View Full Version : HJT log, Please help! Virtumonde!
Hi sorry I did already post this yesterday morning but have not received help, I'm going crazy!!! Spybot has detected virtumonde more than once aswell as others I don't recall its/their name. I have done another log and am trying to keep internet offline as much as possible.
please please help!!! Thanks!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:56, on 30/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VistaDrive.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\DNA\btdna.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.yahoo.com/search?p=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
O3 - Toolbar: (no name) - {236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive.exe /NOTRAY
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Admin\svchost.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [c481d2b2] rundll32.exe "C:\WINDOWS\system32\akvnewoi.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMc7b2e12e] Rundll32.exe "C:\WINDOWS\system32\gftjfbnn.dll",s
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 7033 bytes
http://forums.spybot.info/showthread.php?t=30225
shelf life
2008-07-03, 02:35
hi di1985,
we will get a download to use and maybe another later.first: Combofix:
Download combofix from one of these links and save it to your Desktop:
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
shelf life
fantastic thanks. Ok combo fix and HJT reports below(combofix attached aswell as copied - wasnt sure which you wanted). Spybot kept popping up asking qbout registry changes which i kept denying, will this be denying combofix from working properly?? Thanks!!!
2008-07-04 15:53 . 2008-07-04 15:53 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-04 15:53 . 2008-07-04 15:53 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-30 21:40 . 2008-06-30 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 13:10 . 2008-07-04 15:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-29 12:01 . 2008-07-04 13:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-29 12:01 . 2008-07-02 09:52 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-06-29 12:01 . 2008-07-04 13:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-29 12:00 . 2008-07-04 13:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-29 12:00 . 2008-06-29 12:00 <DIR> d-------- C:\Program Files\AVG
2008-06-29 11:00 . 2008-06-29 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-29 10:35 . 2008-06-29 10:35 294 --ahs---- C:\WINDOWS\system32\cwxsybiq.ini
2008-06-28 20:08 . 2008-07-02 20:01 500 --a------ C:\WINDOWS\wininit.ini
2008-06-28 19:56 . 2008-06-28 19:57 <DIR> d-------- C:\Program Files\Kontiki
2008-06-28 19:55 . 2008-06-28 19:55 <DIR> d-------- C:\Program Files\Channel4
2008-06-28 19:13 . 2008-06-28 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-28 19:12 . 2008-06-28 19:12 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2008-06-28 18:47 . 2008-06-28 18:47 <DIR> d-------- C:\Program Files\EasyDVDClone
2008-06-28 18:47 . 2008-06-28 18:47 <DIR> d-------- C:\Program Files\Alky for Applications
2008-06-28 18:46 . 2008-06-28 18:46 <DIR> d-------- C:\Program Files\Uniblue
2008-06-28 18:46 . 2008-07-04 15:49 <DIR> d-------- C:\Program Files\SPSSEVAL
2008-06-28 18:46 . 2008-06-28 18:46 <DIR> d-------- C:\Program Files\nLite
2008-06-28 09:29 . 2008-06-28 09:29 2,540 --a------ C:\WINDOWS\unins000.dat
2008-06-28 08:49 . 2008-07-02 07:19 110,442 --a------ C:\WINDOWS\BMc7b2e12e.xml
2008-06-27 17:40 . 2008-06-29 13:10 <DIR> d-------- C:\WINDOWS\system32\modtrux05
2008-06-27 17:40 . 2008-06-27 17:40 <DIR> d-------- C:\Temp\syschk3
2008-06-27 17:40 . 2008-06-27 17:40 <DIR> d-------- C:\Temp
2008-06-27 17:40 . 2008-06-27 17:49 <DIR> d--hs---- C:\Documents and Settings\Admin\!
