PDA

View Full Version : Problems with removing Virtumonde - pls help:)



Pablo86
2008-09-08, 22:32
Hi,

I'm new here:) SpybotSD detected on my computer "Virtumonde", but, as in other cases described here, coudn't remove it. I have no idea haw to do this, and that's why I'm here:)

I've downloaded some of cleaning programs and run them, I've also run Spybot several times (what's intresting, normally it was unable to remove at least one file of "Virtumonde", but once it removed all detected threats..), but I'm almost sure, that Virtumonde still exist on my machine:( If it isn't Virtumonde, than it must be sth else, but I'm sure that there is something.

I've read a little about this problem on this forum and it seems to be quite difficult to solve for me, so if anyone can help, I would be really grateful.

BTW excuse me any language mistakes:)

Here is log from HJT: (I've renamed it into Pablo86, as it was advised in some posts).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:31:33, on 2008-09-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\Pablo86.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.acdsystems.com/products/acdsee/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54E34C72-CBB2-4797-992D-BEF406F35DC3} - D:\WINDOWS\system32\vdmsedir.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A136B075-64C1-4F6F-AF29-4D2075B5014A} - (no file)
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - (no file)
O2 - BHO: (no name) - {E3B9766D-F656-44E2-89E9-EBCDD9078802} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 - Winlogon Notify: yayAsQiF - D:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4353 bytes

pskelley
2008-09-10, 15:30
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I've downloaded some of cleaning programs and run them
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

I've also run Spybot several times
Please be sure Spybot S&D is up to date and fully immunized.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html

If you still need help we will start like this.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Gracias

Pablo86
2008-09-10, 17:01
Hi,

thank you for taking care of my computer:)

Here are the logs from Combofix and HJT. I don't know if it's important, but when Combofix was preparing a log, it shown a message like "temp07 cannot find this file" (or sth like that, I'm not sure, becouse it was to fast for me).


ComboFix 08-09-05.14 - Paweł 2008-09-10 15:52:40.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.100 [GMT 2:00]
Running from: D:\Documents and Settings\Paweł\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-09 16:34 . 2008-09-09 16:34 <DIR> d--hs---- D:\FOUND.062
2008-09-08 20:34 . 2008-09-08 20:34 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-08 20:34 . 2008-09-08 20:34 <DIR> d-------- D:\Documents and Settings\Paweł\Dane aplikacji\Malwarebytes
2008-09-08 20:34 . 2008-09-08 20:34 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-09-08 20:34 . 2008-09-08 00:11 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-08 20:34 . 2008-09-08 00:11 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 13:52 . <DIR> D:\Documents and Settings\Pawe-
2008-09-08 13:32 . 2008-09-08 13:32 <DIR> d-------- D:\Program Files\Trend Micro
2008-09-07 13:22 . 2008-09-07 16:15 1,355 --a------ D:\WINDOWS\imsins.BAK
2008-09-07 12:18 . 2008-09-07 12:18 <DIR> d-------- D:\WINDOWS\system32\CatRoot_bak
2008-09-07 12:03 . 2008-09-07 12:03 <DIR> d-------- D:\Guitar Pro 4
2008-09-07 12:03 . 2008-09-07 12:03 <DIR> d-------- D:\Corel
2008-09-06 10:47 . 2008-09-06 10:47 <DIR> d-------- D:\Program Files\OOD2KFRE
2008-09-05 10:40 . 2008-09-05 10:40 <DIR> d--hs---- D:\FOUND.061

