View Full Version : Help! Yet another Virtumonde victim
jodeson06
2008-04-18, 19:17
You must be so sick of seeing these, but here's my info
Here's the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:32 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Jones\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM1f09cefa] Rundll32.exe "C:\WINDOWS\system32\uermuvec.dll",s
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_S1F9.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181345901858
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
--
End of file - 6204 bytes
And here's my Kaspersky Log Report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 18, 2008 12:46:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/04/2008
Kaspersky Anti-Virus database records: 714084
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 56959
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:35:47
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_FRANKENSTIEN.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_FRANKENSTIEN.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Jones\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jones\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Jones\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\history.dat Object is locked skipped
C:\Documents and Settings\Jones\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\key3.db Object is locked skipped
C:\Documents and Settings\Jones\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jones\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jones\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jones\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\Application Data\Mozilla\Firefox\Profiles\butp8jum.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\Temp\NAILogs\UpdaterUI_FRANKENSTIEN.log Object is locked skipped
C:\Documents and Settings\Jones\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jones\My Documents\Downloads\Age_Of_Conan_PvP_Beta\ACHA_GS.part1.exe Object is locked skipped
C:\Documents and Settings\Jones\My Documents\Downloads\Age_Of_Conan_PvP_Beta\ACHA_GS.part2.rar Object is locked skipped
C:\Documents and Settings\Jones\My Documents\Downloads\Age_Of_Conan_PvP_Beta\ACHA_GS.part3.rar Object is locked skipped
C:\Documents and Settings\Jones\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jones\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{462C2435-7122-4F22-8EEF-22F47F0C8CEA}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\WxaHRqss.ini Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2008-04-18, 23:16
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You must be so sick of seeing these, but here's my info
I am more sick of how long it is taking the courts to throw the lowlifes behind the infection in jail.
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
You can see the KOS is showing nothing, and the hackers hide their junk from HJT. Let's take two steps at once, like this:
1) To get HJT safely off of the Desktop, follow these directions.
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
(wait until you finish all directions to post a new log)
Navigate to that folder and rename HJT.exe, call it jodeson06.exe, that will work. After a restart we may see the infection.
2) Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
jodeson06
2008-04-19, 01:28
Thank you so much for your time and assistance! Is there anything that I can do to help fight malware?
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:03 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\jodeson06.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E5D1AD7-BD0B-4CCA-89B8-6D771603081C} - C:\WINDOWS\system32\tuvWoOIA.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {635AEAFB-B8A4-4DB4-894D-0E1071CC38CD} - C:\WINDOWS\system32\nnnnNhiG.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8EC6A457-42EF-4BE1-8485-65B60CB306EA} - C:\WINDOWS\system32\rqRLeeDw.dll (file missing)
O2 - BHO: (no name) - {C6176705-5960-4AB9-AA44-DC7CB344AA4F} - C:\WINDOWS\system32\ssqRHaxW.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_S1F9.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181345901858
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
--
End of file - 7033 bytes
and here is my combofix log:
ComboFix 08-04-17.1 - Jones 2008-04-18 19:20:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT -4:00]
Running from: C:\Documents and Settings\Jones\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.
2008-04-18 18:52 . 2008-04-18 18:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 10:39 . 2008-04-18 10:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 10:39 . 2008-04-18 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 10:38 . 2008-04-18 17:35 1,540,617 --ahs---- C:\WINDOWS\system32\hottvcxb.ini
2008-04-18 10:38 . 2008-04-18 10:38 87,616 --------- C:\WINDOWS\system32\bxcvttoh.dll_old
2008-04-18 10:33 . 2008-04-18 12:55 107,183 --a------ C:\WINDOWS\BM1f09cefa.xml
2008-04-18 10:32 . 2008-04-18 10:32 274,432 --a------ C:\WINDOWS\system32\ssqRHaxW.dll_old
2008-04-18 08:54 . 2008-04-18 08:54 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-04-18 01:20 . 2008-04-18 01:20 <DIR> d-------- C:\Program Files\GameSpot
2008-04-18 01:20 . 2008-04-18 01:20 <DIR> d-------- C:\Documents and Settings\All Users\temp
2008-04-18 01:20 . 2008-04-18 01:20 <DIR> d-------- C:\Documents and Settings\All Users\Gamespot
2008-04-17 23:00 . 2008-04-18 00:04 <DIR> d-------- C:\VundoFix Backups
2008-04-17 21:12 . 2008-04-17 21:12 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-17 21:12 . 2008-04-17 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-17 17:21 . 2008-04-18 17:36 1,308 --a------ C:\WINDOWS\wininit.ini