2008-06-25 20:35 . 2008-06-25 20:35 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-06-19 20:36 . 2008-06-19 20:36 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\dvdcss
2008-06-19 13:41 . 2008-06-19 20:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 09:44 . 2008-06-19 09:44 <DIR> d-------- C:\Program Files\Xilisoft
2008-06-19 09:40 . 2008-06-19 09:40 <DIR> d-------- C:\WINDOWS\system32\quicktime
2008-06-19 09:40 . 2008-06-19 09:40 <DIR> d-------- C:\Program Files\AVI Movie Player
2008-06-19 09:19 . 2006-10-04 07:06 1,197,294 --a------ C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-06-19 09:19 . 2006-10-04 07:06 764,868 --a------ C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-06-19 09:19 . 2006-10-04 07:06 217,118 --a------ C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-06-15 12:03 . 2008-06-15 12:03 <DIR> d-------- C:\Program Files\BitTorrent
2008-06-12 12:41 . 2008-06-12 12:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-11 11:55 . 2008-06-11 11:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 03:02 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 03:02 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 03:02 . 2008-05-08 05:14 203,008 --a------ C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 02:22 . 2008-06-28 19:39 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\LimeWire
2008-06-07 14:19 . 2008-07-04 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-07 14:19 . 2008-06-07 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 22:52 --------- d-----w C:\Documents and Settings\Admin\Application Data\DNA
2008-07-03 01:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-01 18:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-01 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-29 02:39 --------- d-----w C:\Documents and Settings\Admin\Application Data\FrostWire
2008-06-23 17:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-06-11 10:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-07 21:11 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVGTOOLBAR
2008-05-27 01:25 --------- d-----w C:\Documents and Settings\Admin\Application Data\ExplorerPlus
2008-05-27 01:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-27 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
2008-05-27 00:56 --------- d-----w C:\Program Files\PowerISO
2008-05-27 00:49 --------- d-----w C:\Program Files\DNA
2008-05-24 19:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 19:44 --------- d-----w C:\Program Files\Bethesda Softworks
2008-05-24 19:32 --------- d-----w C:\Program Files\Fox
2008-05-24 18:31 --------- d-----w C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-05-24 18:29 --------- d-----w C:\Program Files\BitLord
2008-05-24 18:20 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-24 00:01 --------- d-----w C:\Program Files\Java
2008-05-24 00:01 --------- d-----w C:\Program Files\Common Files\Java
2008-05-23 10:12 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2008-05-23 10:10 --------- d-----w C:\Program Files\Opera
2008-05-23 10:06 --------- d-----w C:\Program Files\BlackXP
2008-05-22 22:09 --------- d-----w C:\Program Files\MSBuild
2008-05-22 22:09 --------- d-----w C:\Program Files\Microsoft Works
2008-05-22 22:03 --------- d-----w C:\Documents and Settings\Admin\Application Data\Nero
2008-05-22 20:41 --------- d-----w C:\Program Files\Tiger System Preferences v2
2008-05-22 20:33 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-22 20:33 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\TuneUp Software
2008-05-22 20:33 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-05-22 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-22 20:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\TuneUp Software
2008-05-22 20:32 --------- d-----w C:\Program Files\BackupFox
2008-05-22 20:28 --------- d-----w C:\Program Files\Utilities
2008-05-22 20:26 --------- d-----w C:\Program Files\Microsoft Games
2008-05-22 20:25 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\uTorrent
2008-05-22 20:25 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-22 20:25 --------- d-----w C:\Program Files\Driver-Soft
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-22 08:02 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 08:02 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 08:02 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.
------- Sigcheck -------
2007-12-28 06:39 2221824 86889d12db125d402d618ed36bf7e166 C:\WINDOWS\system32\ntkrnlpa.exe
2007-12-28 06:34 2345216 31610d15a02ce89554172a03e5268efa C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-26 17:49 289088]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 13:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-10 12:22 1260296]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD5375"="del" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 08:13 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 08:13 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 08:13 137752]
"VistaDrive"="C:\WINDOWS\VistaDrive.exe" [2007-10-11 16:19 1596230]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 16:50 233472]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 13:23 1232152]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 02:50 16855552 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 10:43 69632 C:\WINDOWS\ALCMTR.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA420"="command" [X]
"SpybotDeletingA3394"="command" [X]
"SpybotDeletingC8921"="del" [X]
"SpybotDeletingA5502"="command" [X]
