View Full Version : Another Virtuemonde victim.
Hals1967
2008-07-21, 04:59
Help, my PC is infected with Virtumonde, it's opening web pages by itself etc.
Here's my HiJack this log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:54:49, on 21/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {3c01fa48-a040-411a-b6d0-9fc4ba7a2e9e} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7EBB7DA6-2369-450D-980F-9A2311A99ACF} - C:\WINDOWS\system32\mlJBRiFU.dll
O2 - BHO: (no name) - {856D430C-5196-48C3-A6B5-3E97B186084F} - C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
O2 - BHO: (no name) - {9CA86D87-8621-4888-B7F0-EBB4F1617B19} - C:\WINDOWS\system32\nnnkJYrs.dll
O2 - BHO: (no name) - {C4B2F598-F5DC-4B96-8E23-B7DE4839CF26} - (no file)
O2 - BHO: {4cc38f9a-31a1-9ce9-3924-986ce0bc3cbc} - {cbc3cb0e-c689-4293-9ec9-1a13a9f83cc4} - C:\WINDOWS\system32\ryqlai.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [409ecb42] rundll32.exe "C:\WINDOWS\system32\cxquqife.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8357] command /c del "C:\WINDOWS\system32\mlJBRiFU.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8624] cmd /c del "C:\WINDOWS\system32\mlJBRiFU.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6905] command /c del "C:\WINDOWS\system32\mlJBRiFU.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5125] cmd /c del "C:\WINDOWS\system32\mlJBRiFU.dll"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200728085715
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200728061871
O20 - Winlogon Notify: mlJBRiFU - C:\WINDOWS\SYSTEM32\mlJBRiFU.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 9922 bytes
Hals1967
2008-07-21, 13:49
Hi again.
I've renamed HiJack this.exe to Hals1967.exe and here's the new logfile.
Please help !
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:37, on 21/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\Hals1967.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {3c01fa48-a040-411a-b6d0-9fc4ba7a2e9e} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7EBB7DA6-2369-450D-980F-9A2311A99ACF} - C:\WINDOWS\system32\mlJBRiFU.dll
O2 - BHO: (no name) - {856D430C-5196-48C3-A6B5-3E97B186084F} - C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
O2 - BHO: (no name) - {BAC87812-3519-46D8-88F5-4675F11BBF8B} - C:\WINDOWS\system32\nnnkJYrs.dll
O2 - BHO: (no name) - {C4B2F598-F5DC-4B96-8E23-B7DE4839CF26} - (no file)
O2 - BHO: {4cc38f9a-31a1-9ce9-3924-986ce0bc3cbc} - {cbc3cb0e-c689-4293-9ec9-1a13a9f83cc4} - C:\WINDOWS\system32\ryqlai.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [409ecb42] rundll32.exe "C:\WINDOWS\system32\cxquqife.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8357] command /c del "C:\WINDOWS\system32\mlJBRiFU.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8624] cmd /c del "C:\WINDOWS\system32\mlJBRiFU.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6905] command /c del "C:\WINDOWS\system32\mlJBRiFU.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5125] cmd /c del "C:\WINDOWS\system32\mlJBRiFU.dll"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200728085715
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200728061871
O20 - Winlogon Notify: mlJBRiFU - C:\WINDOWS\SYSTEM32\mlJBRiFU.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 9719 bytes
Hi Hals1967
If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
Click on Mode > Advanced Mode. When it prompts you, click Yes.
On the left hand side, click on Tools.
Check (tick) this box if it is not yet ticked: Resident.
You will notice that Resident is now added under Tools. Click on Resident.
Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
Exit Spybot Search & Destroy.
Restart your computer for the changes to take effect.
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Post:
- a fresh HijackThis log
- combofix report
Hals1967
2008-07-24, 21:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39:07, on 24/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Hals1967.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0E6414D9-D1AB-43FF-8C53-7382F788F778} - C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {856D430C-5196-48C3-A6B5-3E97B186084F} - C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
O2 - BHO: (no name) - {98E1C35B-1203-477E-8019-35BC336897B0} - C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
O2 - BHO: (no name) - {B686C1EE-AD50-4151-BE86-49767C2D579B} - C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [409ecb42] rundll32.exe "C:\WINDOWS\system32\cxquqife.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\tcnrpuqe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200728085715
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200728061871
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 8966 bytes
--------------------------------------------------------------------------
ComboFix 08-07-23.5 - User 2008-07-24 19:33:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1031 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.