2008-04-17 17:01 . 2008-04-17 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-09 13:54 . 2008-04-09 13:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 13:54 . 2008-04-09 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 13:52 . 2008-04-09 13:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 13:52 . 2008-04-09 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 23:33 . 2008-04-04 23:33 <DIR> d-------- C:\Program Files\iPod
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-24 14:33 . 2008-03-25 17:15 <DIR> d-------- C:\Program Files\Lineage II
2008-03-19 21:29 . 2008-03-19 21:29 <DIR> d-------- C:\Chat
2008-03-19 21:01 . 2008-03-19 21:01 <DIR> d-------- C:\Program Files\Funcom
2008-03-18 10:06 . 2008-03-18 10:06 <DIR> d-------- C:\Documents and Settings\Jones\Application Data\ATI
2008-03-18 10:06 . 2008-03-18 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-03-18 10:01 . 2008-03-18 10:03 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-18 09:45 . 2008-03-18 09:45 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-03-18 09:45 . 2008-03-18 09:45 <DIR> d-------- C:\Documents and Settings\Jones\Application Data\SystemRequirementsLab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 23:03 --------- d-----w C:\Documents and Settings\Jones\Application Data\uTorrent
2008-04-18 05:20 5,917 ----a-w C:\Program Files\install.log
2008-04-18 01:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 01:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 14:04 --------- d-----w C:\Program Files\Java
2008-04-09 17:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 03:33 --------- d-----w C:\Program Files\iTunes
2008-04-05 03:32 --------- d-----w C:\Program Files\QuickTime
2008-04-04 23:39 --------- d-----w C:\Documents and Settings\Jones\Application Data\OpenOffice.org2
2008-03-19 15:28 --------- d-----w C:\Program Files\PBEMEmailer
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 19:35 --------- d-----w C:\Documents and Settings\Jones\Application Data\Leadertech
2008-03-14 19:31 --------- d-----w C:\Program Files\epson
2008-03-14 19:29 --------- d-----w C:\Program Files\ArcSoft
2008-03-14 19:27 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-03-14 19:27 --------- d-----w C:\Documents and Settings\Jones\Application Data\ArcSoft
2008-03-14 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-08 03:56 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-03-04 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ironclad Games
2008-03-04 18:05 --------- d-----w C:\Program Files\Stardock
2008-02-27 23:23 --------- d-----w C:\Program Files\Saitek
2008-02-27 17:37 8,864 ----a-w C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2008-02-27 17:37 39,936 ----a-w C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2008-02-27 17:27 --------- d-----w C:\Program Files\Smart Projects
2008-02-27 17:17 --------- d-----w C:\Program Files\Microsoft Games
2008-02-27 17:07 --------- d-----w C:\Program Files\directx
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-02-26 03:10 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-02-26 03:02 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-02-26 03:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-02-26 02:59 9,797,632 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-02-26 02:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-02-26 02:23 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-02-26 02:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-02-26 02:21 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-02-26 01:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-02-20 17:48 --------- d-----w C:\Program Files\THQ
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E5D1AD7-BD0B-4CCA-89B8-6D771603081C}]
C:\WINDOWS\system32\tuvWoOIA.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{635AEAFB-B8A4-4DB4-894D-0E1071CC38CD}]
C:\WINDOWS\system32\nnnnNhiG.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EC6A457-42EF-4BE1-8485-65B60CB306EA}]
C:\WINDOWS\system32\rqRLeeDw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6176705-5960-4AB9-AA44-DC7CB344AA4F}]
C:\WINDOWS\system32\ssqRHaxW.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"EPSON Stylus CX7400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.exe" [2007-02-15 06:00 179200]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 04:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-09-23 19:04 2494464]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 17:12 32768]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 09:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 04:55 131072]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 10:48 147514]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 15:34 163840]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 12:09 126976]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Games\\Mechwarrior Mercenaries\\MW4MERCS.ICD"=
"C:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\mw4x\\MW4x.exe"=
"C:\\Program Files\\Stardock\\TotalGaming\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys [2004-12-13 09:44]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2003-09-02 06:22]
S3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-03-20 11:49]
S3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 11:49]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys [2003-09-19 16:00]
S3 SaiH075C;SaiH075C;C:\WINDOWS\system32\DRIVERS\SaiH075C.sys [2006-07-27 07:49]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
\Shell\log\command - D:\goodies\machine\machine.exe -l
\Shell\machine\command - D:\goodies\machine\machine.exe
\Shell\patch\command - D:\goodies\patch\patch2.exe
\Shell\setup\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 03:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 19:21:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-18 19:22:36
ComboFix-quarantined-files.txt 2008-04-18 23:22:02
ComboFix2.txt 2008-04-18 23:15:55
Pre-Run: 50,515,763,200 bytes free
Post-Run: 50,504,204,288 bytes free
.