"SpybotDeletingC3938"="del" [X]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 iastor76;iastor76;C:\WINDOWS\system32\drivers\iastor76.sys [2007-12-28 07:10]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 13:22]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 13:23]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 13:00]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-22 13:33]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-06-29 02:39:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{0262C3AB-8F92-4BDA-ADEC-C630C9898A75} - C:\WINDOWS\system32\opnnNdba.dll
BHO-{39690754-8BCE-4307-9EA3-A996028060CB} - C:\WINDOWS\system32\jkkihExX.dll
BHO-{492BA8E1-C04D-4B6F-AA60-382D4871C275} - C:\WINDOWS\system32\qoMfgeca.dll
BHO-{BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\iifcATjj.dll
BHO-{C50B1740-F4DA-45C6-925A-BF5DA2510805} - C:\WINDOWS\system32\ssqRjjkj.dll
BHO-{DB64606A-AD4B-4637-B693-4924C017D9E1} - C:\WINDOWS\system32\xxyWmLee.dll
Toolbar-{236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
WebBrowser-{236BD960-2FAB-4645-9BC1-DAE85904734E} - (no file)
HKCU-Run-Uniblue SpeedUpMyPC - (no file)
HKLM-Run-NBKeyScan - C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-c481d2b2 - C:\WINDOWS\system32\svycnafh.dll
HKLM-Run-BMc7b2e12e - C:\WINDOWS\system32\adbwreua.dll
HKLM-Run-Host Process - C:\Documents and Settings\Admin\svchost.exe
ShellExecuteHooks-{BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\iifcATjj.dll
Notify-iifcATjj - iifcATjj.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 15:53:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-04 15:57:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 22:57:32
Pre-Run: 49,601,445,888 bytes free
Post-Run: 49,631,870,976 bytes free
247 --- E O F --- 2008-07-01 20:38:35
__________________________________________________________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03:09, on 04/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VistaDrive.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive.exe /NOTRAY
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Admin\svchost.exe
O4 - HKLM\..\Run: [BMc7b2e12e] Rundll32.exe "C:\WINDOWS\system32\adbwreua.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA420] command /c del "C:\WINDOWS\system32\ssqRjjkj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3394] command /c del "C:\WINDOWS\system32\ssqRjjkj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8921] cmd /c del "C:\WINDOWS\system32\ssqRjjkj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5502] command /c del "C:\WINDOWS\system32\ssqRjjkj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3938] cmd /c del "C:\WINDOWS\system32\ssqRjjkj.dll_old"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD5375] cmd /c del "C:\WINDOWS\system32\xxyWmLee.dll_old"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 7537 bytes
OH! I should add that i have been deleting 'cftmon' from processes and this has aloowed me to access facebook/yahoo etc again
shelf life
2008-07-05, 00:00
hi,
thanks for the info, looks like the top part of the combofix log got cut off. i cant tell if it removed anything.
lets turn off tea timer for now also:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
after the reboot please rerun combofix:
double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
oh this is such a relief to be getting help!! logs below and again attached combo log as unsure if you want it that way!
Ive read of this
ComboFix 08-07-03.5 - Admin 2008-07-04 22:27:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.583 [GMT -7:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-04 15:53 . 2008-07-04 15:53 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-04 15:53 . 2008-07-04 15:53 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-30 21:40 . 2008-06-30 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 13:10 . 2008-07-04 15:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-29 12:01 . 2008-07-04 13:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-29 12:01 . 2008-07-02 09:52 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-06-29 12:01 . 2008-07-04 13:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-29 12:00 . 2008-07-04 13:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-29 12:00 . 2008-06-29 12:00 <DIR> d-------- C:\Program Files\AVG
2008-06-29 11:00 . 2008-06-29 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-29 10:35 . 2008-06-29 10:35 294 --ahs---- C:\WINDOWS\system32\cwxsybiq.ini
2008-06-28 20:08 . 2008-07-02 20:01 500 --a------ C:\WINDOWS\wininit.ini
2008-06-28 19:56 . 2008-06-28 19:57 <DIR> d-------- C:\Program Files\Kontiki
2008-06-28 19:55 . 2008-06-28 19:55 <DIR> d-------- C:\Program Files\Channel4
2008-06-28 19:13 . 2008-06-28 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-28 19:12 . 2008-06-28 19:12 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2008-06-28 18:47 . 2008-06-28 18:47 <DIR> d-------- C:\Program Files\EasyDVDClone
2008-06-28 18:47 . 2008-06-28 18:47 <DIR> d-------- C:\Program Files\Alky for Applications
2008-06-28 18:46 . 2008-06-28 18:46 <DIR> d-------- C:\Program Files\Uniblue
2008-06-28 18:46 . 2008-07-04 15:49 <DIR> d-------- C:\Program Files\SPSSEVAL
2008-06-28 18:46 . 2008-06-28 18:46 <DIR> d-------- C:\Program Files\nLite
2008-06-28 09:29 . 2008-06-28 09:29 2,540 --a------ C:\WINDOWS\unins000.dat
2008-06-28 08:49 . 2008-07-02 07:19 110,442 --a------ C:\WINDOWS\BMc7b2e12e.xml
2008-06-27 17:40 . 2008-06-29 13:10 <DIR> d-------- C:\WINDOWS\system32\modtrux05
2008-06-27 17:40 . 2008-06-27 17:40 <DIR> d-------- C:\Temp\syschk3
2008-06-27 17:40 . 2008-06-27 17:40 <DIR> d-------- C:\Temp
2008-06-27 17:40 . 2008-06-27 17:49 <DIR> d--hs---- C:\Documents and Settings\Admin\!