2008-07-22 21:41 . 2008-07-22 21:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-22 21:41 . 2008-07-22 21:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-22 19:10 . 2008-07-22 19:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-21 02:54 . 2008-07-21 02:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 21:44 . 2008-07-21 02:42 <DIR> d-------- C:\Documents and Settings\2846
2008-07-20 21:41 . 2008-07-22 18:36 588 --a------ C:\WINDOWS\wininit.ini
2008-07-20 21:21 . 2008-07-22 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 22:06 . 2008-07-09 22:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-07-09 22:06 . 2008-07-09 22:06 <DIR> d-------- C:\WINDOWS\Logs
2008-07-07 22:03 . 2008-07-07 22:03 <DIR> d-------- C:\Program Files\Common Files\merlin
2008-07-07 22:02 . 2008-07-23 20:34 <DIR> d-------- C:\Battle of Britain II
2008-07-06 13:11 . 2008-07-06 13:12 <DIR> d-------- C:\Program Files\Philips
2008-07-06 13:11 . 2008-07-06 13:11 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 18:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-24 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-22 19:48 --------- d-----w C:\Program Files\Tabs
2008-07-20 02:04 --------- d-----w C:\Documents and Settings\User\Application Data\Azureus
2008-07-14 17:36 --------- d-----w C:\Program Files\Java
2008-07-06 12:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 01:56 --------- d-----w C:\Program Files\BC & FC losses 1939-45
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 13:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 13:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 13:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 20:13 --------- d-----w C:\Program Files\ThirdWire
2008-06-06 20:31 --------- d-----w C:\Program Files\Azureus
2008-06-06 20:02 --------- d-----w C:\Program Files\Common Files\Java
2008-06-05 13:00 74,840 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2008-06-03 16:39 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 16:39 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-03 16:39 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 16:39 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 16:39 --------- d-----w C:\Program Files\Symantec
2008-06-02 18:25 --------- d-----w C:\Documents and Settings\User\Application Data\Canon
2008-05-30 13:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 13:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 13:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 13:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 13:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 13:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 13:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-06 01:17 61 --sh--w C:\WINDOWS\cnerolf.dat
2008-01-19 08:28 32 --sha-w C:\WINDOWS\{F2476FB1-2283-438F-A5B0-1AE4FB22B509}.dat
2008-01-19 08:28 32 --sha-w C:\WINDOWS\system32\{066077AC-666E-4E4C-9209-22D1C1039028}.dat
2008-01-11 15:03 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008011120080112\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E6414D9-D1AB-43FF-8C53-7382F788F778}]
2008-07-20 23:21 91648 --a------ C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{856D430C-5196-48C3-A6B5-3E97B186084F}]
2008-07-20 23:21 91648 --a------ C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B686C1EE-AD50-4151-BE86-49767C2D579B}]
2008-07-20 23:21 91648 --a------ C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 07:35 7634944]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 17:10 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"409ecb42"="C:\WINDOWS\system32\cxquqife.dll" [BU]
"BM43adf8de"="C:\WINDOWS\system32\tcnrpuqe.dll" [BU]
"P17Helper"="P17.dll" [2005-05-03 12:38 64512 C:\WINDOWS\system32\P17.dll]
"NvMediaCenter"="NvMCTray.dll" [2006-10-31 07:35 86016 C:\WINDOWS\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 00000000
"NoUserNameInStartMenu"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-07-30 10:45 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-31 07:35 7634944 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-31 07:35 86016 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--------- 2007-07-30 10:45 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-06-29 02:03 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 11:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 12:38 866816 C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
--------- 2004-06-08 19:33 69721 C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-31 07:35 1622016 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-08-01 12:10 16049664 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 14:15]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{654c0926-c625-11dc-8706-806d6172696f}]
\Shell\AutoRun\command - D:\Bin\assetup.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 19:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 19:36:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-24 19:37:57
ComboFix-quarantined-files.txt 2008-07-24 18:37:38
Pre-Run: 76,986,068,992 bytes free
Post-Run: 77,042,954,240 bytes free
188 --- E O F --- 2008-07-09 23:11:09
Hi
Open notepad and copy/paste the text in the codebox below into it:
File::
C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
Folder::
C:\Documents and Settings\2846
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E6414D9-D1AB-43FF-8C53-7382F788F778}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{856D430C-5196-48C3-A6B5-3E97B186084F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B686C1EE-AD50-4151-BE86-49767C2D579B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"409ecb42"=-
"BM43adf8de"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Hals1967
2008-07-24, 22:53
ComboFix 08-07-23.5 - User 2008-07-24 20:46:05.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1001 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
C:\Documents and Settings\2846 :#:
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\2846\Local Settings\Temporary Internet Files\Content.IE5\U8JUE4V7\3077ahntdksr[1].dll
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.