2008-04-12 04:26:34 --- E O F ---
pskelley
2008-04-19, 01:50
Thanks for returning your information, I am not seeing a whole lot? We will remove what I see, clean good and see what happens.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
2) Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
5) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\hottvcxb.ini
C:\WINDOWS\system32\bxcvttoh.dll_old
C:\WINDOWS\BM1f09cefa.xml
C:\WINDOWS\system32\ssqRHaxW.dll_old
Folder::
C:\VundoFix Backups
Save this as CFScript
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
(wait until you finish to post reports and logs)
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {4E5D1AD7-BD0B-4CCA-89B8-6D771603081C} - C:\WINDOWS\system32\tuvWoOIA.dll (file missing)
O2 - BHO: (no name) - {635AEAFB-B8A4-4DB4-894D-0E1071CC38CD} - C:\WINDOWS\system32\nnnnNhiG.dll (file missing)
O2 - BHO: (no name) - {8EC6A457-42EF-4BE1-8485-65B60CB306EA} - C:\WINDOWS\system32\rqRLeeDw.dll (file missing)
O2 - BHO: (no name) - {C6176705-5960-4AB9-AA44-DC7CB344AA4F} - C:\WINDOWS\system32\ssqRHaxW.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the report from combofix, a new HJT log and some feedback from you.
Thanks
jodeson06
2008-04-19, 02:42
Thanks again! As for feed back, I ran SpyBot and for the first time it did not detect virtumonde in a while.
Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:06 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\jodeson06.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_S1F9.tmp" /EF "HKCU"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181345901858
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
--
End of file - 6466 bytes
and here's my combofix log:
ComboFix 08-04-17.1 - Jones 2008-04-18 20:10:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.626 [GMT -4:00]
Running from: C:\Documents and Settings\Jones\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jones\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BM1f09cefa.xml
C:\WINDOWS\system32\bxcvttoh.dll_old
C:\WINDOWS\system32\hottvcxb.ini
C:\WINDOWS\system32\ssqRHaxW.dll_old
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\byXNgghG.dll.bad
C:\WINDOWS\BM1f09cefa.xml
C:\WINDOWS\system32\bxcvttoh.dll_old
C:\WINDOWS\system32\hottvcxb.ini
C:\WINDOWS\system32\ssqRHaxW.dll_old
.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.
2008-04-18 18:52 . 2008-04-18 18:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 10:39 . 2008-04-18 10:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 10:39 . 2008-04-18 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 08:54 . 2008-04-18 08:54 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-04-18 01:20 . 2008-04-18 01:20 <DIR> d-------- C:\Program Files\GameSpot
2008-04-18 01:20 . 2008-04-18 01:20 <DIR> d-------- C:\Documents and Settings\All Users\temp
2008-04-18 01:20 . 2008-04-18 01:20 <DIR> d-------- C:\Documents and Settings\All Users\Gamespot
2008-04-17 21:12 . 2008-04-17 21:12 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-17 21:12 . 2008-04-17 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-17 17:21 . 2008-04-18 17:36 1,308 --a------ C:\WINDOWS\wininit.ini
2008-04-17 17:01 . 2008-04-17 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-09 13:54 . 2008-04-09 13:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 13:54 . 2008-04-09 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 13:52 . 2008-04-09 13:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 13:52 . 2008-04-09 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 23:33 . 2008-04-04 23:33 <DIR> d-------- C:\Program Files\iPod
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-24 14:33 . 2008-03-25 17:15 <DIR> d-------- C:\Program Files\Lineage II
2008-03-19 21:29 . 2008-03-19 21:29 <DIR> d-------- C:\Chat
2008-03-19 21:01 . 2008-03-19 21:01 <DIR> d-------- C:\Program Files\Funcom
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 00:01 --------- d-----w C:\Documents and Settings\Jones\Application Data\uTorrent
2008-04-18 05:20 5,917 ----a-w C:\Program Files\install.log
2008-04-18 01:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 01:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 14:04 --------- d-----w C:\Program Files\Java
2008-04-09 17:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 03:33 --------- d-----w C:\Program Files\iTunes
2008-04-05 03:32 --------- d-----w C:\Program Files\QuickTime
2008-04-04 23:39 --------- d-----w C:\Documents and Settings\Jones\Application Data\OpenOffice.org2
2008-03-19 15:28 --------- d-----w C:\Program Files\PBEMEmailer
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 14:06 --------- d-----w C:\Documents and Settings\Jones\Application Data\ATI
2008-03-18 14:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-03-18 14:03 --------- d-----w C:\Program Files\ATI Technologies
2008-03-18 13:45 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-18 13:45 --------- d-----w C:\Documents and Settings\Jones\Application Data\SystemRequirementsLab
2008-03-14 19:35 --------- d-----w C:\Documents and Settings\Jones\Application Data\Leadertech
2008-03-14 19:31 --------- d-----w C:\Program Files\epson
2008-03-14 19:29 --------- d-----w C:\Program Files\ArcSoft
2008-03-14 19:27 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-03-14 19:27 --------- d-----w C:\Documents and Settings\Jones\Application Data\ArcSoft