2008-06-25 20:35 . 2008-06-25 20:35 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-06-19 20:36 . 2008-06-19 20:36 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\dvdcss
2008-06-19 13:41 . 2008-06-19 20:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 09:44 . 2008-06-19 09:44 <DIR> d-------- C:\Program Files\Xilisoft
2008-06-19 09:40 . 2008-06-19 09:40 <DIR> d-------- C:\WINDOWS\system32\quicktime
2008-06-19 09:40 . 2008-06-19 09:40 <DIR> d-------- C:\Program Files\AVI Movie Player
2008-06-19 09:19 . 2006-10-04 07:06 1,197,294 --a------ C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-06-19 09:19 . 2006-10-04 07:06 764,868 --a------ C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-06-19 09:19 . 2006-10-04 07:06 217,118 --a------ C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-06-15 12:03 . 2008-06-15 12:03 <DIR> d-------- C:\Program Files\BitTorrent
2008-06-12 12:41 . 2008-06-12 12:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-11 11:55 . 2008-06-11 11:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 03:02 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 03:02 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 03:02 . 2008-05-08 05:14 203,008 --a------ C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 02:22 . 2008-06-28 19:39 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\LimeWire
2008-06-07 14:19 . 2008-07-04 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-07 14:19 . 2008-06-07 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 05:22 --------- d-----w C:\Documents and Settings\Admin\Application Data\DNA
2008-07-03 01:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-01 18:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-01 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-29 02:39 --------- d-----w C:\Documents and Settings\Admin\Application Data\FrostWire
2008-06-23 17:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-06-11 10:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-07 21:11 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVGTOOLBAR
2008-05-27 01:25 --------- d-----w C:\Documents and Settings\Admin\Application Data\ExplorerPlus
2008-05-27 01:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-27 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
2008-05-27 00:56 --------- d-----w C:\Program Files\PowerISO
2008-05-27 00:49 --------- d-----w C:\Program Files\DNA
2008-05-24 19:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 19:44 --------- d-----w C:\Program Files\Bethesda Softworks
2008-05-24 19:32 --------- d-----w C:\Program Files\Fox
2008-05-24 18:31 --------- d-----w C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-05-24 18:29 --------- d-----w C:\Program Files\BitLord
2008-05-24 18:20 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-24 00:01 --------- d-----w C:\Program Files\Java
2008-05-24 00:01 --------- d-----w C:\Program Files\Common Files\Java
2008-05-23 10:12 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2008-05-23 10:10 --------- d-----w C:\Program Files\Opera
2008-05-23 10:06 --------- d-----w C:\Program Files\BlackXP
2008-05-22 22:09 --------- d-----w C:\Program Files\MSBuild
2008-05-22 22:09 --------- d-----w C:\Program Files\Microsoft Works
2008-05-22 22:03 --------- d-----w C:\Documents and Settings\Admin\Application Data\Nero
2008-05-22 20:41 --------- d-----w C:\Program Files\Tiger System Preferences v2
2008-05-22 20:33 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-22 20:33 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\TuneUp Software
2008-05-22 20:33 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-05-22 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-22 20:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\TuneUp Software
2008-05-22 20:32 --------- d-----w C:\Program Files\BackupFox
2008-05-22 20:28 --------- d-----w C:\Program Files\Utilities
2008-05-22 20:26 --------- d-----w C:\Program Files\Microsoft Games
2008-05-22 20:25 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\uTorrent
2008-05-22 20:25 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-22 20:25 --------- d-----w C:\Program Files\Driver-Soft
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-22 08:02 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 08:02 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 08:02 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.
