C:\WINDOWS\system32\Drivers\FirePM.sys
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys
R0 SBAlg;SBAlg;C:\WINDOWS\system32\drivers\SBAlg.sys
R1 FireHook;McAfee HIP Component FireHook;\??\C:\WINDOWS\system32\Drivers\Firehk5x.sys
R1 FireTDI;McAfee HIP Component FireTDI;\??\C:\WINDOWS\system32\Drivers\FireTDI.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys
R1 SBFlop;SBFlop;C:\WINDOWS\system32\drivers\SBFlop.sys
R1 SbPrcCtl;SbPrcCtl;C:\WINDOWS\system32\drivers\SbPrcCtl.sys
R2 CCMEXEC;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;"C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe"
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;C:\Program Files\SafeBoot\SBMGRNT.EXE
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
R3 firelm01;firelm01;\??\C:\WINDOWS\system32\drivers\firelm01.sys
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
S3 NWUSBModem;Novatel Wireless USB Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
S3 NWUSBPort;Novatel Wireless USB Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser.sys
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys
S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1F73C5C7-4B6C-497F-932E-05FAEC9B1658}]
msiexec /fu {1F73C5C7-4B6C-497F-932E-05FAEC9B1658}
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66612A52-0092-4139-991B-456A06FC1DF6}]
msiexec /fu {66612A52-0092-4139-991B-456A06FC1DF6}
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{72F335EE-5E2E-47C1-BA0D-9B2BE612F336}]
msiexec.exe /f {72F335EE-5E2E-47C1-BA0D-9B2BE612F336} /qb
.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 21:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 21:09:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-10 21:11:15 - machine was rebooted
.
--- E O F ---
VundoFix V6.5.9
Checking Java version...
Scan started at 8:45:49 PM 10/10/2007
Listing files found while scanning....
C:\WINDOWS\system32\igjpoqlv.ini
C:\WINDOWS\system32\qfcwhtyx.dll
C:\WINDOWS\system32\vlqopjgi.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\igjpoqlv.ini
C:\WINDOWS\system32\igjpoqlv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\qfcwhtyx.dll
C:\WINDOWS\system32\qfcwhtyx.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\vlqopjgi.dll
C:\WINDOWS\system32\vlqopjgi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\qfcwhtyx.dll
C:\WINDOWS\system32\qfcwhtyx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vlqopjgi.dll
C:\WINDOWS\system32\vlqopjgi.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.9
Checking Java version...
Scan started at 8:54:33 PM 10/10/2007
Listing files found while scanning....
No infected files were found.
Hi
Have you set these by yourself?
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"=1 (0x1)
"NoHardwareTab"=1 (0x1)
"PromptRunasInstallNetPath"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoSetTaskbar"=1 (0x1)
"NoFavoritesMenu"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoPropertiesMyComputer"=1 (0x1)
"NoPropertiesMyDocuments"=1 (0x1)
"NoNetworkConnections"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"NoSMMyDocs"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoThumbnailCache"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoStartMenuMFUprogramsList"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoStartMenuNetworkPlaces"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"DisallowCpl"=1 (0x1)
Hi
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\qqtwa.bak2
C:\WINDOWS\system32\qqtwa.bak1
C:\WINDOWS\system32\awtqq.dll
Folder::
C:\WINDOWS\TWVyY2VyIEh1bWFuIFJlc291cmNlIENvbnN1bHRpbmc
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\sz1
C:\Temp\xOe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F6CEAD2-3D30-479E-EAB9-D3CCE2EFFABD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65E8479F-B994-47B2-BFAA-16E881391317}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAA795FA-8764-4004-A6EE-C96C9E3A2A0F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC8FB64C-D6C9-4E4D-B1BD-2D6B430F949F}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
ComboFix 07-10-11.1 - shan-fernando 2007-10-11 12:32:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.385 [GMT -7:00]
Running from: C:\Documents and Settings\Shan-Fernando\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shan-Fernando\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\qqtwa.bak1
C:\WINDOWS\system32\qqtwa.bak2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\qqtwa.bak1
C:\WINDOWS\system32\qqtwa.bak2
C:\WINDOWS\system32\sz1
C:\WINDOWS\system32\sz1\rw1000dr.exe
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
C:\WINDOWS\TWVyY2VyIEh1bWFuIFJlc291cmNlIENvbnN1bHRpbmc
C:\WINDOWS\TWVyY2VyIEh1bWFuIFJlc291cmNlIENvbnN1bHRpbmc\nqpVsZpVKH1YvqIRKIL5wZ6YwAh5KHhSvBhYvJlDvAw.vbs
.
((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.
2007-10-11 10:12 <DIR> d-------- C:\Documents and Settings\Shan-Fernando\Application Data\ICAClient
2007-10-10 21:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 20:45 <DIR> d-------- C:\VundoFix Backups
2007-10-09 11:34 <DIR> d-------- C:\Program Files\iTunes
2007-10-09 11:34 <DIR> d-------- C:\Program Files\iPod
2007-10-08 16:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 15:35 225,280 --a------ C:\WINDOWS\system32\DWRCSET.DLL
2007-10-08 15:35 208,384 --a------ C:\WINDOWS\system32\DWRCS.EXE
2007-10-08 15:35 75,776 --a------ C:\WINDOWS\system32\DWRCShell64.dll
2007-10-08 15:35 71,680 --a------ C:\WINDOWS\system32\DWRCST.EXE
2007-10-08 15:35 69,632 --a------ C:\WINDOWS\system32\DWRCShell.dll
2007-10-08 15:35 53,248 --a------ C:\WINDOWS\system32\DWRCK.DLL
2007-10-07 21:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-10-07 21:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-10-07 21:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-10-07 21:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-10-06 12:18 <DIR> d-------- C:\quarantine
2007-10-06 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-04 00:14 <DIR> d-------- C:\Program Files\Temporary
2007-10-03 14:56 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-02 16:27 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-10-02 11:22 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-02 11:21 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-02 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-27 21:00 <DIR> d-------- C:\Program Files\DivX
2007-09-25 09:27 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-09-25 09:27 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-09-14 09:36 <DIR> d-------- C:\Program Files\MSXML 6.0
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 03:41 --------- d-----w C:\Documents and Settings\Shan-Fernando\Application Data\.purple
2007-10-08 06:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 18:37 --------- d-----w C:\Program Files\Google
2007-10-04 20:05 --------- d-----w C:\Documents and Settings\Shan-Fernando\Application Data\Apple Computer
2007-10-02 18:23 --------- d-----w C:\Program Files\QuickTime
2007-10-02 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-12 16:03 --------- d-----w C:\Program Files\Mercer
2007-08-28 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-28 16:57 --------- d-----w C:\Program Files\McAfee
2007-08-28 16:57 --------- d-----w C:\Program Files\Common Files\McAfee Inc
2007-08-28 16:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-28 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-08-27 18:59 --------- d-----w C:\Program Files\Southwest Airlines
2007-08-27 18:59 --------- d-----w C:\Documents and Settings\Shan-Fernando\Application Data\Southwest Airlines
2007-08-15 07:44 --------- d-----w C:\Documents and Settings\Shan-Fernando\Application Data\gtk-2.0
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 12:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 12:16]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 05:11]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"MXDA"="C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe" [2005-10-20 18:08]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 15:36 C:\WINDOWS\system32\ico.exe]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [2007-06-28 11:23]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 17:25]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe" [2005-02-24 14:09]
"MMCAddinProtector"="C:\Program Files\MMC\Office Automation\Protector\MMCAddinProtector.exe" [2007-07-11 01:40]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NCLaunch"=C:\WINDOWS\NCLAUNCH.EXe
C:\Documents and Settings\Shan-Fernando\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Access Manager Client.lnk - C:\WINDOWS\Installer\{9FAD4AF9-68DB-4AD1-85D4-03E06B0E388A}\AccessManStartup.exe [2007-05-30 12:34:08]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
McAfee Host Intrusion Prevention Tray.lnk - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [2007-08-28 09:57:40]
Push Client.lnk - C:\WINDOWS\Installer\{892B84C6-D06D-4423-A4F9-AE1F5575D165}\Icon892B84C6.exe [2007-06-04 08:34:22]