2008-03-14 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-08 03:56 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-03-04 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ironclad Games
2008-03-04 18:05 --------- d-----w C:\Program Files\Stardock
2008-02-27 23:23 --------- d-----w C:\Program Files\Saitek
2008-02-27 17:37 8,864 ----a-w C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2008-02-27 17:37 39,936 ----a-w C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2008-02-27 17:27 --------- d-----w C:\Program Files\Smart Projects
2008-02-27 17:17 --------- d-----w C:\Program Files\Microsoft Games
2008-02-27 17:07 --------- d-----w C:\Program Files\directx
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-02-26 03:10 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-02-26 03:02 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-02-26 03:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-02-26 02:59 9,797,632 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-02-26 02:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-02-26 02:23 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-02-26 02:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-02-26 02:21 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-02-26 01:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-02-20 17:48 --------- d-----w C:\Program Files\THQ
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-18_19.15.31.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 23:07:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 00:02:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E5D1AD7-BD0B-4CCA-89B8-6D771603081C}]
C:\WINDOWS\system32\tuvWoOIA.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{635AEAFB-B8A4-4DB4-894D-0E1071CC38CD}]
C:\WINDOWS\system32\nnnnNhiG.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EC6A457-42EF-4BE1-8485-65B60CB306EA}]
C:\WINDOWS\system32\rqRLeeDw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6176705-5960-4AB9-AA44-DC7CB344AA4F}]
C:\WINDOWS\system32\ssqRHaxW.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"EPSON Stylus CX7400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.exe" [2007-02-15 06:00 179200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 04:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-09-23 19:04 2494464]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 17:12 32768]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 09:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 04:55 131072]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 10:48 147514]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 15:34 163840]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 12:09 126976]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Games\\Mechwarrior Mercenaries\\MW4MERCS.ICD"=
"C:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\mw4x\\MW4x.exe"=
"C:\\Program Files\\Stardock\\TotalGaming\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys [2004-12-13 09:44]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2003-09-02 06:22]
S3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-03-20 11:49]
S3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 11:49]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys [2003-09-19 16:00]
S3 SaiH075C;SaiH075C;C:\WINDOWS\system32\DRIVERS\SaiH075C.sys [2006-07-27 07:49]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
\Shell\log\command - D:\goodies\machine\machine.exe -l
\Shell\machine\command - D:\goodies\machine\machine.exe
\Shell\patch\command - D:\goodies\patch\patch2.exe
\Shell\setup\command - D:\setup.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 03:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 20:12:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-18 20:14:00
ComboFix-quarantined-files.txt 2008-04-19 00:13:47
ComboFix2.txt 2008-04-18 23:22:37
ComboFix3.txt 2008-04-18 23:15:55
Pre-Run: 50,532,429,824 bytes free
Post-Run: 50,518,732,800 bytes free
.
2008-04-12 04:26:34 --- E O F ---
again, i can't express my thanks enough!
jodeson06
2008-04-19, 03:06
ugh, just did back to back Spybot searches and kept getting the same entries
pskelley
2008-04-19, 08:33
Thanks for returning your information and the feedback. Your HJT log looks clean of malware.
ugh, just did back to back Spybot searches and kept getting the same entries
1) If Spybot locates stuff it should remove it, if it does not it is most often because the program is not up to date and fully immunized. I ran an update this AM and you should be on:
Spybot S&D 1.5.2.20 Latest detection update - 2008-04-17. Be sure this is the case, and if it is I would like you to post issues with Spybot S&D here:
http://forums.spybot.info/forumdisplay.php?f=4 <<< Spybot forum
http://forums.spybot.info/forumdisplay.php?f=16 <<< false positives
Where experts with Spybot S&D can help with the issue.
2) Before we remove combofix from your computer, I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks
pskelley
2008-04-26, 11:12
http://forums.spybot.info/showthread.php?t=288
Towards the end of a cleanup please make sure you follow through with any final log requested, even if it appears to you that your computer is back to normal operation.
As much as we like our members we would rather not see you back in a few weeks because there was no follow up with the helper.
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.