------- Sigcheck -------
2007-12-28 06:39 2221824 86889d12db125d402d618ed36bf7e166 C:\WINDOWS\system32\ntkrnlpa.exe
2007-12-28 06:34 2345216 31610d15a02ce89554172a03e5268efa C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-04_15.57.20.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 22:53:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 05:24:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-04 22:19:10 59,842 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-04 22:57:37 59,842 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-04 22:19:10 395,768 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-04 22:57:37 395,768 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-05 05:24:50 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-26 17:49 289088]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 13:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-10 12:22 1260296]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"Uniblue SpeedUpMyPC"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 08:13 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 08:13 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 08:13 137752]
"VistaDrive"="C:\WINDOWS\VistaDrive.exe" [2007-10-11 16:19 1596230]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 16:50 233472]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 13:23 1232152]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"BMc7b2e12e"="C:\WINDOWS\system32\adbwreua.dll" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 02:50 16855552 C:\WINDOWS\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 iastor76;iastor76;C:\WINDOWS\system32\drivers\iastor76.sys [2007-12-28 07:10]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 13:22]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 13:23]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 13:00]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-22 13:33]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-05 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-06-29 02:39:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
WebBrowser-{236BD960-2FAB-4645-9BC1-DAE85904734E} - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 22:28:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-04 22:30:33
ComboFix-quarantined-files.txt 2008-07-05 05:30:31
ComboFix2.txt 2008-07-04 22:57:42
Pre-Run: 49,652,072,448 bytes free
Post-Run: 49,672,613,888 bytes free
190 --- E O F --- 2008-07-01 20:38:35
-----------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31:51, on 04/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VistaDrive.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive.exe /NOTRAY
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BMc7b2e12e] Rundll32.exe "C:\WINDOWS\system32\adbwreua.dll",s
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 6434 bytes
shelf life
2008-07-05, 02:47
hi di1985,
ok thanks for the info. we will use combofix again:
Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:
File::
C:\WINDOWS\BMc7b2e12e.xml
C:\WINDOWS\system32\cwxsybiq.ini
Folder::
C:\WINDOWS\system32\modtrux05
C:\Temp\syschk3
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMc7b2e12e"="-
Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.
Thanks,
ComboFix 08-07-03.5 - Admin 2008-07-05 9:19:44.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.550 [GMT -7:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BMc7b2e12e.xml
C:\WINDOWS\system32\cwxsybiq.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\syschk3
C:\WINDOWS\BMc7b2e12e.xml
C:\WINDOWS\system32\cwxsybiq.ini
C:\WINDOWS\system32\modtrux05
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-04 15:53 . 2008-07-04 15:53 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-04 15:53 . 2008-07-04 15:53 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-30 21:40 . 2008-06-30 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 13:10 . 2008-07-04 15:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-29 12:01 . 2008-07-04 13:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-29 12:01 . 2008-07-02 09:52 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-06-29 12:01 . 2008-07-04 13:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-29 12:00 . 2008-07-04 13:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-29 12:00 . 2008-06-29 12:00 <DIR> d-------- C:\Program Files\AVG
2008-06-29 11:00 . 2008-06-29 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-28 20:08 . 2008-07-02 20:01 500 --a------ C:\WINDOWS\wininit.ini
2008-06-28 19:56 . 2008-06-28 19:57 <DIR> d-------- C:\Program Files\Kontiki
2008-06-28 19:55 . 2008-06-28 19:55 <DIR> d-------- C:\Program Files\Channel4
2008-06-28 19:13 . 2008-06-28 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-28 19:12 . 2008-06-28 19:12 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2008-06-28 18:47 . 2008-06-28 18:47 <DIR> d-------- C:\Program Files\EasyDVDClone
2008-06-28 18:47 . 2008-06-28 18:47 <DIR> d-------- C:\Program Files\Alky for Applications
2008-06-28 18:46 . 2008-06-28 18:46 <DIR> d-------- C:\Program Files\Uniblue
2008-06-28 18:46 . 2008-07-04 15:49 <DIR> d-------- C:\Program Files\SPSSEVAL
2008-06-28 18:46 . 2008-06-28 18:46 <DIR> d-------- C:\Program Files\nLite
2008-06-28 09:29 . 2008-06-28 09:29 2,540 --a------ C:\WINDOWS\unins000.dat
2008-06-27 17:40 . 2008-07-05 09:19 <DIR> d-------- C:\Temp
2008-06-27 17:40 . 2008-06-27 17:49 <DIR> d--hs---- C:\Documents and Settings\Admin\!
