I Cannot Remove Smitfraud



mcguiret
2008-02-23, 03:05
I've tried for a while to get rid of this thing. I've tried all the spyware tools and also general instructions such as running SmitfraudFix.exe but to no avail. Here are my HJT and KAV logs. Let me thank you in advance for your help.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 22, 2008 7:14:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/02/2008
Kaspersky Anti-Virus database records: 576071
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 52364
Number of viruses found: 6
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 00:43:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\tmcguire\~Running.ping Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\SMSCliToknLocalAcct&\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\SMSCliToknLocalAcct&\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\svcSMS\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\svcSMS\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip ZIP: infected - 1 skipped
C:\Documents and Settings\tmcguire\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\tmcguire\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\tmcguire\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\tmcguire\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\tmcguire\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\tmcguire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\Temp\Perflib_Perfdata_b0c.dat Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\Temp\~DFC702.tmp Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tmcguire\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\tmcguire\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Remote Services\WENGINE\dbgtrace.log Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080222.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip ZIP: infected - 1 skipped
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip ZIP: infected - 1 skipped
C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp/mobjchku.exe Infected: not-a-virus:AdWare.Win32.BHO.xv skipped
C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp ZIP: infected - 1 skipped
C:\TEMP\oldprofile\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\6LAT0HKZ\wavvsnet[1].exe Infected: Trojan-Downloader.Win32.Small.hcu skipped
C:\VNCTEMP\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\tosdvdd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_bf0.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\TIMET Laptop\Spyware\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\TIMET Laptop\Spyware\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\TIMET Laptop\Spyware\SmitfraudFix.exe RarSFX: infected - 2 skipped
F:\TIMET Laptop\Spyware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:45 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\program files\cisco systems\vpn client\cvpnd.exe
C:\Program Files\Remote Services\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\TEMP\QO5A87.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Adobe\Distillr\AcroDist.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\msupdtck.exe
C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.timet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TIMET usnpx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://denprx1.timet.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.timet.com;10.*.*.*;192.168.*.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [o2klang] c:\windows\langver.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" "/0015c51fa28d" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [internat] internat.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [mssdbsrv] C:\WINDOWS\system32\msupdtck.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\RunOnce: [RunOnce] c:\windows\oem\runonce.bat (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-725345543-44281\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\cisco systems\vpn client\vpngui.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://den2khri1:100/codebase/svinstall_a_stat.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1) - http://den2khri1:100/codebase/j2re-1_3_1-win.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.timet.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.timet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.timet.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.timet.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe
O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe
O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\program files\cisco systems\vpn client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10542 bytes
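
As an added example (not from the thread and not part of HijackThis itself), a small Python triage helper that parses the "Running processes" section and the O4 autorun lines of a log like the one above and marks entries worth a closer look: executables in temp directories, bare file names resolved through the search path, unquoted paths containing spaces, binaries dropped directly in the Windows directory, and per-user Run entries that start a Windows-directory binary under an unrelated value name. The sample lines are copied from the log above; the flagging rules are this example's own heuristics and produce review candidates, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\TEMP\QO5A87.EXE
C:\WINDOWS\system32\msupdtck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.timet.com/
O4 - HKLM\..\Run: [o2klang] c:\windows\langver.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mssdbsrv] C:\WINDOWS\system32\msupdtck.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

# O4 line layout: "O4 - <hive>\..\<Run key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")   # trailing "(User '?')" on HKUS lines
QUOTED_RE = re.compile(r'^"([^"]+)"')
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)
TEMP_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^(?:c:\\windows|%systemroot%)\\", re.IGNORECASE)
WINDIR_ROOT_RE = re.compile(r"^(?:c:\\windows|%systemroot%)\\[^\\]+$", re.IGNORECASE)


@dataclass
class Autorun:
    hive: str      # HKLM, HKCU or HKUS\<SID>
    key: str       # Run or RunOnce
    name: str      # registry value name shown in [brackets]
    path: str      # executable extracted from the command
    quoted: bool   # whether the executable path was double-quoted


def extract_path(cmd: str) -> Tuple[str, bool]:
    """Pull the executable out of a Run command: quoted path, first *.exe, or first token."""
    m = QUOTED_RE.match(cmd)
    if m:
        return m.group(1), True
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), False
    return (cmd.split() or [cmd])[0], False


def parse_hjt(text: str) -> Tuple[List[str], List[Autorun]]:
    """Return the 'Running processes' list and the parsed O4 autorun entries."""
    processes, autoruns, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
            path, quoted = extract_path(cmd)
            autoruns.append(Autorun(m.group("hive"), m.group("key"), m.group("name"), path, quoted))
    return processes, autoruns


def review_reasons(a: Autorun) -> List[str]:
    """Heuristic review flags: they mark entries for a human to check, they are not verdicts."""
    reasons, p = [], a.path
    if TEMP_RE.search(p):
        reasons.append("runs from a temp directory")
    if "\\" not in p:
        reasons.append("bare file name, resolved through the search path")
    elif " " in p and not a.quoted:
        reasons.append("unquoted path containing spaces")
    if WINDIR_ROOT_RE.match(p):
        reasons.append("executable dropped directly in the Windows directory")
    stem = p.rsplit("\\", 1)[-1].lower().replace(".exe", "")
    vname = a.name.lower().replace(".exe", "")
    per_user = a.hive.upper().startswith(("HKCU", "HKUS"))
    if per_user and WINDIR_RE.match(p) and stem not in vname and vname not in stem:
        reasons.append("per-user autostart of a Windows-directory binary under an unrelated name")
    return reasons


def triage(text: str) -> Dict[str, object]:
    """Processes started from temp directories plus every autorun that has at least one flag."""
    processes, autoruns = parse_hjt(text)
    return {
        "temp_processes": [p for p in processes if TEMP_RE.search(p)],
        "autoruns": [{"name": a.name, "path": a.path, "reasons": review_reasons(a)}
                     for a in autoruns if review_reasons(a)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HJT_LOG)
    for proc in report["temp_processes"]:
        print(f"process from temp dir: {proc}")
    for entry in report["autoruns"]:
        print(f"{entry['name']:<20} {entry['path']}  ->  {'; '.join(entry['reasons'])}")
```

Flagged entries still need the file itself examined (hash lookup, vendor signature, creation time), which is exactly what the helper in this thread asks for next.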

katana
2008-02-24, 23:10
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

----------------------------------------------------------------------------------------


Submit a File For Analysis
We need to have the files below scanned by uploading them to VirusTotal.

Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window
c:\windows\langver.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINDOWS\system32\msupdtck.exe

If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


Installed Programs

Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on the Save List button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

mcguiret
2008-02-25, 03:03
File langver.exe received on 02.25.2008 02:35:03 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.24 -
Authentium 4.93.8 2008.02.24 -
Avast 4.7.1098.0 2008.02.24 -
AVG 7.5.0.516 2008.02.24 -
BitDefender 7.2 2008.02.25 -
CAT-QuickHeal 9.50 2008.02.22 -
ClamAV 0.92.1 2008.02.25 -
DrWeb 4.44.0.09170 2008.02.24 -
eSafe 7.0.15.0 2008.02.21 -
eTrust-Vet 31.3.5557 2008.02.23 -
Ewido 4.0 2008.02.24 -
FileAdvisor 1 2008.02.25 -
Fortinet 3.14.0.0 2008.02.24 -
F-Prot 4.4.2.54 2008.02.24 -
F-Secure 6.70.13260.0 2008.02.25 -
Ikarus T3.1.1.20 2008.02.25 -
Kaspersky 7.0.0.125 2008.02.25 -
McAfee 5236 2008.02.22 -
Microsoft 1.3204 2008.02.24 -
NOD32v2 2898 2008.02.23 -
Norman 5.80.02 2008.02.22 -
Panda 9.0.0.4 2008.02.25 -
Prevx1 V2 2008.02.25 -
Rising 20.32.62.00 2008.02.24 -
Sophos 4.26.0 2008.02.24 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.25 -
TheHacker 6.2.9.228 2008.02.23 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.24 -
Webwasher-Gateway 6.6.2 2008.02.24 -
Additional information
File size: 163435 bytes
MD5: be7dfdade13e3f2c8578940235a6b8fe
SHA1: b0daa40beb4e6fd63620379d62e638ab3edee5b4
PEiD: Armadillo v1.71

File msupdtck.exe received on 02.25.2008 02:41:07 (CET)
Result: 10/32 (31.25%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.24 TR/PSW.Stealer.125440.2
Authentium 4.93.8 2008.02.24 -
Avast 4.7.1098.0 2008.02.24 -
AVG 7.5.0.516 2008.02.24 SHeur.AIKB
BitDefender 7.2 2008.02.25 DeepScan:Generic.PWStealer.C3D3F502
CAT-QuickHeal 9.50 2008.02.22 -
ClamAV 0.92.1 2008.02.25 -
DrWeb 4.44.0.09170 2008.02.24 -
eSafe 7.0.15.0 2008.02.21 suspicious Trojan/Worm
eTrust-Vet 31.3.5557 2008.02.23 -
Ewido 4.0 2008.02.24 -
FileAdvisor 1 2008.02.25 High threat detected
Fortinet 3.14.0.0 2008.02.24 -
F-Prot 4.4.2.54 2008.02.24 -
F-Secure 6.70.13260.0 2008.02.25 -
Ikarus T3.1.1.20 2008.02.25 Generic.PWStealer
Kaspersky 7.0.0.125 2008.02.25 -
McAfee 5236 2008.02.22 -
Microsoft 1.3204 2008.02.24 -
NOD32v2 2898 2008.02.23 -
Norman 5.80.02 2008.02.22 -
Panda 9.0.0.4 2008.02.25 Suspicious file
Prevx1 V2 2008.02.25 Generic.Malware
Rising 20.32.62.00 2008.02.24 -
Sophos 4.26.0 2008.02.24 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.25 Trojan Horse
TheHacker 6.2.9.228 2008.02.23 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.24 -
Webwasher-Gateway 6.6.2 2008.02.24 Trojan.PSW.Stealer.125440.2
Additional information
File size: 125440 bytes
MD5: a00571b001104378f43f85dc6d0dc21d
SHA1: 65638b05c08fe7b441cda9862fd0fd96c0141bdd
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=a00571b001104378f43f85dc6d0dc21d
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=92E7B49A002A474DEABF01CAE72B8000BB85052A
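
Added example (not part of the thread): a Python parser for VirusTotal text reports of the kind Katana asked for above and mcguiret pasted here. It reads the engine table (the result column may contain spaces, as in "High threat detected") and the "Additional information" block, counts detections, counts how many engines label the sample a password stealer, records the hashes and packer, and derives a triage label. The sample is an abridged copy of the msupdtck.exe report above (all ten detecting engines kept, most non-detecting rows dropped); the keyword list and the thresholds in verdict() are this example's assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: abridged copy of the msupdtck.exe VirusTotal report posted above.
SAMPLE_VT_REPORT = """\
File msupdtck.exe received on 02.25.2008 02:41:07 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.24 TR/PSW.Stealer.125440.2
Authentium 4.93.8 2008.02.24 -
AVG 7.5.0.516 2008.02.24 SHeur.AIKB
BitDefender 7.2 2008.02.25 DeepScan:Generic.PWStealer.C3D3F502
eSafe 7.0.15.0 2008.02.21 suspicious Trojan/Worm
FileAdvisor 1 2008.02.25 High threat detected
Ikarus T3.1.1.20 2008.02.25 Generic.PWStealer
Kaspersky 7.0.0.125 2008.02.25 -
McAfee 5236 2008.02.22 -
Panda 9.0.0.4 2008.02.25 Suspicious file
Prevx1 V2 2008.02.25 Generic.Malware
Symantec 10 2008.02.25 Trojan Horse
Webwasher-Gateway 6.6.2 2008.02.24 Trojan.PSW.Stealer.125440.2
Additional information
File size: 125440 bytes
MD5: a00571b001104378f43f85dc6d0dc21d
SHA1: 65638b05c08fe7b441cda9862fd0fd96c0141bdd
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: PE_Patch.UPX, UPX
"""

# Table row: "<engine> <version> <yyyy.mm.dd> <result>"; the result may contain spaces.
ROW_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{4}\.\d{2}\.\d{2}) (?P<result>.+)$")
META_RE = re.compile(r"^(?P<key>File size|MD5|SHA1|PEiD|packers): (?P<value>.+)$")
# Assumed keyword list: substrings that name the password-stealer family in vendor labels.
STEALER_KEYWORDS = ("stealer", "psw")


def parse_vt_report(text: str) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return the engine rows (result '' when the engine reported '-') and the metadata block."""
    rows, meta = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = ROW_RE.match(line)
        if m:
            result = m.group("result").strip()
            rows.append({"engine": m.group("engine"), "version": m.group("version"),
                         "updated": m.group("updated"),
                         "result": "" if result == "-" else result})
            continue
        m = META_RE.match(line)
        if m:
            meta.setdefault(m.group("key"), m.group("value"))   # keep the first of repeated keys
    return rows, meta


def family_votes(rows: List[Dict[str, str]], keywords=STEALER_KEYWORDS) -> int:
    """Number of engines whose label contains one of the family keywords."""
    return sum(1 for r in rows if r["result"] and any(k in r["result"].lower() for k in keywords))


def summarize(text: str) -> Dict[str, object]:
    rows, meta = parse_vt_report(text)
    hits = [r for r in rows if r["result"]]
    packed = "upx" in (meta.get("packers", "") + " " + meta.get("PEiD", "")).lower()
    return {
        "engines": len(rows),
        "detections": len(hits),
        "ratio": len(hits) / len(rows) if rows else 0.0,
        "stealer_votes": family_votes(hits),
        "detecting_engines": [r["engine"] for r in hits],
        "md5": meta.get("MD5"),
        "sha1": meta.get("SHA1"),
        "packed": packed,
    }


def verdict(summary: Dict[str, object]) -> str:
    """Triage label; the thresholds are this example's assumptions, not VirusTotal's."""
    if summary["detections"] == 0:
        return "no signature hits (not proof the file is clean)"
    if summary["stealer_votes"] >= 2 or summary["ratio"] >= 0.25:
        return "likely malicious: preserve the file and hashes, treat credentials used on the host as exposed"
    return "inconclusive: low detection count, needs manual review"


if __name__ == "__main__":
    s = summarize(SAMPLE_VT_REPORT)
    print(f"{s['detections']}/{s['engines']} engines, {s['stealer_votes']} name a password stealer, "
          f"packed={s['packed']}, md5={s['md5']}")
    print(verdict(s))
```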

mcguiret
2008-02-25, 03:06
ComboFix 08-02-25.2 - TMcGuire 2008-02-24 20:54:08.1 - NTFSx86

Running from: C:\Documents and Settings\tmcguire\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\tosdvdd.sys
C:\windows\system32\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_TOSDVDD
-------\tosdvdd


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-22 18:20 . 2008-02-22 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 17:34 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-22 17:34 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-22 17:34 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-22 17:34 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-22 17:34 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-22 17:34 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-22 17:34 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-22 15:16 . 2008-02-22 15:16 40,960 --a------ C:\WINDOWS\system32\rfhdfhw.exe
2008-02-22 15:16 . 2008-02-22 15:16 40,960 --a------ C:\WINDOWS\frtghef.exe
2008-02-22 00:31 . 2008-02-22 00:31 125,440 --a------ C:\WINDOWS\system32\msupdtck.exe
2008-02-22 00:31 . 2008-02-22 00:31 6,144 --a------ C:\Documents and Settings\tmcguire\Application Data\msvcrit.dll
2008-02-22 00:30 . 2008-02-22 02:03 13,312 --a------ C:\Documents and Settings\tmcguire\p4ck.exe
2008-02-22 00:30 . 2008-02-24 20:58 6,144 --a------ C:\WINDOWS\system32\msvcrit.dll
2008-02-21 23:50 . 2008-02-21 23:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-21 14:23 . 2008-02-21 14:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 14:16 . 2008-02-22 17:26 165 --a------ C:\WINDOWS\wininit.ini
2008-02-20 17:20 . 2008-02-22 16:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-20 17:19 . 2008-02-20 17:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 08:15 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-15 15:44 . 2008-02-15 15:44 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\PC Tools
2008-02-15 15:05 . 2008-02-14 21:24 610 --a------ C:\WINDOWS\wininit.sd
2008-02-15 15:05 . 2006-10-25 02:51 573 --a------ C:\WINDOWS\win.tmp
2008-02-15 15:05 . 2008-01-16 06:15 231 --a------ C:\WINDOWS\system.tmp
2008-02-15 14:46 . 2008-02-19 08:26 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-15 14:46 . 2008-02-24 20:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-15 14:46 . 2008-02-15 14:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-02-15 14:46 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-02-15 14:46 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-02-15 14:31 . 2008-02-15 14:42 <DIR> d-------- C:\TEMP\smitRem
2008-02-15 14:14 . 2008-02-15 14:14 <DIR> d-------- C:\Program Files\SwiftView
2008-02-15 14:13 . 2008-02-15 14:14 <DIR> d-------- C:\JavaSoft
2008-02-15 14:09 . 2003-02-23 02:05 60,448 --a------ C:\WINDOWS\system32\smsrc.cpl
2008-02-15 14:08 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\WINDOWS
2008-02-15 14:08 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\SapWorkDir
2008-02-15 14:08 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Intel
2008-02-15 14:08 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Citrix
2008-02-15 14:08 . 2003-02-23 02:05 38,944 --a------ C:\WINDOWS\system32\SMSCPL32.cpl
2008-02-15 14:07 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\WINDOWS
2008-02-15 14:07 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\SapWorkDir
2008-02-15 14:07 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Intel
2008-02-15 14:07 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Citrix
2008-02-15 14:07 . 2003-02-23 02:05 16,560 --a------ C:\WINDOWS\ISMIF16.dll
2008-02-15 14:07 . 2003-02-23 02:05 12,128 --a------ C:\WINDOWS\ISMIF32.dll
2008-02-15 14:05 . 2003-02-23 02:05 65,584 --a------ C:\WINDOWS\system32\SMSCfg.cpl
2008-02-15 13:58 . 2008-02-15 14:08 <DIR> d-------- C:\VNCTEMP
2008-02-14 10:00 . 2004-11-18 16:12 1,129,472 --a------ C:\WINDOWS\system32\msxml3.tmp
2008-02-14 10:00 . 2004-11-18 16:12 44,032 --a------ C:\WINDOWS\system32\msxml3r.tmp
2008-02-14 10:00 . 2004-11-18 16:12 24,576 --a------ C:\WINDOWS\system32\msxml3a.tmp
2008-02-14 09:02 . 2008-02-14 09:02 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\Stamps.com Internet Postage
2008-02-14 09:00 . 2008-02-14 09:02 36 --ah----- C:\WINDOWS\system32\f9t.dat
2008-02-08 15:25 . 2008-02-08 15:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 16:37 . 2008-02-22 17:34 3,898 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-07 15:29 . 2008-02-08 14:58 40,960 --a------ C:\WINDOWS\system32\hjjtgyg.exe
2008-02-07 15:29 . 2008-02-08 14:58 40,960 --a------ C:\WINDOWS\jfgurhjgfy.exe
2008-02-07 15:29 . 2008-02-22 15:15 20,480 --a------ C:\WINDOWS\quit.exe
2008-02-07 09:32 . 2008-02-20 17:20 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\SUPERAntiSpyware.com
2008-02-07 09:32 . 2008-02-07 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 12:36 . 2008-02-21 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\rp4
2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\ps5
2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\cz6
2008-02-06 10:58 . 2008-02-06 11:07 <DIR> d-------- C:\WINDOWS\system32\bm1
2008-02-06 10:52 . 2008-02-06 10:52 <DIR> d-------- C:\WINDOWS\Sun
2008-01-28 10:18 . 2008-01-28 10:18 7,303 --a------ C:\WINDOWS\saplogonold.ini
2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Program Files\Common Files\ArchestrA
2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArchestrA
2008-01-25 09:28 . 2008-02-14 10:00 <DIR> d-------- C:\WINDOWS\system32\VPCache
2008-01-25 09:28 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\svcSMS\WINDOWS
2008-01-25 09:28 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\svcSMS\SapWorkDir
2008-01-25 09:28 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\svcSMS\Application Data\Intel
2008-01-25 09:28 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\svcSMS\Application Data\Citrix
2008-01-25 09:27 . 2003-02-23 02:05 10,176 --a------ C:\WINDOWS\system32\idisw2km.dll
2008-01-25 09:27 . 2003-02-23 02:05 7,744 --a------ C:\WINDOWS\system32\drivers\kbstuff5.sys
2008-01-25 09:27 . 2003-02-23 02:05 2,704 --a------ C:\WINDOWS\system32\drivers\idisw2km.sys
2008-01-25 09:25 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\WINDOWS
2008-01-25 09:25 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\SapWorkDir
2008-01-25 09:25 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\Application Data\Intel
2008-01-25 09:25 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\Application Data\Citrix
2008-01-25 09:24 . 2008-01-25 09:24 <DIR> d-------- C:\WINDOWS\system32\smsmsgs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 00:19 --------- d-----w C:\Program Files\Trend Micro
2008-02-23 00:18 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\U3
2008-01-31 22:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-17 16:52 --------- d-----w C:\Program Files\eFax Messenger 4.3
2008-01-17 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2008-01-17 16:51 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\eFax Messenger
2008-01-17 14:20 --------- d-----w C:\Program Files\Srs
2008-01-17 14:20 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-17 14:20 --------- d-----w C:\Program Files\Borland
2008-01-17 14:19 --------- d-----w C:\Program Files\JavaSoft
2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\SAP Shared
2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\ESRI
2008-01-17 13:12 --------- d-----w C:\Program Files\SAP
2008-01-16 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2008-01-16 22:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\eFax Messenger
2008-01-16 22:16 --------- d-----w C:\Program Files\TechSmith
2008-01-16 21:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 21:44 --------- d-----w C:\Program Files\Wave Systems Corp
2006-12-29 20:15 626,688 ----a-w C:\Program Files\Common Files\sapconsaccess.dll
2006-12-29 20:15 40,960 ----a-w C:\Program Files\Common Files\DigitalSignature.ocx
2006-12-29 20:15 3,100,672 ----a-w C:\Program Files\Common Files\sapxlhelper.dll
2006-12-29 20:15 192,512 ----a-w C:\Program Files\Common Files\sapconsr3.dll
2006-12-07 15:26 1,129,984 ----a-w C:\Program Files\Common Files\SAPActiveXL.xlt
2006-12-07 15:26 1,124,864 ----a-w C:\Program Files\Common Files\SAPActiveXL_nosig.xlt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"internat"="internat.exe" []
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"mssdbsrv"="C:\WINDOWS\system32\msupdtck.exe" [2008-02-22 00:31 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"o2klang"="c:\windows\langver.exe" [2003-01-28 11:38 163435]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 07:00 143360]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 03:08 1347584]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 02:04 53248]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 13:33 155648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 08:58 1032192]
"Trend OfficeScan ImageSetup"="C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" [ ]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 19:55 335872]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 11:30 282624 C:\WINDOWS\stsystra.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 17:38 28160 C:\WINDOWS\KHALMNPR.Exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SMS Application Launcher"="C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE" [2003-02-23 02:05 73584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2008-01-31 17:08:49 25214]
Cisco Systems VPN Client.lnk - C:\Program Files\cisco systems\vpn client\vpngui.exe [2006-10-25 12:27:25 1445904]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2004-10-12 20:33:08 213264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=c:\winnt\system32\setadmin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\0\0]
"Script"=folder_redirect.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\1\0]
"Script"=us.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 20:58:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Citrix\ICA Client\pnsson.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\msvcrit.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\program files\cisco systems\vpn client\cvpnd.exe
C:\Program Files\Remote Services\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\TEMP\BKE51F.EXE
C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Distillr\AcroDist.exe
C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
.
**************************************************************************
.
Completion time: 2008-02-24 21:01:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 02:00:55

mcguiret
2008-02-25, 03:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04, on 2008-02-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\program files\cisco systems\vpn client\cvpnd.exe
C:\Program Files\Remote Services\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\TEMP\BKE51F.EXE
C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\msupdtck.exe
C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\frtghef.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.timet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://denprx1.timet.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.timet.com;10.*.*.*;192.168.*.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [o2klang] c:\windows\langver.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" "/0015c51fa28d" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [internat] internat.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [mssdbsrv] C:\WINDOWS\system32\msupdtck.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\RunOnce: [RunOnce] c:\windows\oem\runonce.bat (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-725345543-44281\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\cisco systems\vpn client\vpngui.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://den2khri1:100/codebase/svinstall_a_stat.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1) - http://den2khri1:100/codebase/j2re-1_3_1-win.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.timet.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.timet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.timet.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.timet.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe
O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe
O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\program files\cisco systems\vpn client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10250 bytes

mcguiret
2008-02-25, 03:08
Access Manager
ActiveFactory Shared Components
Adobe Acrobat 7.0 Standard
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
ADP Enterprise Tools
ALPS Touch Pad Driver
Autolink
Conexant HDA D110 MDC V.92 Modem
Dell ResourceCD
Dell Wireless WLAN Card
eFax Messenger 4.3
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Java 2 Runtime Environment, SE v1.4.2_06
JavaSoft
Kaspersky Online Scanner
MetaFrame Presentation Server Client
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office 2000 SR-1 MultiLanguage Pack Disc 1
Microsoft Office 2000 SR-1 Standard
Microsoft Office Outlook 2003
Microsoft redistributable runtime DLLs VS2005 SP1(x86)
Microsoft redistributable runtime DLLs VS2005(x86)
OZ776 SCR CardBus Windows Driver
PowerDVD 5.1
QuickSet
Rapid Pay Data Entry
Reportsmith 3.10
SAP GUI 7.10
SigmaTel Audio
SnagIt 5
Spybot - Search & Destroy
Spyware Doctor 4.0
SUPERAntiSpyware Free Edition
Trend Micro OfficeScan Client
VPN Client
Windows Installer 3.1 (KB893803)

katana
2008-02-25, 11:35
I'm afraid I have unpleasant news for you. You have evidence of a Very Dangerous infection on this machine.
It is a Password Stealer

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.

I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection :(




Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window
C:\WINDOWS\system32\msvcrit.dll
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
c:\winnt\system32\setadmin.exe

If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)

SD Fix

Please download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



FileLook::
c:\winnt\system32\setadmin.exe
DirLook::
C:\WINDOWS\system32\rp4
C:\WINDOWS\system32\ps5
C:\WINDOWS\system32\cz6
C:\WINDOWS\system32\bm1

File::
C:\WINDOWS\system32\rfhdfhw.exe
C:\WINDOWS\frtghef.exe
C:\WINDOWS\system32\msupdtck.exe
C:\Documents and Settings\tmcguire\p4ck.exe
C:\WINDOWS\system32\hjjtgyg.exe
C:\WINDOWS\jfgurhjgfy.exe
C:\WINDOWS\quit.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat"=-
"mssdbsrv"=-

Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


Please post all the logs in reply
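
As an added illustration (not a tool used by either participant in this thread), here is a small Python triage script that reads log lines in the same HijackThis O4 / ComboFix "DLLs Loaded Under Running Processes" format as the logs posted above. The sample lines are constructed from entries in those logs; the allowlist and the random-name thresholds are assumptions that a responder would tune against a known-clean baseline. It surfaces the same kinds of entries the CFScript above targets: an autostart value with an unqualified image path, random-looking file names, and a lookalike of a system DLL (msvcrit.dll beside the real msvcrt.dll) loaded into explorer.exe, plus a third-party module inside lsass.exe.

```python
"""Triage autostart entries and loaded DLLs from HijackThis / ComboFix style logs.

Added example for this thread, not a tool the helpers used. Allowlist and
thresholds are assumptions; sample input is constructed from the posted logs.
"""
import re

# Constructed sample in the format of the O4 lines and the ComboFix DLL block above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [internat] internat.exe
O4 - HKCU\..\Run: [mssdbsrv] C:\WINDOWS\system32\msupdtck.exe
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Citrix\ICA Client\pnsson.dll
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\msvcrit.dll
"""

# Assumed allowlist of file names known good on this build; in practice compare
# hashes against a clean baseline rather than trusting names.
KNOWN_GOOD = {"ctfmon.exe", "wltray.exe", "launch32.exe", "msvcrt.dll",
              "explorer.exe", "lsass.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROC_RE = re.compile(r"^PROCESS: (?P<path>.+?)(?: \[[^\]]*\])?$")
DLL_RE = re.compile(r"^-> (?P<path>.+)$")


def parse_entries(text):
    """Yield Run values and (host process, DLL) pairs found in the log text."""
    entries, host = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append({"kind": "run", "hive": m["hive"], "name": m["name"], "cmd": m["cmd"]})
        elif m := PROC_RE.match(line):
            host = m["path"]
        elif (m := DLL_RE.match(line)) and host:
            entries.append({"kind": "dll", "host": host, "path": m["path"]})
    return entries


def image_path(cmd):
    """Extract the executable from a Run value (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    acc = []
    for token in cmd.split():
        acc.append(token)
        if re.search(r"\.(exe|com|bat|cmd|scr|pif)$", token, re.I):
            break
    return " ".join(acc)


def looks_random(stem, min_len=5):
    """Heuristic: very few vowels or a long consonant run (thresholds assumed)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in "aeiou" else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < 0.15 or longest >= 5


def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename, known):
    """Return the allowlisted name one edit away from filename, if any."""
    name = filename.lower()
    if name in known:
        return None
    return next((k for k in sorted(known) if _edit_distance(name, k) == 1), None)


def triage(text, known=KNOWN_GOOD):
    """Map each suspicious image path to the list of reasons it was flagged."""
    findings = {}
    add = lambda path, why: findings.setdefault(path, []).append(why)
    for e in parse_entries(text):
        if e["kind"] == "run":
            path = image_path(e["cmd"])
            if "\\" not in path:  # bare name: resolved through the search order
                add(path, "unqualified image path (resolved via search order)")
        else:
            path = e["path"]
            host = e["host"].rsplit("\\", 1)[-1].lower()
            if host == "lsass.exe" and not path.lower().startswith(r"c:\windows\system32"):
                add(path, "non-system module loaded in lsass.exe")
        fname = path.rsplit("\\", 1)[-1]
        if fname.lower() in known:
            continue
        if looks_random(fname.rsplit(".", 1)[0]):
            add(path, "random-looking file name")
        if (hit := lookalike(fname, known)):
            add(path, f"lookalike of {hit}")
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

The name heuristics are deliberately noisy (several legitimate Dell and Microsoft binaries have few vowels), which is why the allowlist check runs first; for anything the script flags, the decisive evidence is still a hash and a multi-engine verdict, as with the VirusTotal submissions requested above.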

mcguiret
2008-02-25, 18:09
File msvcrit.dll received on 02.25.2008 15:09:07 (CET)

Result: 5/32 (15.63%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.25 -
Authentium 4.93.8 2008.02.24 -
Avast 4.7.1098.0 2008.02.24 -
AVG 7.5.0.516 2008.02.25 -
BitDefender 7.2 2008.02.25 Trojan.PWS.Agent.RZO@m
CAT-QuickHeal 9.50 2008.02.22 -
ClamAV 0.92.1 2008.02.25 -
DrWeb 4.44.0.09170 2008.02.25 -
eSafe 7.0.15.0 2008.02.21 -
eTrust-Vet 31.3.5562 2008.02.25 -
Ewido 4.0 2008.02.25 -
FileAdvisor 1 2008.02.25 -
Fortinet 3.14.0.0 2008.02.25 -
F-Prot 4.4.2.54 2008.02.24 -
F-Secure 6.70.13260.0 2008.02.25 -
Ikarus T3.1.1.20 2008.02.25 -
Kaspersky 7.0.0.125 2008.02.25 -
McAfee 5236 2008.02.22 -
Microsoft 1.3204 2008.02.25 -
NOD32v2 2899 2008.02.25 -
Norman 5.80.02 2008.02.25 -
Panda 9.0.0.4 2008.02.25 Suspicious file
Prevx1 V2 2008.02.25 Generic.Malware
Rising 20.33.02.00 2008.02.25 -
Sophos 4.26.0 2008.02.25 -
Sunbelt 3.0.893.0 2008.02.23 Trojan-PWS.Agent.RZO@m
Symantec 10 2008.02.25 Hacktool.Rootkit
TheHacker 6.2.9.228 2008.02.23 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.24 -
Webwasher-Gateway 6.6.2 2008.02.25 -
Additional information
File size: 6144 bytes
MD5: d189eb6ea54de20e620c2b91b191dcd2
SHA1: 0dd05848a270caec09270b1b037723898e92c520
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=AD01B26D004AB95C18FF00EC73DE33004F4D99A2

File SETADMIN.EXE received on 02.25.2008 15:33:35 (CET)

Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.25 -
Authentium 4.93.8 2008.02.24 -
Avast 4.7.1098.0 2008.02.24 -
AVG 7.5.0.516 2008.02.25 -
BitDefender 7.2 2008.02.25 -
CAT-QuickHeal 9.50 2008.02.22 -
ClamAV 0.92.1 2008.02.25 -
DrWeb 4.44.0.09170 2008.02.25 -
eSafe 7.0.15.0 2008.02.21 -
eTrust-Vet 31.3.5562 2008.02.25 -
Ewido 4.0 2008.02.25 -
FileAdvisor 1 2008.02.25 -
Fortinet 3.14.0.0 2008.02.25 -
F-Prot 4.4.2.54 2008.02.24 -
F-Secure 6.70.13260.0 2008.02.25 -
Ikarus T3.1.1.20 2008.02.25 -
Kaspersky 7.0.0.125 2008.02.25 -
McAfee 5236 2008.02.22 -
Microsoft 1.3204 2008.02.25 -
NOD32v2 2899 2008.02.25 -
Norman 5.80.02 2008.02.25 -
Panda 9.0.0.4 2008.02.25 -
Prevx1 V2 2008.02.25 -
Rising 20.33.02.00 2008.02.25 -
Sophos 4.26.0 2008.02.25 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.25 -
TheHacker 6.2.9.228 2008.02.23 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.24 -
Webwasher-Gateway 6.6.2 2008.02.25 -
Additional information
File size: 28672 bytes
MD5: 32fddbfb5d653a4085a952d2e28a4d47
SHA1: d4e20bb5ee39e252e03ce4c65eb9e3ae1d085bd9
PEiD: -

mcguiret
2008-02-25, 23:11
SDFix: Version 1.146

Run by tmcguire on 02/25/2008 at 05:03 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

<<END OF SDFix Report.txt>> that's all that was in the report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:38 PM, on 02/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\program files\cisco systems\vpn client\cvpnd.exe
C:\Program Files\Remote Services\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\TEMP\ZK4403.EXE
C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\WINDOWS\system32\msupdtck.exe
C:\Program Files\Adobe\Distillr\AcroDist.exe
C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.timet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TIMET usnpx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://denprx1.timet.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.timet.com;10.*.*.*;192.168.*.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [o2klang] c:\windows\langver.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" "/0015c51fa28d" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [internat] internat.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [mssdbsrv] C:\WINDOWS\system32\msupdtck.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\RunOnce: [RunOnce] c:\windows\oem\runonce.bat (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-725345543-44281\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\cisco systems\vpn client\vpngui.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://den2khri1:100/codebase/svinstall_a_stat.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1) - http://den2khri1:100/codebase/j2re-1_3_1-win.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.timet.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.timet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.timet.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.timet.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe
O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe
O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\program files\cisco systems\vpn client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10663 bytes

mcguiret
2008-02-25, 23:21
ComboFix 08-02-25.2 - tmcguire 2008-02-25 17:15:01.2 - NTFSx86

Running from: C:\Documents and Settings\tmcguire\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tmcguire\Desktop\CFScript.txt

FILE ::
C:\Documents and Settings\tmcguire\p4ck.exe
C:\WINDOWS\frtghef.exe
C:\WINDOWS\jfgurhjgfy.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\hjjtgyg.exe
C:\WINDOWS\system32\msupdtck.exe
C:\WINDOWS\system32\rfhdfhw.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\tmcguire\p4ck.exe
C:\WINDOWS\frtghef.exe
C:\WINDOWS\jfgurhjgfy.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\hjjtgyg.exe
C:\WINDOWS\system32\msupdtck.exe
C:\WINDOWS\system32\rfhdfhw.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 17:01 . 2008-02-25 17:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-25 13:35 . 2008-02-25 13:35 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-02-25 12:10 . 2008-02-25 17:04 <DIR> d-------- C:\SDFix
2008-02-22 18:20 . 2008-02-22 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 17:34 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-22 17:34 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-22 17:34 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-22 17:34 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-22 17:34 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-22 17:34 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-22 17:34 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-22 00:31 . 2008-02-22 00:31 6,144 --a------ C:\Documents and Settings\tmcguire\Application Data\msvcrit.dll
2008-02-22 00:30 . 2008-02-25 17:06 6,144 --a------ C:\WINDOWS\system32\msvcrit.dll
2008-02-21 23:50 . 2008-02-21 23:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-21 14:23 . 2008-02-21 14:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 14:16 . 2008-02-22 17:26 165 --a------ C:\WINDOWS\wininit.ini
2008-02-20 17:20 . 2008-02-22 16:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-20 17:19 . 2008-02-20 17:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 08:15 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-15 15:44 . 2008-02-15 15:44 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\PC Tools
2008-02-15 15:05 . 2008-02-14 21:24 610 --a------ C:\WINDOWS\wininit.sd
2008-02-15 15:05 . 2006-10-25 02:51 573 --a------ C:\WINDOWS\win.tmp
2008-02-15 15:05 . 2008-02-24 20:58 227 --a------ C:\WINDOWS\system.tmp
2008-02-15 14:46 . 2008-02-19 08:26 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-15 14:46 . 2008-02-25 17:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-15 14:46 . 2008-02-15 14:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-02-15 14:46 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-02-15 14:46 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-02-15 14:31 . 2008-02-15 14:42 <DIR> d-------- C:\TEMP\smitRem
2008-02-15 14:14 . 2008-02-15 14:14 <DIR> d-------- C:\Program Files\SwiftView
2008-02-15 14:13 . 2008-02-15 14:14 <DIR> d-------- C:\JavaSoft
2008-02-15 14:09 . 2003-02-23 02:05 60,448 --a------ C:\WINDOWS\system32\smsrc.cpl
2008-02-15 14:08 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\WINDOWS
2008-02-15 14:08 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\SapWorkDir
2008-02-15 14:08 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Intel
2008-02-15 14:08 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Citrix
2008-02-15 14:08 . 2003-02-23 02:05 38,944 --a------ C:\WINDOWS\system32\SMSCPL32.cpl
2008-02-15 14:07 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\WINDOWS
2008-02-15 14:07 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\SapWorkDir
2008-02-15 14:07 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Intel
2008-02-15 14:07 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Citrix
2008-02-15 14:07 . 2003-02-23 02:05 16,560 --a------ C:\WINDOWS\ISMIF16.dll
2008-02-15 14:07 . 2003-02-23 02:05 12,128 --a------ C:\WINDOWS\ISMIF32.dll
2008-02-15 14:05 . 2003-02-23 02:05 65,584 --a------ C:\WINDOWS\system32\SMSCfg.cpl
2008-02-15 13:58 . 2008-02-15 14:08 <DIR> d-------- C:\VNCTEMP
2008-02-14 10:00 . 2004-11-18 16:12 1,129,472 --a------ C:\WINDOWS\system32\msxml3.tmp
2008-02-14 10:00 . 2004-11-18 16:12 44,032 --a------ C:\WINDOWS\system32\msxml3r.tmp
2008-02-14 10:00 . 2004-11-18 16:12 24,576 --a------ C:\WINDOWS\system32\msxml3a.tmp
2008-02-14 09:02 . 2008-02-14 09:02 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\Stamps.com Internet Postage
2008-02-14 09:00 . 2008-02-14 09:02 36 --ah----- C:\WINDOWS\system32\f9t.dat
2008-02-08 15:25 . 2008-02-08 15:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 16:37 . 2008-02-22 17:34 3,898 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-07 09:32 . 2008-02-20 17:20 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\SUPERAntiSpyware.com
2008-02-07 09:32 . 2008-02-07 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 12:36 . 2008-02-21 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\rp4
2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\ps5
2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\cz6
2008-02-06 10:58 . 2008-02-06 11:07 <DIR> d-------- C:\WINDOWS\system32\bm1
2008-02-06 10:52 . 2008-02-06 10:52 <DIR> d-------- C:\WINDOWS\Sun
2008-01-28 10:18 . 2008-01-28 10:18 7,303 --a------ C:\WINDOWS\saplogonold.ini
2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Program Files\Common Files\ArchestrA
2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArchestrA
2008-01-25 09:28 . 2008-02-14 10:00 <DIR> d-------- C:\WINDOWS\system32\VPCache
2008-01-25 09:28 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\svcSMS\WINDOWS
2008-01-25 09:28 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\svcSMS\SapWorkDir
2008-01-25 09:28 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\svcSMS\Application Data\Intel
2008-01-25 09:28 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\svcSMS\Application Data\Citrix
2008-01-25 09:27 . 2003-02-23 02:05 10,176 --a------ C:\WINDOWS\system32\idisw2km.dll
2008-01-25 09:27 . 2003-02-23 02:05 7,744 --a------ C:\WINDOWS\system32\drivers\kbstuff5.sys
2008-01-25 09:27 . 2003-02-23 02:05 2,704 --a------ C:\WINDOWS\system32\drivers\idisw2km.sys
2008-01-25 09:25 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\WINDOWS
2008-01-25 09:25 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\SapWorkDir
2008-01-25 09:25 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\Application Data\Intel
2008-01-25 09:25 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\Application Data\Citrix
2008-01-25 09:24 . 2008-01-25 09:24 <DIR> d-------- C:\WINDOWS\system32\smsmsgs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 18:36 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\U3
2008-02-23 00:19 --------- d-----w C:\Program Files\Trend Micro
2008-01-31 22:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-17 16:52 --------- d-----w C:\Program Files\eFax Messenger 4.3
2008-01-17 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2008-01-17 16:51 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\eFax Messenger
2008-01-17 14:20 --------- d-----w C:\Program Files\Srs
2008-01-17 14:20 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-17 14:20 --------- d-----w C:\Program Files\Borland
2008-01-17 14:19 --------- d-----w C:\Program Files\JavaSoft
2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\SAP Shared
2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\ESRI
2008-01-17 13:12 --------- d-----w C:\Program Files\SAP
2008-01-16 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2008-01-16 22:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\eFax Messenger
2008-01-16 22:16 --------- d-----w C:\Program Files\TechSmith
2008-01-16 21:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 21:44 --------- d-----w C:\Program Files\Wave Systems Corp
2006-12-29 20:15 626,688 ----a-w C:\Program Files\Common Files\sapconsaccess.dll
2006-12-29 20:15 40,960 ----a-w C:\Program Files\Common Files\DigitalSignature.ocx
2006-12-29 20:15 3,100,672 ----a-w C:\Program Files\Common Files\sapxlhelper.dll
2006-12-29 20:15 192,512 ----a-w C:\Program Files\Common Files\sapconsr3.dll
2006-12-07 15:26 1,129,984 ----a-w C:\Program Files\Common Files\SAPActiveXL.xlt
2006-12-07 15:26 1,124,864 ----a-w C:\Program Files\Common Files\SAPActiveXL_nosig.xlt
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

- Invalid filepath

---- Directory of C:\WINDOWS\system32\bm1 ----


---- Directory of C:\WINDOWS\system32\cz6 ----


---- Directory of C:\WINDOWS\system32\ps5 ----

2008-01-05 16:48 126976 --a------ C:\WINDOWS\system32\ps5\advcomms3.exe

---- Directory of C:\WINDOWS\system32\rp4 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"internat"="internat.exe" []
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"mssdbsrv"="C:\WINDOWS\system32\msupdtck.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"o2klang"="c:\windows\langver.exe" [2003-01-28 11:38 163435]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 07:00 143360]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 03:08 1347584]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 02:04 53248]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 13:33 155648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 08:58 1032192]
"Trend OfficeScan ImageSetup"="C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" [ ]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 19:55 335872]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 11:30 282624 C:\WINDOWS\stsystra.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 17:38 28160 C:\WINDOWS\KHALMNPR.Exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SMS Application Launcher"="C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE" [2003-02-23 02:05 73584]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2008-01-31 17:08:49 25214]
Cisco Systems VPN Client.lnk - C:\Program Files\cisco systems\vpn client\vpngui.exe [2006-10-25 12:27:25 1445904]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2004-10-12 20:33:08 213264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=c:\winnt\system32\setadmin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\0\0]
"Script"=folder_redirect.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\1\0]
"Script"=us.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 17:18:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Citrix\ICA Client\pnsson.dll
.
Completion time: 2008-02-25 17:19:53
ComboFix-quarantined-files.txt 2008-02-25 22:19:48

mcguiret
2008-02-26, 15:09
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-26 09:05
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/02/2008
Kaspersky Anti-Virus database records: 581221
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\


Scan Statistics:
Total number of scanned objects: 48868
Number of viruses found: 8
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 01:15:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\tmcguire\~Running.ping Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip ZIP: infected - 1 skipped
C:\Documents and Settings\tmcguire\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tmcguire\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\tmcguire\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Remote Services\WENGINE\dbgtrace.log Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080225.log Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\tmcguire\p4ck.exe.vir Infected: Trojan.Win32.Agent.fxi skipped
C:\QooBox\Quarantine\catchme2008-02-24_205814.92.zip/tosdvdd.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-02-24_205814.92.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000069.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000279.exe Infected: Trojan.Win32.Agent.fxi skipped
C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP2\change.log Object is locked skipped
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip ZIP: infected - 1 skipped
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip ZIP: infected - 1 skipped
C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp/mobjchku.exe Infected: not-a-virus:AdWare.Win32.BHO.xv skipped
C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp ZIP: infected - 1 skipped
C:\TEMP\oldprofile\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\6LAT0HKZ\wavvsnet[1].exe Infected: Trojan-Downloader.Win32.Small.hcu skipped
C:\VNCTEMP\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_b30.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

katana
2008-02-26, 18:57
Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:




File::
C:\WINDOWS\system32\msvcrit.dll
C:\WINDOWS\wininit.ini
C:\Documents and Settings\tmcguire\Application Data\msvcrit.dll
C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip
C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp
C:\TEMP\oldprofile\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\6LAT0HKZ\wavvsnet[1].exe

Folder::
C:\WINDOWS\system32\bm1
C:\WINDOWS\system32\cz6
C:\WINDOWS\system32\ps5
C:\WINDOWS\system32\ps5
C:\WINDOWS\system32\rp4
Driver::
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat"=-
"mssdbsrv"=-


Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

mcguiret
2008-02-27, 16:23
ComboFix 08-02-25.2 - tmcguire 2008-02-27 9:31:24.3 - NTFSx86

Running from: C:\Documents and Settings\tmcguire\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tmcguire\Desktop\CFScript.txt

FILE ::
C:\Documents and Settings\tmcguire\Application Data\msvcrit.dll
C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip
C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp
C:\TEMP\oldprofile\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\6LAT0HKZ\wavvsnet[1].exe
C:\WINDOWS\system32\msvcrit.dll
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\tmcguire\Application Data\msvcrit.dll
C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip
C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip
C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp
C:\TEMP\oldprofile\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\6LAT0HKZ\wavvsnet[1].exe
C:\WINDOWS\system32\bm1
C:\WINDOWS\system32\cz6
C:\WINDOWS\system32\msvcrit.dll
C:\WINDOWS\system32\ps5
C:\WINDOWS\system32\ps5\advcomms3.exe
C:\WINDOWS\system32\rp4
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-26 13:10 . 2008-02-26 13:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-25 23:03 . 2008-02-26 14:20 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-25 17:01 . 2008-02-25 17:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-25 13:35 . 2008-02-25 13:35 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-02-25 12:10 . 2008-02-25 17:04 <DIR> d-------- C:\SDFix
2008-02-22 18:20 . 2008-02-22 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 17:34 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-22 17:34 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-22 17:34 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-22 17:34 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-22 17:34 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-22 17:34 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-22 17:34 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-21 23:50 . 2008-02-21 23:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-21 14:23 . 2008-02-21 14:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-20 17:20 . 2008-02-22 16:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-20 17:19 . 2008-02-20 17:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 08:15 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-15 15:44 . 2008-02-15 15:44 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\PC Tools
2008-02-15 15:05 . 2008-02-14 21:24 610 --a------ C:\WINDOWS\wininit.sd
2008-02-15 15:05 . 2006-10-25 02:51 573 --a------ C:\WINDOWS\win.tmp
2008-02-15 15:05 . 2008-02-25 17:18 227 --a------ C:\WINDOWS\system.tmp
2008-02-15 14:46 . 2008-02-19 08:26 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-15 14:46 . 2008-02-27 08:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-15 14:46 . 2008-02-15 14:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-02-15 14:46 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-02-15 14:46 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-02-15 14:31 . 2008-02-15 14:42 <DIR> d-------- C:\TEMP\smitRem
2008-02-15 14:14 . 2008-02-15 14:14 <DIR> d-------- C:\Program Files\SwiftView
2008-02-15 14:13 . 2008-02-15 14:14 <DIR> d-------- C:\JavaSoft
2008-02-15 14:09 . 2003-02-23 02:05 60,448 --a------ C:\WINDOWS\system32\smsrc.cpl
2008-02-15 14:08 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\WINDOWS
2008-02-15 14:08 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\SapWorkDir
2008-02-15 14:08 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Intel
2008-02-15 14:08 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Citrix
2008-02-15 14:08 . 2003-02-23 02:05 38,944 --a------ C:\WINDOWS\system32\SMSCPL32.cpl
2008-02-15 14:07 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\WINDOWS
2008-02-15 14:07 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\SapWorkDir
2008-02-15 14:07 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Intel
2008-02-15 14:07 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Citrix
2008-02-15 14:07 . 2003-02-23 02:05 16,560 --a------ C:\WINDOWS\ISMIF16.dll
2008-02-15 14:07 . 2003-02-23 02:05 12,128 --a------ C:\WINDOWS\ISMIF32.dll
2008-02-15 14:05 . 2003-02-23 02:05 65,584 --a------ C:\WINDOWS\system32\SMSCfg.cpl
2008-02-15 13:58 . 2008-02-15 14:08 <DIR> d-------- C:\VNCTEMP
2008-02-14 10:00 . 2004-11-18 16:12 1,129,472 --a------ C:\WINDOWS\system32\msxml3.tmp
2008-02-14 10:00 . 2004-11-18 16:12 44,032 --a------ C:\WINDOWS\system32\msxml3r.tmp
2008-02-14 10:00 . 2004-11-18 16:12 24,576 --a------ C:\WINDOWS\system32\msxml3a.tmp
2008-02-14 09:02 . 2008-02-14 09:02 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\Stamps.com Internet Postage
2008-02-14 09:00 . 2008-02-14 09:02 36 --ah----- C:\WINDOWS\system32\f9t.dat
2008-02-08 15:25 . 2008-02-08 15:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 16:37 . 2008-02-22 17:34 3,898 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-07 09:32 . 2008-02-20 17:20 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\SUPERAntiSpyware.com
2008-02-07 09:32 . 2008-02-07 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 12:36 . 2008-02-21 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 10:52 . 2008-02-06 10:52 <DIR> d-------- C:\WINDOWS\Sun
2008-01-28 10:18 . 2008-01-28 10:18 7,303 --a------ C:\WINDOWS\saplogonold.ini
2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Program Files\Common Files\ArchestrA
2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArchestrA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 18:12 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\U3
2008-02-23 00:19 --------- d-----w C:\Program Files\Trend Micro
2008-01-31 22:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-17 16:52 --------- d-----w C:\Program Files\eFax Messenger 4.3
2008-01-17 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2008-01-17 16:51 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\eFax Messenger
2008-01-17 14:20 --------- d-----w C:\Program Files\Srs
2008-01-17 14:20 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-17 14:20 --------- d-----w C:\Program Files\Borland
2008-01-17 14:19 --------- d-----w C:\Program Files\JavaSoft
2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\SAP Shared
2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\ESRI
2008-01-17 13:12 --------- d-----w C:\Program Files\SAP
2008-01-16 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2008-01-16 22:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\eFax Messenger
2008-01-16 22:16 --------- d-----w C:\Program Files\TechSmith
2008-01-16 21:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 21:44 --------- d-----w C:\Program Files\Wave Systems Corp
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-12-29 20:15 626,688 ----a-w C:\Program Files\Common Files\sapconsaccess.dll
2006-12-29 20:15 40,960 ----a-w C:\Program Files\Common Files\DigitalSignature.ocx
2006-12-29 20:15 3,100,672 ----a-w C:\Program Files\Common Files\sapxlhelper.dll
2006-12-29 20:15 192,512 ----a-w C:\Program Files\Common Files\sapconsr3.dll
2006-12-07 15:26 1,129,984 ----a-w C:\Program Files\Common Files\SAPActiveXL.xlt
2006-12-07 15:26 1,124,864 ----a-w C:\Program Files\Common Files\SAPActiveXL_nosig.xlt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"o2klang"="c:\windows\langver.exe" [2003-01-28 11:38 163435]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 07:00 143360]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 03:08 1347584]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 02:04 53248]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 13:33 155648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 08:58 1032192]
"Trend OfficeScan ImageSetup"="C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" [ ]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 19:55 335872]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 11:30 282624 C:\WINDOWS\stsystra.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 17:38 28160 C:\WINDOWS\KHALMNPR.Exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SMS Application Launcher"="C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE" [2003-02-23 02:05 73584]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2008-01-31 17:08:49 25214]
Cisco Systems VPN Client.lnk - C:\Program Files\cisco systems\vpn client\vpngui.exe [2006-10-25 12:27:25 1445904]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2004-10-12 20:33:08 213264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=c:\winnt\system32\setadmin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\0\0]
"Script"=folder_redirect.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\1\0]
"Script"=us.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 09:33:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Citrix\ICA Client\pnsson.dll
.
Completion time: 2008-02-27 9:34:25
ComboFix-quarantined-files.txt 2008-02-27 14:34:22
ComboFix2.txt 2008-02-25 22:19:55
.
2008-02-26 23:46:53 --- E O F ---

mcguiret
2008-02-27, 16:24
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-02-27 10:22:16
PROTECTIONS: 1
MALWARE: 13
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Trend Officescan Corporate Edition 7.0 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\TEMP\smitRem\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000068.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\tmcguire\Desktop\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\Cookies\tmcguire@com[1].txt
00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\Cookies\tmcguire@tickle[1].txt
00168108 Cookie/Tickle TrackingCookie No 0 Yes No C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\Cookies\tmcguire@web.tickle[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\tmcguire\Cookies\tmcguire@searchportal.information[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\tmcguire\Cookies\tmcguire@target[2].txt
00517584 Application/SuperFast HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000070.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000034.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000054.EXE
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000037.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\tmcguire\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\tmcguire\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000021.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP4\A0001237.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP4\A0001208.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000259.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000273.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000305.com
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000069.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000047.sys
02887379 Trj/Agent.HLS Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\C\TEMP\oldprofile\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\6LAT0HKZ\wavvsnet[1].exe.vir
02903181 Trj/Agent.IDR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\Documents and Settings\tmcguire\Application Data\msvcrit.dll.vir
02903181 Trj/Agent.IDR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP4\A0001216.dll
02903181 Trj/Agent.IDR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\msvcrit.dll.vir
02903181 Trj/Agent.IDR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000055.dll
02903181 Trj/Agent.IDR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP4\A0001215.dll
02903181 Trj/Agent.IDR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000232.dll
02903181 Trj/Agent.IDR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A99B2E5C-29C8-4BA9-A09B-2D03C5AF17F3}\RP1\A0000100.dll
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================

katana
2008-02-27, 17:02
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u4
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 4 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Java 2 Runtime Environment, SE v1.4.2_06
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.


Congratulations, your logs look clean.

Let's see if I can help you keep it that way.

First let's tidy up.

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free (for home users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A new and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
AVG Anti-Spyware 7.5 (http://www.ewido.net/en/) <<< A good "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one.
Winpatrol (http://www.winpatrol.com) An excellent startup manager, and then some!! Notifies you if programs are added to startup and allows delayed startup. A must-have addition.
SpywareBlaster 3.5.1 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
Firefox (http://www.mozilla.com/en-US/firefox/) With many add-ons available that make customization easy, this is a very popular choice. The NoScript and Adblock Plus add-ons are essential.
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has add-ons available.

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.

Both of these can be cleaned manually, but a quicker option is to use a program:
ATF Cleaner (http://www.atribune.org/content/view/19/2/) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can choose which cookies to keep


Also PLEASE read this article: So How Did I Get Infected In The First Place (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
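
The hosts-file "phone book" that katana describes under Spybot's host protection, and the MVPS HOSTS list recommended under Prevention, both work the same way: Windows consults the hosts file before DNS, so a name pinned to a sink address never reaches the real server. The PowerShell below is an added example written for this page, not code from the thread, from Spybot or from the MVPS project. It parses hosts-file syntax on a small constructed sample (every hostname in it is made up), reports which names are sinkholed, and appends a block entry to a temporary copy rather than the live file.

```powershell
# Added example, not from the thread: how a HOSTS file "phone book" blocks a site.
# Windows reads $env:SystemRoot\System32\drivers\etc\hosts before asking DNS, so a
# name pinned to a sink address (0.0.0.0 or 127.0.0.1) never reaches the real server.

# Constructed sample file; the names are made up, this is not the MVPS list.
$SampleHosts = @'
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.tracker-example.test          # blocked: ad server
0.0.0.0         www.evil-example.test evil-example.test
192.0.2.10      intranet.example.test             # ordinary override, not a block
'@

function ConvertFrom-HostsFile([string]$Text) {
    # Returns a hashtable of hostname -> address. Honours '#' comments, tabs/spaces,
    # and several names on one line; the last entry for a name wins, as the resolver does.
    $map = @{}
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = ($raw -split '#', 2)[0].Trim()
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }          # address with no hostname: ignore
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $map[$name.ToLowerInvariant()] = $address
        }
    }
    return $map
}

function Test-HostsBlocked([hashtable]$Map, [string]$HostName) {
    # $true when the name is pinned to a sink address. 'localhost' is the one name
    # that legitimately lives on loopback, so it is never reported as blocked.
    $sinks = @('0.0.0.0', '127.0.0.1', '::1')
    $key = $HostName.ToLowerInvariant()
    if ($key -eq 'localhost') { return $false }
    return $Map.ContainsKey($key) -and ($sinks -contains $Map[$key])
}

function Add-HostsBlock([string]$Path, [string[]]$Names) {
    # Appends 0.0.0.0 entries for names not already present. Writing the real file
    # needs an elevated shell, and hosts-file protection (Spybot, many AV/HIPS
    # products) will flag or block the change by design.
    $map = ConvertFrom-HostsFile (Get-Content -Path $Path -Raw)
    $new = @($Names | Where-Object { -not $map.ContainsKey($_.ToLowerInvariant()) })
    if ($new.Count -gt 0) {
        Add-Content -Path $Path -Value ($new | ForEach-Object { "0.0.0.0`t$_" })
    }
    return $new.Count
}

$map = ConvertFrom-HostsFile $SampleHosts
foreach ($h in 'ads.tracker-example.test', 'EVIL-example.test', 'intranet.example.test', 'localhost', 'www.safer-networking.org') {
    Write-Host ('{0,-28} blocked={1}' -f $h, (Test-HostsBlocked $map $h))
}

# Round trip against a temporary copy instead of the live file
$tmp = Join-Path $env:TEMP 'hosts-example.txt'
Set-Content -Path $tmp -Value $SampleHosts
$added = Add-HostsBlock $tmp 'another.tracker-example.test', 'ads.tracker-example.test'
Write-Host "added $added new entry(ies) to $tmp"
```

Point ConvertFrom-HostsFile at the real file with Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -Raw to audit what a machine is actually blocking; a very large list (MVPS is tens of thousands of lines) can slow name resolution on XP unless the DNS Client service is stopped, which the MVPS tutorial linked above covers.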

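The six Internet-zone settings in katana's "Make your Internet Explorer more secure" steps are stored in the registry, so they can be audited and applied without clicking through the dialog. The PowerShell below is an added example for this page, not code from the thread or from Microsoft. The key path and the numeric action identifiers (1001, 1004, 1201, 1800, 1804, 1607) are the ones Internet Explorer itself writes for the Internet zone; the function names Get-ZoneAction, Test-ZoneHardening and Set-ZoneHardening are this example's own.

```powershell
# Added example (not part of the original thread): audit and apply the Internet-zone
# settings listed above straight from the registry rather than the IE dialog.
# Zone 3 is the Internet zone. Each setting is a REG_DWORD named after Microsoft's URL
# action identifier; the value is the action: 0 = Enable, 1 = Prompt, 3 = Disable.
$Zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Wanted state, keyed by URL action identifier (dialog label given for reference)
$Wanted = [ordered]@{
    '1001' = @{ Label = 'Download signed ActiveX controls';                          Action = 1 }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                        Action = 3 }
    '1201' = @{ Label = 'Initialize and script ActiveX controls not marked as safe'; Action = 3 }
    '1800' = @{ Label = 'Installation of desktop items';                             Action = 1 }
    '1804' = @{ Label = 'Launching programs and files in an IFRAME';                 Action = 1 }
    '1607' = @{ Label = 'Navigate sub-frames across different domains';              Action = 1 }
}
$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction([string]$Id) {
    # Current DWORD for one action, or $null when the value has never been written
    $props = Get-ItemProperty -Path $Zone -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$Id
}

function Test-ZoneHardening {
    # Prints one line per setting and returns $true only if every one already matches
    $allOk = $true
    foreach ($id in $Wanted.Keys) {
        $want = $Wanted[$id].Action
        $have = Get-ZoneAction $id
        $haveText = 'not set'
        if ($null -ne $have) {
            $haveText = if ($ActionName.ContainsKey($have)) { $ActionName[$have] } else { "raw $have" }
        }
        $ok = ($have -eq $want)
        if (-not $ok) { $allOk = $false }
        $state = if ($ok) { 'OK' } else { 'FIX' }
        $line = '{0}  {1,-58} current={2,-8} wanted={3,-8} {4}' -f $id, $Wanted[$id].Label, $haveText, $ActionName[$want], $state
        Write-Host $line
    }
    return $allOk
}

function Set-ZoneHardening {
    # Writes the wanted values; creates the zone key if this profile has never opened IE
    if (-not (Test-Path $Zone)) { New-Item -Path $Zone -Force | Out-Null }
    foreach ($id in $Wanted.Keys) {
        Set-ItemProperty -Path $Zone -Name $id -Value $Wanted[$id].Action -Type DWord
    }
}

if (-not (Test-ZoneHardening)) {
    Set-ZoneHardening
    Test-ZoneHardening | Out-Null
}
```

Two caveats a practitioner would check first. On a domain-joined machine like the one in this thread (SMS client, OfficeScan, Citrix and SAP are all present) these settings may be enforced by Group Policy; policy values live under the same Zones\3 path beneath HKLM\...\Policies or, when Security_HKLM_only is set, under HKLM, and then the HKCU values this script writes are ignored even though the audit reports OK. And Internet Explorer reads the zone values at startup, so close and reopen the browser after applying them.
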
mcguiret
2008-02-27, 18:37
Thank you SO much for all your help!

I ran a final scan with Spybot S&D and nothing was detected!

Your service is invaluable. Thank you again.