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 20:33 253,952 ----a-w D:\WINDOWS\system32\es.dll
2008-07-07 20:33 253,952 ----a-w D:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:24 74,240 ----a-w D:\WINDOWS\system32\mscms.dll
2008-06-24 16:24 74,240 ----a-w D:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:49 18,432 ----a-w D:\WINDOWS\system32\dllcache\iedw.exe
2008-06-20 17:42 246,784 ----a-w D:\WINDOWS\system32\mswsock.dll
2008-06-20 17:42 246,784 ----a-w D:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:42 148,992 ----a-w D:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w D:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w D:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:01 273,024 ------w D:\WINDOWS\system32\dllcache\bthport.sys
2002-11-04 12:54 3,392 ----a-w D:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((( snapshot@2008-09-08_13.51.11.82 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"MSConfig"="D:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayAsQiF]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Corel MEDIA FOLDERS INDEXER 8.LNK]
path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Corel MEDIA FOLDERS INDEXER 8.LNK
backup=D:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^WinZip Quick Pick.lnk]
path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\WinZip Quick Pick.lnk
backup=D:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
--a------ 2006-01-26 17:21 4857856 D:\Emule\emule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2007-07-09 08:39 2119104 D:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 D:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-08-18 18:41 1832272 D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Emule\\emule.exe"=
"D:\\Program Files\\Gadu-Gadu\\gg.exe"=
"D:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"=
"D:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"=
"D:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\UT2004Demo\\System\\UT2004.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{54E34C72-CBB2-4797-992D-BEF406F35DC3} - (no file)
BHO-{A136B075-64C1-4F6F-AF29-4D2075B5014A} - (no file)
BHO-{E3B9766D-F656-44E2-89E9-EBCDD9078802} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\nuroyleq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - GOOGLE.PL
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPBILLARD8.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPPOKER.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPSNOOKER.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - D:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 15:54:47
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

D:\WINDOWS\EXPLORER.EXE [1532] 0x824E9460

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-10 15:55:44
ComboFix-quarantined-files.txt 2008-09-10 13:55:40
ComboFix3.txt 2008-09-08 11:52:36
ComboFix2.txt 2008-09-08 12:23:44

Pre-Run: 10,180,870,144 bajtów wolnych
Post-Run: 10,178,560,000 bajtów wolnych

133 --- E O F --- 2008-09-07 14:16:15





And HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:00:49, on 2008-09-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\Pablo86.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.acdsystems.com/products/acdsee/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54E34C72-CBB2-4797-992D-BEF406F35DC3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A136B075-64C1-4F6F-AF29-4D2075B5014A} - (no file)
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - (no file)
O2 - BHO: (no name) - {E3B9766D-F656-44E2-89E9-EBCDD9078802} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 - Winlogon Notify: yayAsQiF - D:\WINDOWS\
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5247 bytes


Once again thanks for your help

pskelley
2008-09-10, 17:30
This indicates System Configuration Utility )MSConfig) is running in Selective Startup mode? This was not so in the first log or I would have asked this them. Return to Normal Mode, then post a new HJT log so I can see everything.
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

Thanks

Pablo86
2008-09-10, 18:01
Hi,

yes, I've switched the system into selective mode. That's becouse I've some problems with TeaTimer - despite disabling it in Spybot - S&D, it still starts to work when I start a system. And I don't know how to change it. Becouse when I uncheck TeaTimer in Start>Run>msconfig, system auomatically turns into selective mode.
What's more, on the list of processes starting up with the system in Start>Run>msconfig I have two TeaTimers, though I've deleted all old versions of Spybot..
Should I leave it alone and just switch into normal mode?

Thanks

pskelley
2008-09-10, 18:24
I need to see the HJT log when then computer in running System Configuration Utility in Normal Startup Mode as I said. If you can not turn off TeaTimer using the instructions I provided, then uninstall Spybot completely. You can reinstall it once we are finished.

Thanks

Pablo86
2008-09-10, 18:32
Hi,

so as you said, I completely removed Spybot. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:31:48, on 2008-09-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Corel\Graphics8\programs\MFIndexer.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\Pablo86.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.acdsystems.com/products/acdsee/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54E34C72-CBB2-4797-992D-BEF406F35DC3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A136B075-64C1-4F6F-AF29-4D2075B5014A} - (no file)
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - (no file)
O2 - BHO: (no name) - {E3B9766D-F656-44E2-89E9-EBCDD9078802} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Emule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Graphics8\programs\MFIndexer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 - Winlogon Notify: yayAsQiF - D:\WINDOWS\
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5522 bytes


Thanks

pskelley
2008-09-10, 18:39
I don't know what you are doing? Did you restart the computer?
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

I will not be able to respond again until later in the afternoon EST.