2008-06-25 20:35 . 2008-06-25 20:35 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-06-19 20:36 . 2008-06-19 20:36 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\dvdcss
2008-06-19 13:41 . 2008-06-19 20:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 09:44 . 2008-06-19 09:44 <DIR> d-------- C:\Program Files\Xilisoft
2008-06-19 09:40 . 2008-06-19 09:40 <DIR> d-------- C:\WINDOWS\system32\quicktime
2008-06-19 09:40 . 2008-06-19 09:40 <DIR> d-------- C:\Program Files\AVI Movie Player
2008-06-19 09:19 . 2006-10-04 07:06 1,197,294 --a------ C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-06-19 09:19 . 2006-10-04 07:06 764,868 --a------ C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-06-19 09:19 . 2006-10-04 07:06 217,118 --a------ C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-06-15 12:03 . 2008-06-15 12:03 <DIR> d-------- C:\Program Files\BitTorrent
2008-06-12 12:41 . 2008-06-12 12:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-11 11:55 . 2008-06-11 11:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 03:02 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 03:02 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 03:02 . 2008-05-08 05:14 203,008 --a------ C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 02:22 . 2008-06-28 19:39 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\LimeWire
2008-06-07 14:19 . 2008-07-05 09:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-07 14:19 . 2008-06-07 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 06:34 --------- d-----w C:\Documents and Settings\Admin\Application Data\DNA
2008-07-03 01:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-01 18:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-01 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-29 02:39 --------- d-----w C:\Documents and Settings\Admin\Application Data\FrostWire
2008-06-23 17:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-06-11 10:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-07 21:11 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVGTOOLBAR
2008-05-27 01:25 --------- d-----w C:\Documents and Settings\Admin\Application Data\ExplorerPlus
2008-05-27 01:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-27 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
2008-05-27 00:56 --------- d-----w C:\Program Files\PowerISO
2008-05-27 00:49 --------- d-----w C:\Program Files\DNA
2008-05-24 19:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 19:44 --------- d-----w C:\Program Files\Bethesda Softworks
2008-05-24 19:32 --------- d-----w C:\Program Files\Fox
2008-05-24 18:31 --------- d-----w C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-05-24 18:29 --------- d-----w C:\Program Files\BitLord
2008-05-24 18:20 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-24 00:01 --------- d-----w C:\Program Files\Java
2008-05-24 00:01 --------- d-----w C:\Program Files\Common Files\Java
2008-05-23 10:12 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2008-05-23 10:10 --------- d-----w C:\Program Files\Opera
2008-05-23 10:06 --------- d-----w C:\Program Files\BlackXP
2008-05-22 22:09 --------- d-----w C:\Program Files\MSBuild
2008-05-22 22:09 --------- d-----w C:\Program Files\Microsoft Works
2008-05-22 22:03 --------- d-----w C:\Documents and Settings\Admin\Application Data\Nero
2008-05-22 20:41 --------- d-----w C:\Program Files\Tiger System Preferences v2
2008-05-22 20:33 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-22 20:33 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\TuneUp Software
2008-05-22 20:33 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-05-22 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-22 20:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\TuneUp Software
2008-05-22 20:32 --------- d-----w C:\Program Files\BackupFox
2008-05-22 20:28 --------- d-----w C:\Program Files\Utilities
2008-05-22 20:26 --------- d-----w C:\Program Files\Microsoft Games
2008-05-22 20:25 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\uTorrent
2008-05-22 20:25 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-22 20:25 --------- d-----w C:\Program Files\Driver-Soft
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-22 08:02 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 08:02 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 08:02 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.
