Adware.Virtumonde app



swede
2008-07-01, 11:11
HJT Log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:38, on 2008-07-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmm.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\HostsMan\hostssrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - C:\WINDOWS\system32\ddcDtRLd.dll
O2 - BHO: (no name) - {2ECE29C1-3F16-4ECA-A5CA-D618BC5752A4} - C:\WINDOWS\system32\awtsQHwW.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {87831770-ea07-ffb8-ecf4-5756993538ad} - {da835399-6575-4fce-8bff-70ae07713878} - C:\WINDOWS\system32\cgdhng.dll
O2 - BHO: (no name) - {F8700F79-B2C1-4351-B025-AFED2CEEACC0} - C:\WINDOWS\system32\urqPjJDu.dll (file missing)
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [BM07a76409] Rundll32.exe "C:\WINDOWS\system32\vowxgebi.dll",s
O4 - HKLM\..\Run: [04945795] rundll32.exe "C:\WINDOWS\system32\uonmotpm.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3711] command /c del "C:\WINDOWS\system32\awtsQHwW.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2372] cmd /c del "C:\WINDOWS\system32\awtsQHwW.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5524] command /c del "C:\WINDOWS\system32\urqPjJDu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1816] cmd /c del "C:\WINDOWS\system32\urqPjJDu.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: ddcDtRLd - C:\WINDOWS\SYSTEM32\ddcDtRLd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 5538 bytes

Unfortunately I seem to have allowed some stupid registry changes...

The Spybot log shows this:

2008-07-01 10:39:57 Allowed (based on user decision) value "SpybotDeletingB8737" (new data: "") deleted in System Startup user entry!
2008-07-01 10:39:58 Allowed (based on user decision) value "SpybotDeletingD5300" (new data: "") deleted in System Startup user entry!
2008-07-01 10:39:58 Allowed (based on user decision) value "04945795" (new data: "rundll32.exe "C:\WINDOWS\system32\uonmotpm.dll",b") added in System Startup global entry!
2008-07-01 10:40:03 Allowed (based on user decision) value "BM07a76409" (new data: "Rundll32.exe "C:\WINDOWS\system32\vowxgebi.dll",s") added in System Startup global entry!
2008-07-01 10:40:05 Allowed (based on user decision) value "SpybotDeletingA3711" (new data: "command /c del "C:\WINDOWS\system32\awtsQHwW.dll_old"") added in System Startup global entry!
2008-07-01 10:40:06 Allowed (based on user decision) value "SpybotDeletingC2372" (new data: "cmd /c del "C:\WINDOWS\system32\awtsQHwW.dll_old"") added in System Startup global entry!
2008-07-01 10:40:06 Allowed (based on user decision) value "SpybotDeletingA5524" (new data: "command /c del "C:\WINDOWS\system32\urqPjJDu.dll_old"") added in System Startup global entry!
2008-07-01 10:40:06 Allowed (based on user decision) value "SpybotDeletingC1816" (new data: "cmd /c del "C:\WINDOWS\system32\urqPjJDu.dll_old"") added in System Startup global entry!
2008-07-01 10:40:08 Allowed (based on user decision) value "SpybotDeletingA2859" (new data: "") deleted in System Startup global entry!
2008-07-01 10:40:09 Allowed (based on user decision) value "SpybotDeletingC8788" (new data: "") deleted in System Startup global entry!
2008-07-01 10:44:54 Denied (based on user decision) value "04945795" (new data: "") deleted in System Startup global entry!

I hope that I wasn't unclear...I really need help to remove this...please.

pskelley
2008-07-03, 14:55
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

swede
2008-07-03, 15:42
A few minutes ago, I've managed to - what it seems - get rid of my Virtumonde problem...to be sure, I'm posting a new HJT log. Please forgive me for not telling you in advance, but I really needed my computer...If you still think I should go ahead with combofix, just let me know. Thanks for your great work!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:40:06, on 2008-07-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\WINDOWS\system32\mmm.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HostsMan\hostssrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --start
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 4299 bytes

pskelley
2008-07-03, 15:50
I see no evidence of Vundo in this HJT log, you would surely know by the symptoms. Vundo often is not visible in HJT. Would you share how you removed it? It is always a battle. If you want a good double check:

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

swede
2008-07-03, 16:18
Thanks for your quick response.

I disconnected my computer from the internet, ran the fixes proposed by Spybot, NOD32 and HJT. I read other forum threads and simply fixed the entries mentioned there.

Below you'll find logs from Spybot and NOD32.

Spybot:
2008-07-03 13:43:30 Denied (based on user decision) value "PowerTweak Menu" (new data: "") deleted in System Startup global entry!
2008-07-03 13:43:33 Allowed (based on user decision) value "BM07a76409" (new data: "") deleted in System Startup global entry!
2008-07-03 13:43:33 Denied (based on user blacklist) value "04945795" (new data: "") deleted in System Startup global entry!
2008-07-03 13:43:34 Allowed (based on user decision) value "{018B27FF-E05F-4CB5-8763-540CB3FD457A}" (new data: "") deleted in Browser Helper Object!
2008-07-03 13:43:35 Allowed (based on user decision) value "{2ECE29C1-3F16-4ECA-A5CA-D618BC5752A4}" (new data: "") deleted in Browser Helper Object!
2008-07-03 13:43:36 Allowed (based on user decision) value "{da835399-6575-4fce-8bff-70ae07713878}" (new data: "") deleted in Browser Helper Object!
2008-07-03 13:43:38 Allowed (based on user decision) value "{F8700F79-B2C1-4351-B025-AFED2CEEACC0}" (new data: "") deleted in Browser Helper Object!
2008-07-03 13:43:39 Allowed (based on user decision) value "ddcDtRLd" (new data: "") deleted in Winlogon Notifiers!
2008-07-03 13:45:16 Denied (based on user blacklist) value "04945795" (new data: "") deleted in System Startup global entry!


These were deleted by NOD32:
C:\WINDOWS\system32\boqohnil.dll
C:\WINDOWS\system32\ddcDtRLd.dll
C:\WINDOWS\system32\dttsfdhy.dll
C:\WINDOWS\system32\mcrbgg.dll
C:\WINDOWS\system32\ovofquqx.dll
C:\WINDOWS\system32\sudpmhbb.dll
c:\windows\system32\vowxgebi.dll

Hopefully my computer is clean now...

swede
2008-07-03, 20:45
That sure took some time to run, but here's MBAM's logfile:

I didn't remove EvID4226Patch.exe since I sometimes use it (it's d/l from www.lvllord.de).

Malwarebytes' Anti-Malware 1.19
Database version: 918
Windows 5.1.2600 Service Pack 3

20:39:42 2008-07-03
mbam-log-7-3-2008 (20-39-42).txt

Scan type: Full Scan (C:\|H:\|I:\|S:\|)
Objects scanned: 132637
Time elapsed: 4 hour(s), 16 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\04945795 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
I:\program\EvID4226Patch.exe (Adware.Agent) -> Not selected for removal.
I:\program\New Folder\EvID4226Patch.exe (Adware.Agent) -> Not selected for removal.
I:\System Volume Information\_restore{602F229B-66F7-4B44-9CAA-5F7F6A1B9AB5}\RP223\A0058132.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Restarted and...well, now I hope it's finally clean...thanks again!

swede
2008-07-03, 21:06
Restarted and, to my surprise, I'm still infected! Maybe due to the fact that I restarted TeaTimer...(but I allowed the registry changes to be made).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59:02, on 2008-07-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\WINDOWS\system32\mmm.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\HostsMan\hostssrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [04945795] rundll32.exe "C:\WINDOWS\system32\uonmotpm.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 4445 bytes


Malwarebytes' Anti-Malware 1.19
Database version: 918
Windows 5.1.2600 Service Pack 3

21:02:34 2008-07-03
mbam-log-7-3-2008 (21-02-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 42588
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\04945795 (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

pskelley
2008-07-03, 21:25
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\04945795 (Trojan.Vundo) -> No action taken. <<<

Why did you choose to take no action here?

Continue with my instructions in post #2, this junk is hard to get rid of.

Thanks

swede
2008-07-03, 21:31
Deactivated TeaTimer, ran MBAM again, ran the proposed fix and restarted.

Now, finally, both HJT and MBAM don't find anything...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:15, on 2008-07-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\WINDOWS\system32\mmm.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\HostsMan\hostssrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --start
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 4355 bytes

Malwarebytes' Anti-Malware 1.19
Database version: 918
Windows 5.1.2600 Service Pack 3

21:15:34 2008-07-03
mbam-log-7-3-2008 (21-15-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 42502
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

pskelley
2008-07-03, 21:39
O4 - HKLM\..\Run: [04945795] rundll32.exe "C:\WINDOWS\system32\uonmotpm.dll",b

This is the item that was in this HJT log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:59:02, on 2008-07-03

It is not in the most recent log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:19:15, on 2008-07-03

as I stated in my first post:

This can be a tough infection to remove so do not expect fast or easy.
If you have any more problem, disable TeaTimer and run combofix as I originally posted. I'll leave the topic open for a couple of days.

Thanks
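The two checks pskelley does by eye in this thread, flagging the Vundo-pattern O2/O4/O20 entries in swede's first HJT log and listing which entries disappeared between the 20:59 and 21:19 logs, as a small triage script. This is an added example, not code from the posts or from HijackThis, Spybot or Malwarebytes; the sample lines are copied from the logs above, and the "random-named system32 DLL" test is a heuristic that still needs a human to confirm (and, as pskelley notes, Vundo components that HJT does not list will not show up here at all).

```python
"""Triage helper for HijackThis (HJT) logs: flag Vundo-pattern entries and
diff two logs.  Added example for this thread; heuristics are assumptions,
not rules from HijackThis or Spybot."""
import re

# The three HJT line types the thread turns on: BHOs, autoruns, Winlogon Notify.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - '
                   r'(?P<path>.*?)(?P<missing> \(file missing\))?$')
O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run(?:Once)?): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')

# Vundo in this thread drops DLLs with random 6-8 letter names into system32
# and loads them via rundll32 with a one-letter export (",s" / ",b").
SYS32_RANDOM_DLL = re.compile(r'^C:\\WINDOWS\\system32\\[A-Za-z]{6,8}\.dll$', re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*'
                       r'(?P<export>[A-Za-z]{1,2})\s*$', re.I)
CLSID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')


def parse(log_text):
    """Return (kind, raw_line, fields) for every O2/O4/O20 line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in (('O2', O2_RE), ('O4', O4_RE), ('O20', O20_RE)):
            m = rx.match(line)
            if m:
                entries.append((kind, line, m.groupdict()))
                break
    return entries


def flag_vundo(log_text):
    """Return (raw_line, reason) for entries that fit the Vundo pattern."""
    entries = parse(log_text)
    bho_dlls = {e['path'].lower() for k, _, e in entries if k == 'O2'}
    flagged = []
    for kind, line, e in entries:
        if kind == 'O2':
            # Legit BHOs carry a product name; Vundo's are unnamed or CLSID-named.
            unnamed = e['name'] == '(no name)' or CLSID_RE.match(e['name'])
            if unnamed and SYS32_RANDOM_DLL.match(e['path']):
                flagged.append((line, 'unnamed BHO loading random-named system32 DLL'))
        elif kind == 'O4':
            m = RUNDLL_RE.match(e['cmd'])
            if m and SYS32_RANDOM_DLL.match(m.group('dll')):
                flagged.append((line, 'rundll32 autorun of random-named system32 DLL, '
                                      'export "%s"' % m.group('export')))
        elif kind == 'O20':
            # Same DLL registered as BHO and as Winlogon Notify is the strongest signal.
            if e['path'].lower() in bho_dlls:
                flagged.append((line, 'Winlogon Notify DLL also registered as BHO'))
            elif SYS32_RANDOM_DLL.match(e['path']):
                flagged.append((line, 'Winlogon Notify loading random-named system32 DLL'))
    return flagged


def removed_entries(old_log, new_log):
    """O2/O4/O20 lines present in old_log but gone from new_log (what a fix removed)."""
    new_lines = {line for _, line, _ in parse(new_log)}
    return [line for _, line, _ in parse(old_log) if line not in new_lines]


# Sample lines copied from the first HJT log in the thread.
FIRST_LOG = r"""
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - C:\WINDOWS\system32\ddcDtRLd.dll
O2 - BHO: (no name) - {2ECE29C1-3F16-4ECA-A5CA-D618BC5752A4} - C:\WINDOWS\system32\awtsQHwW.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {87831770-ea07-ffb8-ecf4-5756993538ad} - {da835399-6575-4fce-8bff-70ae07713878} - C:\WINDOWS\system32\cgdhng.dll
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [BM07a76409] Rundll32.exe "C:\WINDOWS\system32\vowxgebi.dll",s
O4 - HKLM\..\Run: [04945795] rundll32.exe "C:\WINDOWS\system32\uonmotpm.dll",b
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O20 - Winlogon Notify: ddcDtRLd - C:\WINDOWS\SYSTEM32\ddcDtRLd.dll
"""

# Excerpts of the 20:59 and 21:19 logs that pskelley compares.
LOG_2059 = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [04945795] rundll32.exe "C:\WINDOWS\system32\uonmotpm.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""
LOG_2119 = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
"""

if __name__ == '__main__':
    for line, reason in flag_vundo(FIRST_LOG):
        print('FLAG   ', reason, '::', line)
    for line in removed_entries(LOG_2059, LOG_2119):
        print('REMOVED', line)
```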

swede
2008-07-04, 14:07
Better safe than sorry - I ran ComboFix (as you suggested in your first post...sorry for that)...and of course it found more nasty things to delete:

ComboFix 08-07-03.5 - hans 2008-07-04 13:06:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1656 [GMT 2:00]
Running from: C:\Documents and Settings\hans\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atrudkit.dll
C:\WINDOWS\system32\cgdhng.dll
C:\WINDOWS\system32\linhoqob.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mptomnou.ini
C:\WINDOWS\system32\uDJjPqru.ini
C:\WINDOWS\system32\uDJjPqru.ini2
C:\WINDOWS\system32\WwHQstwa.ini
C:\WINDOWS\system32\WwHQstwa.ini2
C:\WINDOWS\system32\yhdfsttd.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-04 13:10 . 2008-07-04 13:10 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-04 13:10 . 2008-07-04 13:10 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-03 17:04 . 2008-07-03 17:04 <DIR> d-------- C:\Program Files\WildEdit
2008-07-03 17:04 . 2008-07-03 17:04 <DIR> d-------- C:\Documents and Settings\hans\Application Data\Helios
2008-07-03 16:20 . 2008-07-03 16:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 16:20 . 2008-07-03 16:20 <DIR> d-------- C:\Documents and Settings\hans\Application Data\Malwarebytes
2008-07-03 16:20 . 2008-07-03 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 16:20 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-03 16:20 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-03 15:15 . 2008-07-03 15:15 <DIR> d-------- C:\Program Files\MinSläkt V3
2008-07-03 15:09 . 2008-07-03 15:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-03 14:53 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-07-03 14:53 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-07-03 14:50 . 2008-07-03 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-03 12:36 . 2008-07-03 12:36 <DIR> d-------- C:\Documents and Settings\hans\Application Data\Media Player Classic
2008-07-03 07:50 . 2008-04-14 00:17 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-30 21:51 . 2008-06-30 21:51 <DIR> d-------- C:\Program Files\CCleaner
2008-06-30 21:21 . 2008-07-02 21:21 110,419 --a------ C:\WINDOWS\BM07a76409.xml
2008-06-30 18:48 . 2008-07-03 09:23 268 --a------ C:\WINDOWS\wininit.ini
2008-06-30 18:06 . 2008-06-30 18:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-30 18:06 . 2008-07-01 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 00:45 . 2008-06-30 00:45 <DIR> d-------- C:\Program Files\HostsMan
2008-06-30 00:45 . 2008-06-30 00:45 <DIR> d-------- C:\Documents and Settings\hans\Application Data\abelhadigital.com
2008-06-30 00:45 . 2008-06-30 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
2008-06-30 00:32 . 2008-06-30 00:32 <DIR> d-------- C:\Program Files\uTorrent
2008-06-30 00:31 . 2008-07-03 20:46 <DIR> d-------- C:\Documents and Settings\hans\Application Data\uTorrent
2008-06-30 00:28 . 2008-06-30 00:28 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-30 00:23 . 2008-07-03 14:50 <DIR> d-------- C:\Program Files\ESET
2008-06-30 00:21 . 2008-06-30 00:21 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-30 00:21 . 2007-08-18 08:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-30 00:21 . 2008-06-13 13:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-30 00:21 . 2008-06-13 13:05 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-30 00:21 . 2008-05-08 16:02 203,136 --a------ C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-30 00:21 . 2005-02-25 05:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-30 00:20 . 2008-06-30 00:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-30 00:18 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-30 00:18 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-30 00:15 . 2008-06-30 00:15 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-30 00:12 . 2008-06-30 00:12 <DIR> d-------- C:\ATI
2008-06-30 00:12 . 2008-06-02 21:05 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-06-30 00:09 . 2008-06-04 16:29 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-30 00:09 . 2008-01-10 14:30 442,368 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-06-30 00:09 . 2008-03-14 10:47 442,368 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-06-30 00:09 . 2008-02-26 17:55 9,417 --a------ C:\WINDOWS\system32\nvide.nvu
2008-06-30 00:09 . 2007-12-07 16:12 5,836 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-06-30 00:09 . 2008-03-12 12:14 3,948 --a------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-06-30 00:09 . 2007-12-07 14:34 2,016 --a------ C:\WINDOWS\system32\nvsmb.nvu
2008-06-30 00:08 . 2008-06-30 00:12 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-30 00:08 . 2008-06-30 00:08 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-30 00:08 . 2008-06-30 00:08 <DIR> d-------- C:\Program Files\ASUS
2008-06-30 00:06 . 2008-06-30 23:17 <DIR> d-------- C:\Documents and Settings\hans
2008-06-30 00:02 . 2008-06-30 00:02 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-06-30 00:02 . 2008-06-30 00:02 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-06-30 00:02 . 2008-06-30 00:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-30 00:02 . 2008-06-30 00:02 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-06-30 00:01 . 2008-06-30 00:01 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-06-12 18:25 . 2008-06-12 18:25 962,560 --a------ C:\WINDOWS\system32\VSFilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 14:44 --------- d-----w C:\Program Files\7-Zip
2008-07-03 13:15 --------- d-----w C:\Program Files\MinSläkt V3
2008-06-30 08:01 --------- d-----w C:\Program Files\Unlocker
2008-06-30 06:02 --------- d-----w C:\Program Files\Notepad++
2008-06-29 22:16 --------- d-----w C:\Program Files\Utilities
2008-06-29 21:56 --------- d-----w C:\Program Files\Windows IP Configuration Manager
2008-06-29 21:56 --------- d-----w C:\Program Files\TaskSwitchXP
2008-06-29 21:56 --------- d-----w C:\Program Files\Attribute Changer
2008-06-29 21:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-29 21:55 --------- d-----w C:\Program Files\JkDefragGUI
2008-06-03 06:20 3,100,160 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-03 03:46 10,276,864 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-06-03 03:22 413,696 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:04 245,760 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:33 48,128 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 23,040 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:27 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-05-21 15:37 58,368 ----a-w C:\WINDOWS\system32\sol.exe
2008-05-21 15:37 56,832 ----a-w C:\WINDOWS\system32\freecell.exe
2008-05-21 15:37 3,165,696 ----a-w C:\WINDOWS\system32\msgina.dll
2008-05-21 15:37 129,024 ----a-w C:\WINDOWS\system32\mshearts.exe
2008-05-21 15:37 121,344 ----a-w C:\WINDOWS\system32\winmine.exe
2008-05-21 15:37 1,564,672 ----a-w C:\WINDOWS\system32\spider.exe
2008-05-21 15:37 1,384,960 ----a-w C:\WINDOWS\system32\cards.dll
2008-05-21 15:36 13,022,208 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-05-21 15:35 94,720 ----a-w C:\WINDOWS\system32\mshta.exe
2008-05-21 15:35 70,144 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-05-21 15:35 547,328 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-05-21 15:35 527,872 ----a-w C:\WINDOWS\system32\wiaacmgr.exe
2008-05-21 15:35 52,224 ----a-w C:\WINDOWS\system32\winchat.exe
2008-05-21 15:35 351,232 ----a-w C:\WINDOWS\winhlp32.exe
2008-05-21 15:35 32,256 ----a-w C:\WINDOWS\system32\wupdmgr.exe
2008-05-21 15:35 30,208 ----a-w C:\WINDOWS\system32\write.exe
2008-05-21 15:35 3,291,648 ----a-w C:\WINDOWS\system32\wextract.exe
2008-05-21 15:35 204,800 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-21 15:35 199,680 ----a-w C:\WINDOWS\system32\wuauclt1.exe
2008-05-21 15:35 105,984 ----a-w C:\WINDOWS\system32\admparse.dll
2008-05-21 15:33 947,984 ----a-w C:\WINDOWS\system32\calc.exe
2008-05-21 15:32 941,630 ----a-w C:\WINDOWS\srchasst\srchui.dll
2008-05-21 15:31 927,232 ----a-w C:\WINDOWS\system32\rasdlg.dll
2008-05-21 15:30 979,456 ----a-w C:\WINDOWS\system32\netplwiz.dll
2008-05-21 15:29 97,280 ----a-w C:\WINDOWS\system32\inetres.dll
2008-05-21 15:28 724,992 ----a-w C:\WINDOWS\system32\comctl32.dll
2008-05-21 15:20 89,856 ----a-w C:\WINDOWS\system32\drivers\nvatabus.sys
2008-05-21 15:20 295,424 ----a-w C:\WINDOWS\system32\idecoi.dll
2008-05-21 15:20 16,640 ----a-w C:\WINDOWS\system32\drivers\nvcchflt.sys
2008-05-21 15:19 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
2008-05-21 15:19 5,810 ----a-w C:\WINDOWS\system32\drivers\ASACPI.sys
2008-05-21 15:19 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-05-21 15:19 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-05-21 15:19 140,288 ----a-w C:\WINDOWS\system32\sfc_os.dll
2008-05-21 15:01 99,840 ----a-w C:\WINDOWS\system32\wmpshell.dll
2008-05-21 15:01 603,648 ----a-w C:\WINDOWS\system32\wmspdmod.dll
2008-05-21 15:01 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
2008-05-21 15:01 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
2008-05-21 15:01 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
2008-05-21 15:01 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
2008-05-21 15:01 314,880 ----a-w C:\WINDOWS\system32\wmpdxm.dll
2008-05-21 15:01 242,688 ----a-w C:\WINDOWS\system32\wmpasf.dll
2008-05-21 15:01 1,329,152 ----a-w C:\WINDOWS\system32\wmspdmoe.dll
2008-05-08 14:28 294,920 ----a-w C:\WINDOWS\system32\autoitx3.dll
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 20:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-14 05:42 74,752 ----a-w C:\WINDOWS\system32\storprop.dll
2008-04-14 05:42 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
2008-04-14 05:42 29,184 ----a-w C:\WINDOWS\system32\sdhcinst.dll
2008-04-14 05:41 30,208 ----a-w C:\WINDOWS\system32\bthserv.dll
2008-04-14 05:41 21,504 ----a-w C:\WINDOWS\system32\hidserv.dll
2008-04-14 05:41 20,992 ----a-w C:\WINDOWS\system32\bthci.dll
2008-04-14 03:41 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll
2008-04-14 02:10 1,296,669 ----a-r C:\WINDOWS\SET3.tmp
2008-04-14 02:10 1,296,669 ----a-r C:\WINDOWS\SET27.tmp
2008-04-14 02:04 16,535 ----a-r C:\WINDOWS\SET8.tmp
2008-04-14 02:04 16,535 ----a-r C:\WINDOWS\SET36.tmp
2008-04-14 02:04 1,088,840 ----a-r C:\WINDOWS\SET4.tmp
2008-04-14 02:04 1,088,840 ----a-r C:\WINDOWS\SET2A.tmp
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\Dcache.bin
2008-04-14 00:21 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll
2008-04-14 00:21 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
.

------- Sigcheck -------

2008-05-21 17:19 361344 68f06fe0021b01e670af37b8c5964fdf C:\WINDOWS\system32\drivers\tcpip.sys

2008-05-21 17:35 547328 a55b8899d2ea2e800061bcfd456e34dc C:\WINDOWS\system32\winlogon.exe

2008-05-21 17:33 1551872 c26978d5f821a7330439dd7f0aaaf678 C:\WINDOWS\explorer.exe

2008-05-21 17:33 25088 b5e8782d4af1b3756f38e11e7c157bbe C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-21 17:33 25088]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 14:59 62976]
"HostsServer"="C:\Program Files\HostsMan\hostssrv.exe" [2008-06-15 18:06 1822720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-01 22:15 15872]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 13:21 61440]
"PowerTweak Menu"="C:\WINDOWS\system32\mmm.exe" [2005-07-05 03:04 828416]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"SoundMan"="SOUNDMAN.EXE" [2005-02-02 10:47 77824 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 14:59 62976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys [2008-05-21 17:20]
R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2008-01-25 20:01]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]


*Newly Created Service* - HELPSVC
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{018B27FF-E05F-4CB5-8763-540CB3FD457A} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 13:11:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-04 13:12:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 11:12:02

Pre-Run: 245,666,009,088 bytes free
Post-Run: 245,670,064,128 bytes free

257 --- E O F --- 2008-06-29 22:23:16

pskelley
2008-07-04, 14:28
You had quite a bit of infection still hiding as you can see from what combofix deleted. The original instructions were:

Post the combofix log and a new HJT log.

I need to see the new HJT log.

Thanks

swede
2008-07-05, 12:34
Sorry for not reading your instructions carefully enough. Here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:06, on 2008-07-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\WINDOWS\system32\mmm.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\HostsMan\hostssrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --start
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 4325 bytes

pskelley
2008-07-05, 14:24
Thanks for the HJT log. I cannot find anything good about this item and will remove it unless you know what it is:
C:\WINDOWS\system32\mmm.exe
http://www.google.com/search?hl=en&q=mmm.exe&btnG=Google+Search

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\mmm.exe

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Post the combofix log from CFScript and a last HJT log and tell me of any malware issues.

Thanks

swede
2008-07-07, 16:53
Here are the logs after deleting mmm.exe. No reboot was asked for by ComboFix.

ComboFix 08-07-05.1 - hans 2008-07-07 16:44:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1528 [GMT 2:00]
Running from: C:\Documents and Settings\hans\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\hans\Desktop\CFScript
* Created a new restore point

FILE ::
C:\WINDOWS\system32\mmm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mmm.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-05 15:23 . 2008-07-05 15:23 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-05 15:23 . 2008-07-05 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-05 15:20 . 2008-07-05 15:23 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-05 15:08 . 2008-07-05 15:08 162 --a------ C:\WINDOWS\ODBC.INI
2008-07-05 15:05 . 2008-07-05 15:05 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-05 15:04 . 2008-07-05 15:04 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-07-05 15:03 . 2008-07-05 15:03 <DIR> dr-h----- C:\MSOCache
2008-07-05 15:03 . 2008-07-06 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-05 14:57 . 2008-07-05 14:57 <DIR> d-------- C:\Program Files\Windows Live
2008-07-05 14:55 . 2008-07-05 14:55 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-07-05 12:38 . 2008-07-05 12:38 <DIR> d-------- C:\Documents and Settings\hans\Application Data\DAEMON Tools
2008-07-05 12:38 . 2008-07-05 12:38 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-05 12:30 . 2008-07-05 12:30 <DIR> d-------- C:\Program Files\Dell
2008-07-05 12:01 . 2006-01-05 14:55 22,663 -ra------ C:\WINDOWS\system32\DELG1LMK.DLL
2008-07-05 12:01 . 2005-09-09 13:59 508 -ra------ C:\WINDOWS\system32\DELG1lmk.smt
2008-07-05 11:59 . 2008-07-05 11:59 <DIR> d-------- C:\dell
2008-07-05 11:59 . 2005-12-12 15:56 151,552 --a------ C:\WINDOWS\system32\d1815ci.exe
2008-07-05 11:59 . 2005-12-12 15:57 135,168 --a------ C:\WINDOWS\system32\VdSetup.Exe
2008-07-05 11:59 . 2005-12-12 15:57 57,344 --a------ C:\WINDOWS\system32\d1815ci.dll
2008-07-05 11:59 . 2005-12-12 15:57 53,248 --a------ C:\WINDOWS\system32\VdSetup.dll
2008-07-04 13:10 . 2008-07-04 13:10 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-04 13:10 . 2008-07-04 13:10 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-03 17:04 . 2008-07-03 17:04 <DIR> d-------- C:\Program Files\WildEdit
2008-07-03 17:04 . 2008-07-03 17:04 <DIR> d-------- C:\Documents and Settings\hans\Application Data\Helios
2008-07-03 16:20 . 2008-07-03 16:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 16:20 . 2008-07-03 16:20 <DIR> d-------- C:\Documents and Settings\hans\Application Data\Malwarebytes
2008-07-03 16:20 . 2008-07-03 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 16:20 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-03 16:20 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-03 15:15 . 2008-07-03 15:15 <DIR> d-------- C:\Program Files\MinSläkt V3
2008-07-03 15:09 . 2008-07-03 15:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-03 14:53 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-07-03 14:53 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-07-03 14:50 . 2008-07-03 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-03 12:36 . 2008-07-03 12:36 <DIR> d-------- C:\Documents and Settings\hans\Application Data\Media Player Classic
2008-07-03 07:50 . 2008-04-14 00:17 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-30 21:51 . 2008-06-30 21:51 <DIR> d-------- C:\Program Files\CCleaner
2008-06-30 21:21 . 2008-07-02 21:21 110,419 --a------ C:\WINDOWS\BM07a76409.xml
2008-06-30 18:48 . 2008-07-03 09:23 268 --a------ C:\WINDOWS\wininit.ini
2008-06-30 18:06 . 2008-06-30 18:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-30 18:06 . 2008-07-01 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 00:45 . 2008-06-30 00:45 <DIR> d-------- C:\Program Files\HostsMan
2008-06-30 00:45 . 2008-06-30 00:45 <DIR> d-------- C:\Documents and Settings\hans\Application Data\abelhadigital.com
2008-06-30 00:45 . 2008-06-30 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
2008-06-30 00:32 . 2008-06-30 00:32 <DIR> d-------- C:\Program Files\uTorrent
2008-06-30 00:31 . 2008-07-07 16:43 <DIR> d-------- C:\Documents and Settings\hans\Application Data\uTorrent
2008-06-30 00:28 . 2008-06-30 00:28 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-30 00:23 . 2008-07-03 14:50 <DIR> d-------- C:\Program Files\ESET
2008-06-30 00:21 . 2008-06-30 00:21 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-30 00:21 . 2007-08-18 08:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-30 00:21 . 2008-06-13 13:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-30 00:21 . 2008-06-13 13:05 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-30 00:21 . 2008-05-08 16:02 203,136 --a------ C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-30 00:21 . 2005-02-25 05:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-30 00:20 . 2008-06-30 00:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-30 00:18 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-30 00:18 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-30 00:15 . 2008-06-30 00:15 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-30 00:12 . 2008-06-30 00:12 <DIR> d-------- C:\ATI
2008-06-30 00:12 . 2008-06-02 21:05 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-06-30 00:09 . 2008-06-04 16:29 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-30 00:09 . 2008-01-10 14:30 442,368 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-06-30 00:09 . 2008-03-14 10:47 442,368 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-06-30 00:09 . 2008-02-26 17:55 9,417 --a------ C:\WINDOWS\system32\nvide.nvu
2008-06-30 00:09 . 2007-12-07 16:12 5,836 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-06-30 00:09 . 2008-03-12 12:14 3,948 --a------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-06-30 00:09 . 2007-12-07 14:34 2,016 --a------ C:\WINDOWS\system32\nvsmb.nvu
2008-06-30 00:08 . 2008-07-05 12:30 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-30 00:08 . 2008-06-30 00:08 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-30 00:08 . 2008-06-30 00:08 <DIR> d-------- C:\Program Files\ASUS
2008-06-30 00:06 . 2008-07-05 12:31 <DIR> d-------- C:\Documents and Settings\hans
2008-06-30 00:02 . 2008-06-30 00:02 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-06-30 00:02 . 2008-06-30 00:02 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-06-30 00:02 . 2008-06-30 00:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-30 00:02 . 2008-06-30 00:02 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-06-30 00:01 . 2008-06-30 00:01 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-06-12 18:25 . 2008-06-12 18:25 962,560 --a------ C:\WINDOWS\system32\VSFilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 14:44 --------- d-----w C:\Program Files\7-Zip
2008-06-30 08:01 --------- d-----w C:\Program Files\Unlocker
2008-06-30 06:02 --------- d-----w C:\Program Files\Notepad++
2008-06-29 22:16 --------- d-----w C:\Program Files\Utilities
2008-06-29 21:56 --------- d-----w C:\Program Files\Windows IP Configuration Manager
2008-06-29 21:56 --------- d-----w C:\Program Files\TaskSwitchXP
2008-06-29 21:56 --------- d-----w C:\Program Files\Attribute Changer
2008-06-29 21:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-29 21:55 --------- d-----w C:\Program Files\JkDefragGUI
2008-06-03 06:20 3,100,160 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-03 03:46 10,276,864 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-06-03 03:22 413,696 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:04 245,760 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:33 48,128 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 23,040 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:27 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-05-21 15:37 58,368 ----a-w C:\WINDOWS\system32\sol.exe
2008-05-21 15:37 56,832 ----a-w C:\WINDOWS\system32\freecell.exe
2008-05-21 15:37 3,165,696 ----a-w C:\WINDOWS\system32\msgina.dll
2008-05-21 15:37 129,024 ----a-w C:\WINDOWS\system32\mshearts.exe
2008-05-21 15:37 121,344 ----a-w C:\WINDOWS\system32\winmine.exe
2008-05-21 15:37 1,564,672 ----a-w C:\WINDOWS\system32\spider.exe
2008-05-21 15:37 1,384,960 ----a-w C:\WINDOWS\system32\cards.dll
2008-05-21 15:36 13,022,208 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-05-21 15:35 94,720 ----a-w C:\WINDOWS\system32\mshta.exe
2008-05-21 15:35 70,144 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-05-21 15:35 547,328 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-05-21 15:35 527,872 ----a-w C:\WINDOWS\system32\wiaacmgr.exe
2008-05-21 15:35 52,224 ----a-w C:\WINDOWS\system32\winchat.exe
2008-05-21 15:35 351,232 ----a-w C:\WINDOWS\winhlp32.exe
2008-05-21 15:35 32,256 ----a-w C:\WINDOWS\system32\wupdmgr.exe
2008-05-21 15:35 30,208 ----a-w C:\WINDOWS\system32\write.exe
2008-05-21 15:35 3,291,648 ----a-w C:\WINDOWS\system32\wextract.exe
2008-05-21 15:35 204,800 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-21 15:35 199,680 ----a-w C:\WINDOWS\system32\wuauclt1.exe
2008-05-21 15:35 105,984 ----a-w C:\WINDOWS\system32\admparse.dll
2008-05-21 15:33 947,984 ----a-w C:\WINDOWS\system32\calc.exe
2008-05-21 15:32 941,630 ----a-w C:\WINDOWS\srchasst\srchui.dll
2008-05-21 15:31 927,232 ----a-w C:\WINDOWS\system32\rasdlg.dll
2008-05-21 15:30 979,456 ----a-w C:\WINDOWS\system32\netplwiz.dll
2008-05-21 15:29 97,280 ----a-w C:\WINDOWS\system32\inetres.dll
2008-05-21 15:28 724,992 ----a-w C:\WINDOWS\system32\comctl32.dll
2008-05-21 15:20 89,856 ----a-w C:\WINDOWS\system32\drivers\nvatabus.sys
2008-05-21 15:20 295,424 ----a-w C:\WINDOWS\system32\idecoi.dll
2008-05-21 15:20 16,640 ----a-w C:\WINDOWS\system32\drivers\nvcchflt.sys
2008-05-21 15:19 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
2008-05-21 15:19 5,810 ----a-w C:\WINDOWS\system32\drivers\ASACPI.sys
2008-05-21 15:19 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-05-21 15:19 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-05-21 15:19 140,288 ----a-w C:\WINDOWS\system32\sfc_os.dll
2008-05-21 15:01 99,840 ----a-w C:\WINDOWS\system32\wmpshell.dll
2008-05-21 15:01 603,648 ----a-w C:\WINDOWS\system32\wmspdmod.dll
2008-05-21 15:01 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
2008-05-21 15:01 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
2008-05-21 15:01 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
2008-05-21 15:01 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
2008-05-21 15:01 314,880 ----a-w C:\WINDOWS\system32\wmpdxm.dll
2008-05-21 15:01 242,688 ----a-w C:\WINDOWS\system32\wmpasf.dll
2008-05-21 15:01 1,329,152 ----a-w C:\WINDOWS\system32\wmspdmoe.dll
2008-05-08 14:28 294,920 ----a-w C:\WINDOWS\system32\autoitx3.dll
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 20:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-14 05:42 74,752 ----a-w C:\WINDOWS\system32\storprop.dll
2008-04-14 05:42 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
2008-04-14 05:42 29,184 ----a-w C:\WINDOWS\system32\sdhcinst.dll
2008-04-14 05:41 30,208 ----a-w C:\WINDOWS\system32\bthserv.dll
2008-04-14 05:41 21,504 ----a-w C:\WINDOWS\system32\hidserv.dll
2008-04-14 05:41 20,992 ----a-w C:\WINDOWS\system32\bthci.dll
2008-04-14 03:41 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll
2008-04-14 02:10 1,296,669 ----a-r C:\WINDOWS\SET3.tmp
2008-04-14 02:10 1,296,669 ----a-r C:\WINDOWS\SET27.tmp
2008-04-14 02:04 16,535 ----a-r C:\WINDOWS\SET8.tmp
2008-04-14 02:04 16,535 ----a-r C:\WINDOWS\SET36.tmp
2008-04-14 02:04 1,088,840 ----a-r C:\WINDOWS\SET4.tmp
2008-04-14 02:04 1,088,840 ----a-r C:\WINDOWS\SET2A.tmp
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\Dcache.bin
2008-04-14 00:21 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll
2008-04-14 00:21 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
2008-04-14 00:21 483,840 ----a-w C:\WINDOWS\system32\wzcsvc.dll
.

------- Sigcheck -------

2008-05-21 17:19 361344 68f06fe0021b01e670af37b8c5964fdf C:\WINDOWS\system32\drivers\tcpip.sys

2008-05-21 17:35 547328 a55b8899d2ea2e800061bcfd456e34dc C:\WINDOWS\system32\winlogon.exe

2008-05-21 17:33 1551872 c26978d5f821a7330439dd7f0aaaf678 C:\WINDOWS\explorer.exe

2008-05-21 17:33 25088 b5e8782d4af1b3756f38e11e7c157bbe C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-21 17:33 25088]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 14:59 62976]
"HostsServer"="C:\Program Files\HostsMan\hostssrv.exe" [2008-06-15 18:06 1822720]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-04 17:01 486856]
"Windows Live FolderShare"="C:\Program Files\Windows Live\FolderShare\FolderShare.exe" [2008-05-30 12:14 1326624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-01 22:15 15872]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 13:21 61440]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"DellNSCST_GRNCH"="C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-08-28 19:17 278528]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"SoundMan"="SOUNDMAN.EXE" [2005-02-02 10:47 77824 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 14:59 62976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Dell\\Dell Laser MFP 1815\\NetworkScan\\DNSCST.exe"=
"C:\\Program Files\\Windows Live\\FolderShare\\FolderShare.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys [2008-05-21 17:20]
R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2008-01-25 20:01]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2008-05-21 17:34]

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PowerTweak Menu - C:\WINDOWS\system32\mmm.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 16:45:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-07 16:46:02
ComboFix-quarantined-files.txt 2008-07-07 14:45:58

Pre-Run: 241,690,230,784 bytes free
Post-Run: 241,719,504,896 bytes free

267 --- E O F --- 2008-07-06 20:06:39


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:51:26, on 2008-07-07
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Windows Live\FolderShare\FolderShare.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --start
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Program Files\Windows Live\FolderShare\FolderShare.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 7231 bytes

pskelley
2008-07-07, 17:14
Post the combofix log from CFScript and a last HJT log and tell me of any malware issues.
If all is running as it should, then remove combofix from your computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

swede
2008-07-08, 09:11
If all is running as it should, then remove combofix from your computer

There have been no symptoms of infection for a couple of days, so I hope that my computer is clean. Combofix is removed.

Thanks a bunch for your efforts, knowledge and patience!