Pablo86
2008-09-10, 18:55
Yes, I uninstalled Spybot and restarted the computer. Now there is no Spybot on my machine, there is even no folder "Spybot" on disk "D", so I have completely no idea how is it possible:/

I will try to find this hidden TeaTimer..

Thanks

pskelley
2008-09-10, 19:43
Thanks for the feedback, I will say in ten years of looking at HJT logs I have not seen TT left after Spybot S&D was uninstalled. Perhaps it is not significant, I will give it a try.

D:\Emule\emule.exe <<< please see this information:
http://forums.spybot.info/showthread.php?t=282


1) D:\Program Files\Java\jre1.6.0_05\ <<< check Java for an update, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {54E34C72-CBB2-4797-992D-BEF406F35DC3} - (no file)
O2 - BHO: (no name) - {A136B075-64C1-4F6F-AF29-4D2075B5014A} - (no file)
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - (no file)
O2 - BHO: (no name) - {E3B9766D-F656-44E2-89E9-EBCDD9078802} - (no file)
O20 - Winlogon Notify: yayAsQiF - D:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

How is the computer running?

Gracias

Pablo86
2008-09-10, 21:58
So

1. delete emule...done
2. update Java...done
3. run ResetTeaTimer...done
4. download ATF Cleaner...done
5. fix checked lines in HJT...done
6. run ATF Cleaner...done
7. download Malwarebytes' Anti-Malware...done
8. run Malwarebytes' Anti-Malware...done
9. run HJT...done

Here are the logs /If you need any translation - feel free to ask:)/:

Malwarebytes' Anti-Malware 1.28
Wersja bazy definicji: 1137
Windows 5.1.2600 Dodatek Service Pack 2

2008-09-10 20:50:50
mbam-log-2008-09-10 (20-50-50).txt

Typ skanowania: Pełne skanowanie (C:\|D:\|)
Przeskanowane obiekty: 141188
Upłynęło: 53 minute(s), 19 second(s)

Zainfekowane procesy w pamięci: 0
Zainfekowane moduły pamięci: 0
Zainfekowane klucze rejestru: 0
Zainfekowane wartości rejestru: 0
Zainfekowane pliki rejestru: 0
Zainfekowane foldery: 0
Zainfekowane pliki: 3

Zainfekowane procesy w pamięci:
(Nie wykryto groźnych plików)

Zainfekowane moduły pamięci:
(Nie wykryto groźnych plików)

Zainfekowane klucze rejestru:
(Nie wykryto groźnych plików)

Zainfekowane wartości rejestru:
(Nie wykryto groźnych plików)

Zainfekowane pliki rejestru:
(Nie wykryto groźnych plików)

Zainfekowane foldery:
(Nie wykryto groźnych plików)

Zainfekowane pliki:
D:\System Volume Information\_restore{ED315AA0-DBE4-4563-A5E1-0D50D5485ECE}\RP209\A0337436.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{ED315AA0-DBE4-4563-A5E1-0D50D5485ECE}\RP210\A0337453.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\amsnttgq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.




And HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56:47, on 2008-09-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Corel\Graphics8\programs\MFIndexer.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\Pablo86.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.acdsystems.com/products/acdsee/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Emule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Graphics8\programs\MFIndexer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5122 bytes



It seems, that my machine works better. Is it clear now?