------- Sigcheck -------
2007-12-28 06:39 2221824 86889d12db125d402d618ed36bf7e166 C:\WINDOWS\system32\ntkrnlpa.exe
2007-12-28 06:34 2345216 31610d15a02ce89554172a03e5268efa C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-04_15.57.20.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 22:53:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 16:09:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-04 22:19:10 59,842 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-05 16:14:40 59,842 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-04 22:19:10 395,768 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-05 16:14:40 395,768 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-05 16:10:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-26 17:49 289088]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 13:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-10 12:22 1260296]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"Uniblue SpeedUpMyPC"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 08:13 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 08:13 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 08:13 137752]
"VistaDrive"="C:\WINDOWS\VistaDrive.exe" [2007-10-11 16:19 1596230]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 16:50 233472]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 13:23 1232152]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"BMc7b2e12e"="C:\WINDOWS\system32\adbwreua.dll" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 02:50 16855552 C:\WINDOWS\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 iastor76;iastor76;C:\WINDOWS\system32\drivers\iastor76.sys [2007-12-28 07:10]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 13:22]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 13:23]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 13:00]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-22 13:33]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2008-07-05 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-06-29 02:39:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 09:20:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-05 9:20:41
ComboFix-quarantined-files.txt 2008-07-05 16:20:39
ComboFix2.txt 2008-07-05 16:15:43
ComboFix3.txt 2008-07-05 05:30:34
ComboFix4.txt 2008-07-04 22:57:42
Pre-Run: 49,651,867,648 bytes free
Post-Run: 49,644,892,160 bytes free
196 --- E O F --- 2008-07-01 20:38:35
----------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22:17, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VistaDrive.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive.exe /NOTRAY
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BMc7b2e12e] Rundll32.exe "C:\WINDOWS\system32\adbwreua.dll",s
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 6435 bytes
shelf life
2008-07-05, 16:04
hi di1985,
thanks for the info. we will use hjt and get one more download to use. first make sure that spybots tea timer is still disabled.
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
R3 - URLSearchHook: (no name) - {236bd960-2fab-4645-9bc1-dae85904734e} - (no file)
O4 - HKLM\..\Run: [BMc7b2e12e] Rundll32.exe "C:\WINDOWS\system32\adbwreua.dll",s
--------------------------
the download:
Please download Malwarebytes' Anti-Malware to your desktop:
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
post the malwarebytes log and a new hjt log please. copy/paste them in your reply
Thanks(again!)
Malwarebytes' Anti-Malware 1.19
Database version: 922
Windows 5.1.2600 Service Pack 2
18:19:53 05/07/2008
mbam-log-7-5-2008 (18-19-53).txt
Scan type: Full Scan (C:\|)
Objects scanned: 117549
Time elapsed: 31 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Admin\My Documents\keys\Lightromm 1.3\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{26484186-5545-4D89-A7B3-4BA45CD4437C}\RP6\A0009587.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:02, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VistaDrive.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive.exe /NOTRAY
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 6414 bytes
shelf life
2008-07-05, 22:14
hi,
ok good. hows it all looking on your end now? if all is good we can remove some of the tools we used.
oh yes, the net has been working ever since i started deleting cftmon(or something similar) from applications. But finally allowing me to update windows too which i gues is the biggest struggle i experienced aswell as keeping auto updates on!
THANKS! So shall i just remove everything the usual way!? Should I just keep spybot and avg?
YOU'RE A STAR!! I was really worried Id have to send the comp away!!:crowned:
shelf life
2008-07-06, 02:27
hi,
ok good. your welcome.
read this links about: ctfmon.exe
http://support.microsoft.com/kb/282599
you have spybot, ad aware, spyeraser, AVG (which includes anti-malware)and malwarebytes. more dosnt equal better protection.
i would keep avg since it includes antivirus. I would remove two of the others via the add/remove programs panel. two along with avg is plenty.
to remove combofix: we will get another download that will do it automatically for you:
Please download the OTMoveIt2 by OldTimer.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it.
click the CleanUp! button and follow the prompts.
--------------------------------
java:
Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.
It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilites/exploits that can be taken advantage of to possibly introduce malware via your browser.
* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.
to check if you have the latest version of Java and to download the latest version:
http://www.java.com/en/download/installed.jsp
----------------------------
system restore:
One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
Thanks, i am unable to locate adaware in add or remove programs and spy eraser will not uninstall as it says the files doesnt exist :s
shelf life
2008-07-08, 00:22
hi,
ok. i saw the ad aware service in the earlier hjt log, dont see it now.
if you look here:C:\Program Files\ do you see the Uniblue folder. anything in the folder? maybe it left a folder behind, iam going by this:
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe