Problem back-door trojan perfc000.dat



Cal626
2007-12-12, 00:44
I have cleaned up most of the viruses that McAfee and Spybot found on one of my computers, but the perfc000.dat keeps popping up and being deleted every few seconds by McAfee. I cannot run a Kaspersky scan because IE will not load. I am using a USB drive to transfer programs for installation and log files to my non-infected PC. HJT follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:26 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\cmeadows\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {39D7900C-461D-86A5-81BA-CF35914FAC04} - (no file)
O2 - BHO: (no name) - {3E1500AC-87A5-416b-A211-82E848649DA9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AF5C471-87BA-448F-F2B6-851A1516D4A8} - (no file)
O2 - BHO: (no name) - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - (no file)
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {CD5D4F49-F5FD-820A-DB0A-88ADAECD73B4} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe

--
End of file - 5306 bytes
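The HJT log above is the kind of listing a helper reads by eye. As an added example (my code, not from the thread, from HijackThis, or from the helper), the script below applies a few defender-side triage heuristics to that entry format: O2 BHOs whose DLL is gone, O4 autostart binaries that carry a core-process name outside system32 or a one-character lookalike of one, any non-empty O20 AppInit_DLLs value (a DLL listed there is loaded into every process that loads user32.dll, which is why a file living there deserves attention), and O23 services with no vendor. The sample lines are copied from the log above, except the xrunwin line, which is constructed from the startupreg entry ComboFix reports later in the thread. The rules are mine and produce leads to verify, not verdicts.

```python
"""Triage heuristics for HijackThis (HJT) log entries.

Added example; not code from the thread, from HijackThis, or from the helper.
Every rule here is a heuristic that yields a lead to verify, not a verdict.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Core Windows processes that legitimately run only from %SystemRoot%\system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"

# O4 lines look like:  O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /switch
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (?P<cmd>.+)$")


def executable_of(cmd):
    """Return the program path from an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line):
    """Apply the heuristics to one HJT line; return a Finding or None."""
    line = line.strip()
    if line.startswith("O2 - ") and line.endswith("(no file)"):
        return Finding(line, "BHO CLSID registered but its DLL is missing (orphaned entry)")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return Finding(line, "AppInit_DLLs value: loaded into every process that loads user32.dll")
    if line.startswith("O23 - ") and "Unknown owner" in line:
        return Finding(line, "service binary carries no vendor information")
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        folder, _, base = exe.lower().rpartition("\\")
        if base in SYSTEM_BINARIES and folder != SYSTEM32:
            return Finding(line, "core process name running outside system32")
        for sysname in SYSTEM_BINARIES:
            if base != sysname and edit_distance(base, sysname) == 1:
                return Finding(line, "autostart name is one character off from " + sysname)
    return None


def triage(log_text):
    """Return the Findings for every line of an HJT log, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


# Sample input: lines copied from the first HJT log in the thread, plus one
# constructed O4 line built from the "xrunwin" startupreg entry in the
# ComboFix log (msconfig had disabled it, so HJT did not list it as O4).
SAMPLE_HJT = r'''
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {39D7900C-461D-86A5-81BA-CF35914FAC04} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print("%-70s  %s" % (f.reason, f.line))
```

On the sample the script flags five lines: the orphaned BHO, lsasss.exe (one character off lsass.exe), svchost.exe outside system32, the AppInit_DLLs entry for perfc000.dat, and the service with no vendor; the McAfee, Adobe and taskswitch entries pass. The lookalike rule is deliberately narrow (distance exactly one from a short list of core names) so that ordinary vendor binaries do not drown the leads.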

Mr_JAk3
2007-12-13, 20:14
Hello Cal626 and welcome to the Forums :)

You're infected.

One or more of the identified infections allows attackers to steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

First you need to disable a few real-time protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D TeaTimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Cal626
2007-12-14, 20:48
Thanks for helping,

ComboFix has been at the "Deleting Files/Folders:" message for over 15 minutes with no disk activity. The system does not respond to anything and the desktop items are all gone.

Mr_JAk3
2007-12-15, 13:10
Hi again :)

OK, you may abort it then and restart the PC.

Check if there is a C:\ComboFix.txt file and post it here if it exists.

Then we'll try ComboFix in safe mode.

Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".

Try running ComboFix.

When ready, restart in normal mode and post the log here :bigthumb:

Cal626
2007-12-15, 17:02
Hi,

I ran it again in safe mode. This time I was able to see a message that said something about "not being able to access a file because it was being used by another process", just before the message about Deleting Files/Folders. There is no disk activity currently.

Cal626
2007-12-15, 21:10
Hi Mr_JAk3,

I was finally able to run ComboFix successfully "in normal mode" by using msconfig to disable all startup programs. Log is below.

ComboFix 07-12-15.1 - cmeadows 2007-12-16 14:59:24.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.43 [GMT -5:00]
Running from: C:\Documents and Settings\cmeadows\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-14 14:23 . 2007-12-16 12:44 <DIR> d-------- C:\Renamed-qoobox
2007-12-09 18:52 . 2007-12-09 18:52 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-09 18:52 . 2007-12-09 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-09 18:50 . 2007-12-09 18:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-09 12:29 . 2007-08-20 05:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-09 12:29 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-09 12:29 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-09 12:29 . 2007-08-20 05:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-09 12:29 . 2007-08-20 05:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-09 12:29 . 2007-08-20 05:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-09 12:29 . 2007-08-20 05:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-09 12:29 . 2007-08-20 05:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-09 12:29 . 2007-08-17 05:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-09 12:19 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-08 15:06 . 2007-12-08 14:52 92,160 --a------ C:\f-sasser.exe
2007-12-07 22:08 . 2007-12-16 10:44 <DIR> d-------- C:\quarantine
2007-12-06 07:12 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-06 07:12 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-06 07:12 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-06 07:05 . 2007-12-06 07:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-05 23:20 . 2007-12-05 23:20 105 --a------ C:\WINDOWS\wininit.ini
2007-12-05 21:33 . 2007-12-11 12:20 512 --a------ C:\WINDOWS\randseed.rnd
2007-12-05 21:30 . 2007-12-05 21:30 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-12-05 21:30 . 2007-12-05 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
2007-12-05 21:30 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-12-05 21:30 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-12-05 21:29 . 2007-12-05 21:30 <DIR> d-------- C:\Program Files\Network Associates
2007-12-05 21:29 . 2007-12-05 21:29 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-12-05 21:22 . 2006-12-07 01:40 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-12-05 21:21 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-05 21:12 . 2007-12-05 21:12 <DIR> d--hs---- C:\found.000
2007-12-05 21:00 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-05 21:00 . 2007-12-09 12:29 1,374 --a------ C:\WINDOWS\imsins.BAK
2007-12-05 19:03 . 2007-12-05 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 23:47 --------- d-----w C:\Program Files\Common Files\wuro
2007-12-07 22:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-06 02:55 --------- d-----w C:\Program Files\REGSHAVE
2007-12-06 02:55 --------- d-----w C:\Program Files\QuickTime
2007-12-06 01:54 279 ----a-w C:\Program Files\Common Files\lafun
2006-08-26 14:57 232 -c--a-w C:\Documents and Settings\HP_Owner\jkjkj.bat
2006-08-12 06:13 186 -c--a-w C:\Documents and Settings\HP_Owner\n.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D7900C-461D-86A5-81BA-CF35914FAC04}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E1500AC-87A5-416b-A211-82E848649DA9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AF5C471-87BA-448F-F2B6-851A1516D4A8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{943CBD6C-F4DE-40e4-AA43-7B964FAE81F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD5D4F49-F5FD-820A-DB0A-88ADAECD73B4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-12-31 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
C:\WINDOWS\system32\taskswitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2002-12-31 07:00 15360 --a--c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
2003-10-07 09:48 147514 --a------ C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrunwin]
C:\WINDOWS\svchost.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-04-09 19:35:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 15:01:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 15:02:00
.
2007-12-11 21:32:37 --- E O F ---

Mr_JAk3
2007-12-16, 14:43
Hi, we'll continue ;)

Open Notepad and copy/paste the text in the quote box below into it:


File::
C:\Documents and Settings\HP_Owner\jkjkj.bat
C:\Documents and Settings\HP_Owner\n.bat
C:\WINDOWS\svchost.exe

Folder::
C:\Program Files\Common Files\wuro
C:\Program Files\Common Files\lafun

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D7900C-461D-86A5-81BA-CF35914FAC04}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E1500AC-87A5-416b-A211-82E848649DA9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AF5C471-87BA-448F-F2B6-851A1516D4A8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{943CBD6C-F4DE-40e4-AA43-7B964FAE81F1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD5D4F49-F5FD-820A-DB0A-88ADAECD73B4}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrunwin]




Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Cal626
2007-12-16, 15:02
Hi,

I did as you said. It appears hung again at "Deleting Files/Folders". Does the desktop (explorer) go away when ComboFix is running?

Cal626
2007-12-16, 15:14
Hi Again,

I think I found a way to recover without ending ComboFix. Here is the log.

ComboFix 07-12-15.1 - cmeadows 2007-12-17 8:53:57.9 - NTFSx86
Running from: C:\Documents and Settings\cmeadows\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\cmeadows\Desktop\CFScript
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\lafun\
C:\Program Files\Common Files\wuro
C:\Program Files\Common Files\wuro\wuroa.lck
C:\Program Files\Common Files\wuro\wurod\class-barrel
C:\Program Files\Common Files\wuro\wurod\vocabulary
C:\Program Files\Common Files\wuro\wuroh
C:\Program Files\Common Files\wuro\wurol.lck
C:\Program Files\Common Files\wuro\wurom.lck
C:\Program Files\Common Files\wuro\wurop.lck

.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-14 14:23 . 2007-12-16 12:44 <DIR> d-------- C:\Renamed-qoobox
2007-12-09 18:52 . 2007-12-09 18:52 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-09 18:52 . 2007-12-09 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-09 18:50 . 2007-12-09 18:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-09 12:29 . 2007-08-20 05:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-09 12:29 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-09 12:29 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-09 12:29 . 2007-08-20 05:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-09 12:29 . 2007-08-20 05:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-09 12:29 . 2007-08-20 05:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-09 12:29 . 2007-08-20 05:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-09 12:29 . 2007-08-20 05:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-09 12:29 . 2007-08-17 05:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-09 12:19 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-08 15:06 . 2007-12-08 14:52 92,160 --a------ C:\f-sasser.exe
2007-12-07 22:08 . 2007-12-16 10:44 <DIR> d-------- C:\quarantine
2007-12-06 07:12 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-06 07:12 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-06 07:12 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-06 07:05 . 2007-12-06 07:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-05 23:20 . 2007-12-05 23:20 105 --a------ C:\WINDOWS\wininit.ini
2007-12-05 21:33 . 2007-12-11 12:20 512 --a------ C:\WINDOWS\randseed.rnd
2007-12-05 21:30 . 2007-12-05 21:30 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-12-05 21:30 . 2007-12-05 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
2007-12-05 21:30 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-12-05 21:30 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-12-05 21:29 . 2007-12-05 21:30 <DIR> d-------- C:\Program Files\Network Associates
2007-12-05 21:29 . 2007-12-05 21:29 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-12-05 21:22 . 2006-12-07 01:40 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-12-05 21:21 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-05 21:12 . 2007-12-05 21:12 <DIR> d--hs---- C:\found.000
2007-12-05 21:00 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-05 21:00 . 2007-12-09 12:29 1,374 --a------ C:\WINDOWS\imsins.BAK
2007-12-05 19:03 . 2007-12-05 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 22:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-06 02:55 --------- d-----w C:\Program Files\REGSHAVE
2007-12-06 02:55 --------- d-----w C:\Program Files\QuickTime
2007-12-06 01:54 279 ----a-w C:\Program Files\Common Files\lafun
2006-08-26 14:57 232 -c--a-w C:\Documents and Settings\HP_Owner\jkjkj.bat
2006-08-12 06:13 186 -c--a-w C:\Documents and Settings\HP_Owner\n.bat
.

((((((((((((((((((((((((((((( snapshot@2007-12-16_15.01.16.62 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-12-31 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
C:\WINDOWS\system32\taskswitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2002-12-31 07:00 15360 --a--c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
2003-10-07 09:48 147514 --a------ C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-04-09 19:35:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 09:09:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 9:10:20
C:\ComboFix2.txt ... 2007-12-16 15:02
.
2007-12-11 21:32:37 --- E O F ---

Cal626
2007-12-16, 15:24
Hi,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:22 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\cmeadows\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe

--
End of file - 3204 bytes


The HJT.

Mr_JAk3
2007-12-17, 19:47
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} -

Open HijackThis.
Open the Misc Tools section
Delete a file on Reboot
Copy the following line to the filename box and press Open: C:\Documents and Settings\HP_Owner\jkjkj.bat
Answer "No" to the reboot prompt
Copy the following line to the filename box and press Open: C:\Documents and Settings\HP_Owner\n.bat
Answer Yes
Reboot the computer if it isn't restarted automatically

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt. Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the icon right below it and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.

Cal626
2007-12-18, 12:35
Hi, the DrWeb.csv file:

AP2.htm;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp;VBS.Psyme.239;Deleted.;
AP54.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp;Trojan.DownLoader.8290;Deleted.;
perfc000.dat.Vir;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.0;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.1;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.10;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.11;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.12;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.13;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.14;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.15;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.16;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.17;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.18;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.19;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.2;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.20;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.21;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.22;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.23;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.24;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.25;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.26;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.27;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.28;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.29;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.3;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.30;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.31;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.32;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.33;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.34;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.35;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.36;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.37;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.38;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.39;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.4;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.40;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.41;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.42;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.43;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.44;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.45;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.46;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.47;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.48;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.49;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.5;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.50;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.51;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.52;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.53;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.54;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.55;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.56;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.57;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.58;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.59;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.6;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.60;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.61;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.62;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.63;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.64;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.65;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.66;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.67;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.68;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.69;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.7;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.70;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.71;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.72;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.73;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.74;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.75;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.76;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.77;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.78;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.79;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.8;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.80;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.81;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.82;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.83;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.84;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.85;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.86;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.87;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.88;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.89;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.9;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.90;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.91;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.92;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.93;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.Vir.94;C:\quarantine;Trojan.Proxy.1739;Deleted.;
perfc000.dat.vir;C:\Renamed-qoobox\Quarantine\C\WINDOWS\system32;Trojan.Proxy.1739;Deleted.;
A0000160.exe\data001;C:\System Volume Information\_restore{BD5DE0FE-1348-42ED-A138-3F2F28E2F812}\RP3\A0000160.exe;Adware.Mirarbar;;
A0000160.exe\data002;C:\System Volume Information\_restore{BD5DE0FE-1348-42ED-A138-3F2F28E2F812}\RP3\A0000160.exe;Adware.Mirarbar;;
A0000160.exe;C:\System Volume Information\_restore{BD5DE0FE-1348-42ED-A138-3F2F28E2F812}\RP3;Archive contains infected objects;Moved.;
A0002308.exe;C:\System Volume Information\_restore{BD5DE0FE-1348-42ED-A138-3F2F28E2F812}\RP6;Trojan.DownLoader.8290;Deleted.;
psshutdown.exe;C:\WINDOWS\system32;Tool.Reboot;Moved.;
swinsndv.exe;C:\WINDOWS\system32;Adware.Hotbot.origin;Moved.;

Cal626
2007-12-18, 12:37
The HJT file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:41 AM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cmeadows\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E9F4859-A1B6-4238-95CF-3FD8CB99BAE4}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe

--
End of file - 4120 bytes

Mr_JAk3
2007-12-18, 20:37
Hello :)

Looks pretty good now. How is the pc running? :santa:

Cal626
2007-12-18, 20:48
Hi,
The PC is running faster now and IE seems to be working, but I have not yet connected the PC to the internet. I will do so now and then get MS updates.

Thank You, Thank You, Thank You.
:santa:

Cal626
2007-12-18, 20:51
All of this was done in my account. Will the Administrator account also be free of the nasties?

Thanks Again.

Mr_JAk3
2007-12-19, 20:00
Hi :)

Does your account have administrative rights? If not, then you could run one virus scan on the other account too.

Post the findings if something is found. :bigthumb:

Cal626
2007-12-20, 00:08
Yes, my account has administrative rights. A virus scan found nothing.

Thanks Again.

Mr_JAk3
2007-12-20, 16:59
Ok great :)

You can remove the tools we used.


=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)