2008-07-22 21:41 . 2008-07-22 21:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-22 21:41 . 2008-07-22 21:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-22 19:10 . 2008-07-22 19:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-21 02:54 . 2008-07-21 02:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 21:44 . 2008-07-21 02:42 <DIR> d-------- C:\Documents and Settings\2846
2008-07-20 21:41 . 2008-07-22 18:36 588 --a------ C:\WINDOWS\wininit.ini
2008-07-20 21:21 . 2008-07-22 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 22:06 . 2008-07-09 22:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-07-09 22:06 . 2008-07-09 22:06 <DIR> d-------- C:\WINDOWS\Logs
2008-07-07 22:03 . 2008-07-07 22:03 <DIR> d-------- C:\Program Files\Common Files\merlin
2008-07-07 22:02 . 2008-07-23 20:34 <DIR> d-------- C:\Battle of Britain II
2008-07-06 13:11 . 2008-07-06 13:12 <DIR> d-------- C:\Program Files\Philips
2008-07-06 13:11 . 2008-07-06 13:11 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 18:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-24 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-22 19:48 --------- d-----w C:\Program Files\Tabs
2008-07-20 02:04 --------- d-----w C:\Documents and Settings\User\Application Data\Azureus
2008-07-14 17:36 --------- d-----w C:\Program Files\Java
2008-07-06 12:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 01:56 --------- d-----w C:\Program Files\BC & FC losses 1939-45
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 13:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 13:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 13:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 20:13 --------- d-----w C:\Program Files\ThirdWire
2008-06-06 20:31 --------- d-----w C:\Program Files\Azureus
2008-06-06 20:02 --------- d-----w C:\Program Files\Common Files\Java
2008-06-05 13:00 74,840 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2008-06-03 16:39 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 16:39 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-03 16:39 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 16:39 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 16:39 --------- d-----w C:\Program Files\Symantec
2008-06-02 18:25 --------- d-----w C:\Documents and Settings\User\Application Data\Canon
2008-05-30 13:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 13:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 13:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 13:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 13:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 13:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 13:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-06 01:17 61 --sh--w C:\WINDOWS\cnerolf.dat
2008-01-19 08:28 32 --sha-w C:\WINDOWS\{F2476FB1-2283-438F-A5B0-1AE4FB22B509}.dat
2008-01-19 08:28 32 --sha-w C:\WINDOWS\system32\{066077AC-666E-4E4C-9209-22D1C1039028}.dat
2008-01-11 15:03 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008011120080112\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 07:35 7634944]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 17:10 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"P17Helper"="P17.dll" [2005-05-03 12:38 64512 C:\WINDOWS\system32\P17.dll]
"NvMediaCenter"="NvMCTray.dll" [2006-10-31 07:35 86016 C:\WINDOWS\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 00000000
"NoUserNameInStartMenu"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-07-30 10:45 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-31 07:35 7634944 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-31 07:35 86016 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--------- 2007-07-30 10:45 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-06-29 02:03 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 11:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 12:38 866816 C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
--------- 2004-06-08 19:33 69721 C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-31 07:35 1622016 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-08-01 12:10 16049664 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 14:15]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{654c0926-c625-11dc-8706-806d6172696f}]
\Shell\AutoRun\command - D:\Bin\assetup.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 19:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 20:47:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-24 20:48:05
ComboFix-quarantined-files.txt 2008-07-24 19:47:46
ComboFix2.txt 2008-07-24 18:37:59
Pre-Run: 76,966,928,384 bytes free
Post-Run: 77,010,698,240 bytes free
184 --- E O F --- 2008-07-09 23:11:09
----------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48:54, on 24/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Hals1967.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200728085715
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200728061871
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 8086 bytes
Hi
Looks like there was one error :oops:
Open notepad and copy/paste the text in the quotebox below into it:
DeQuarantine::
C:\Documents and Settings\2846
Quit::
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Hals1967
2008-07-25, 16:41
ComboFix 08-07-23.5 - User 2008-07-25 14:29:47.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1056 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.