Gracie mille:)

pskelley
2008-09-11, 00:34
This is the next task we must complete:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Gracias

Pablo86
2008-09-11, 09:01
I wish to install RC...but I can't - during the installation Combofix says "Error" adn shows a message: "Installation file - D:\Documents and Settings\Paweł\Pulpit\WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe - cannot be found". It is a little strange, becouse this file is the one I've downloaded, and, as I look on my desktop, I am 100% sure that it exist:) any advice?:)

Gracie

pskelley
2008-09-11, 11:23
Let's try this...delete that file in question on the Desktop.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

The information you posted shows this file was NOT downloaded to the Desktop as instructed.
D:\Documents and Settings\Paweł\Pulpit\

1) You have Platform: Windows XP Dodatek SP2 <<< can you tell me what the word is red is?
Microsoft Windows XP Professional so I am assuming this version of XP is:

Microsoft Windows XP Professional SP2

This is the download for that version you have from here:
http://support.microsoft.com/kb/310994

Windows XP Professional SP2
http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124&displaylang=en
When you click on that "DOWNLOAD" make sure you choose "Save this file now" and choose to save it ON THE DESKTOP.

Follow the directions to drop the file on combofix as show in this picture:

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Thanks

Pablo86
2008-09-11, 13:31
Hi,

I've deleted that file. It was on the desktop, I mean "pulpit" in Polish is desktop:)

1) My system is Windows XP Professional Service Pack 2. This word you are asking about is probably not important, it means sth like supplement? It suggest, that that service pack is an additional part for windows.

2) I downloaded this file again from here the link you gave me, but the situation is the same - after dropping that file onto combofix icon it works, until it shows "Scanning for infected files...", then, after a while, it shows a message I wrote you earlier. I have no idea why is it so..

Gracie

pskelley
2008-09-11, 13:43
You may not be able to install Recovery Console, but you need to look closly at the directions, you said this:

I downloaded this file again from here the link you gave me, but the situation is the same - after dropping that file onto combofix icon it works, until it shows "Scanning for infected files...",
Look at the directions in the picture where you are plainly told to choose NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

when it gets to that point, click the NO button, let me know, if that does not work, we will move on without RC.

Thanks

Pablo86
2008-09-11, 14:02
Problem is, that i don't have that box "What's next?". After combofix shows the screen "Scanning for infected files...", box with a message about that missing file pops up. There is only one option to choose - "OK", and after that combofix switches off.

pskelley
2008-09-11, 14:09
Try deleting the copy of combofix and download it new from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then give Recovery Console another try.

Thanks

Pablo86
2008-09-11, 14:15
Finally - success:)

Here's the log:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Gracie

pskelley
2008-09-11, 14:22
:bigthumb: some information about Recovery Console.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

I am seeing no antivirus program??? it is cyber-suicide going online anymore without one. Do you need me to post links to free programs?

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

Pablo86
2008-09-11, 14:46
Thank you, thank you, thank you:) I really appreciate your help.

As you have noticed - I do not have any antivirus program, so if you have any link to free one, I would be greatful.

Once more - thank you for your time and help.

pskelley
2008-09-11, 15:39
Here are three, install only one.

http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

I personally use AVG 8 Free, if you use it this tutorial may help:
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

whatever you install, update and run a system scan.

Thanks

Pablo86
2008-09-11, 23:38
Thaks a lot for those links. I've installed AVG, which found 17 infected files and 4 spywares (!!!). I think i understand what you mean by saying "cyber suicide":)

As I read AVG in free version doesn't have a firewall. Any propositions?:)

Gracie

pskelley
2008-09-12, 00:17
If you install a third party freeware firewall, make sure you turn off the Windows Firewall.
http://support.microsoft.com/kb/283673

I posted a link for you with the closing information, please read all of that information and your questions will likely be answered there.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

Pablo86
2008-09-12, 20:26
Hi,

can I have one more request? Could you take a look at a HJT log from my second machine? I don't suppouse it is strongly infected becouse I don't often connect it to the Internet, but I'm not sure if it is completely clean...I will be gratefull.

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:44, on 2008-09-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\Pablo86.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: load=C:\YDPDict\watch.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [35883256320450366211233613823964] C:\Program Files\AV9\av2009.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 4979 bytes


Gracie mille

pskelley
2008-09-12, 21:43
I apologize, because we have 50 or more folks waiting, we require that you start a New Thread for the second computer.

http://forums.spybot.info/forumdisplay.php?f=22

Sorry...

Pablo86
2008-09-12, 22:12
Ok, nevermind:)

Thanks a lot after all.