VPN Client.lnk - C:\WINDOWS\Installer\{B8221906-224A-4494-BB97-55FC63740019}\Icon3E5562ED7.ico [2007-05-30 12:31:13]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"=1 (0x1)
"NoHardwareTab"=1 (0x1)
"PromptRunasInstallNetPath"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoSetTaskbar"=1 (0x1)
"NoFavoritesMenu"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoPropertiesMyComputer"=1 (0x1)
"NoPropertiesMyDocuments"=1 (0x1)
"NoNetworkConnections"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"NoSMMyDocs"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoThumbnailCache"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoStartMenuMFUprogramsList"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoStartMenuNetworkPlaces"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"DisallowCpl"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2140084481-2073829295-449275081-140507\Scripts\Logon\0\0]
"Script"=US_W_SFO_Login.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2140084481-2073829295-449275081-19062\Scripts\Logon\0\0]
"Script"=US_W_SFO_Login.vbs
R0 FirePM;McAfee HIP Component FirePM;C:\WINDOWS\system32\Drivers\FirePM.sys
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys
R0 SBAlg;SBAlg;C:\WINDOWS\system32\drivers\SBAlg.sys
R1 FireHook;McAfee HIP Component FireHook;\??\C:\WINDOWS\system32\Drivers\Firehk5x.sys
R1 FireTDI;McAfee HIP Component FireTDI;\??\C:\WINDOWS\system32\Drivers\FireTDI.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys
R1 SBFlop;SBFlop;C:\WINDOWS\system32\drivers\SBFlop.sys
R1 SbPrcCtl;SbPrcCtl;C:\WINDOWS\system32\drivers\SbPrcCtl.sys
R2 CCMEXEC;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;"C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe"
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;C:\Program Files\SafeBoot\SBMGRNT.EXE
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
R3 firelm01;firelm01;\??\C:\WINDOWS\system32\drivers\firelm01.sys
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
S3 NWUSBModem;Novatel Wireless USB Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
S3 NWUSBPort;Novatel Wireless USB Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser.sys
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys
S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1F73C5C7-4B6C-497F-932E-05FAEC9B1658}]
msiexec /fu {1F73C5C7-4B6C-497F-932E-05FAEC9B1658}
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66612A52-0092-4139-991B-456A06FC1DF6}]
msiexec /fu {66612A52-0092-4139-991B-456A06FC1DF6}
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{72F335EE-5E2E-47C1-BA0D-9B2BE612F336}]
msiexec.exe /f {72F335EE-5E2E-47C1-BA0D-9B2BE612F336} /qb
.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 21:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 12:36:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-11 12:36:52 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-10 21:11
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39, on 2007-10-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Interwise\Student\pull.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\nahs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mercer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.mercer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MXDA] C:\Program Files\Mercer\Global Peer Review\Mxda\mxda.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [MMCAddinProtector] C:\Program Files\MMC\Office Automation\Protector\MMCAddinProtector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'Default user')
O4 - .DEFAULT User Startup: SetPowerScheme.lnk = C:\WINDOWS\system32\wscript.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Access Manager Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O4 - Global Startup: Push Client.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.mercer.com
O15 - Trusted Zone: *.mercer.com
O15 - Trusted Zone: *.mercer.com (HKLM)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercer.com
O17 - HKLM\Software\..\Telephony: DomainName = mercer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercer.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
--
End of file - 8318 bytes
Hi
Perform kaspersky online scan as instructed here (http://forums.spybot.info/showpost.php?p=1150&postcount=2)
Post:
- a fresh HijackThis log
- kaspersky reprt
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.