2008-07-22 21:41 . 2008-07-22 21:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-22 21:41 . 2008-07-22 21:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-22 19:10 . 2008-07-22 19:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-21 02:54 . 2008-07-21 02:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 21:44 . 2008-07-21 02:42 <DIR> d-------- C:\Documents and Settings\2846
2008-07-20 21:41 . 2008-07-22 18:36 588 --a------ C:\WINDOWS\wininit.ini
2008-07-20 21:21 . 2008-07-22 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 22:06 . 2008-07-09 22:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-07-09 22:06 . 2008-07-09 22:06 <DIR> d-------- C:\WINDOWS\Logs
2008-07-07 22:03 . 2008-07-07 22:03 <DIR> d-------- C:\Program Files\Common Files\merlin
2008-07-07 22:02 . 2008-07-23 20:34 <DIR> d-------- C:\Battle of Britain II
2008-07-06 13:11 . 2008-07-06 13:12 <DIR> d-------- C:\Program Files\Philips
2008-07-06 13:11 . 2008-07-06 13:11 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 13:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-25 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-22 19:48 --------- d-----w C:\Program Files\Tabs
2008-07-20 02:04 --------- d-----w C:\Documents and Settings\User\Application Data\Azureus
2008-07-14 17:36 --------- d-----w C:\Program Files\Java
2008-07-06 12:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 01:56 --------- d-----w C:\Program Files\BC & FC losses 1939-45
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 13:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 13:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 13:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 20:13 --------- d-----w C:\Program Files\ThirdWire
2008-06-06 20:31 --------- d-----w C:\Program Files\Azureus
2008-06-06 20:02 --------- d-----w C:\Program Files\Common Files\Java
2008-06-05 13:00 74,840 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2008-06-03 16:39 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 16:39 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-03 16:39 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 16:39 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 16:39 --------- d-----w C:\Program Files\Symantec
2008-06-02 18:25 --------- d-----w C:\Documents and Settings\User\Application Data\Canon
2008-05-30 13:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 13:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 13:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 13:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 13:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 13:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 13:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-06 01:17 61 --sh--w C:\WINDOWS\cnerolf.dat
2008-01-19 08:28 32 --sha-w C:\WINDOWS\{F2476FB1-2283-438F-A5B0-1AE4FB22B509}.dat
2008-01-19 08:28 32 --sha-w C:\WINDOWS\system32\{066077AC-666E-4E4C-9209-22D1C1039028}.dat
2008-01-11 15:03 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008011120080112\index.dat
2008-01-11 15:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 07:35 7634944]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 17:10 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"P17Helper"="P17.dll" [2005-05-03 12:38 64512 C:\WINDOWS\system32\P17.dll]
"NvMediaCenter"="NvMCTray.dll" [2006-10-31 07:35 86016 C:\WINDOWS\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 00000000
"NoUserNameInStartMenu"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-07-30 10:45 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-31 07:35 7634944 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-31 07:35 86016 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--------- 2007-07-30 10:45 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-06-29 02:03 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 11:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 12:38 866816 C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
--------- 2004-06-08 19:33 69721 C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-31 07:35 1622016 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-08-01 12:10 16049664 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 14:15]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{654c0926-c625-11dc-8706-806d6172696f}]
\Shell\AutoRun\command - D:\Bin\assetup.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 19:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 14:32:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-25 14:36:47
ComboFix-quarantined-files.txt 2008-07-25 13:36:01
ComboFix2.txt 2008-07-24 19:48:06
ComboFix3.txt 2008-07-24 18:37:59
Pre-Run: 76,975,099,904 bytes free
Post-Run: 76,972,445,696 bytes free
177 --- E O F --- 2008-07-09 23:11:09
--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37:20, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Hals1967.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200728085715
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200728061871
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 8218 bytes
Hi
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.