PDA

View Full Version : Possible infection. Help needed


Flytis
2008-11-30, 16:23
Greetings.
Think i might be infected by something bad. Using Windows xp x64 with sp2
Here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:58:30, on 2008-11-30
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
E:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
E:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
F:\Program Files (x86)\DAEMON Tools Lite\daemon.exe
E:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
f:\program files (x86)\steam\steam.exe
E:\WINDOWS\SysWOW64\ctfmon.exe
E:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe
E:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
E:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe
f:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
E:\WINDOWS\SysWOW64\CTXFISPI.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
g:\Program Files (x86)\Winamp\winampa.exe
E:\WINDOWS\SysWOW64\CTsvcCDA.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
E:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
E:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
E:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
E:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
E:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
F:\Program Files (x86)\mIRC\mirc.exe
E:\Program Files (x86)\MSN Messenger\usnsvc.exe
g:\Program Files (x86)\Winamp\winamp.exe
F:\Program Files (x86)\Mozilla Firefox\firefox.exe
E:\Program Files (x86)\Hamachi\hamachi.exe
E:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files (x86)\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
f:\Program Files (x86)\Combined Community Codec Pack\Zoom Player\zplayer.exe
F:\Program Files\VentriloMIX\Ventrilo 2.3.0.exe
E:\Program Files (x86)\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
H:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dt-updates.com/activate?query=2qvvVDvx1U2Cd%2b46Cy0mz5Fpl6Pc5qLSd0T%2f0qp%2f424Z6uiTgwE8m4stjsCjV9a2WAavMoUIwt4rFAhufwfiquHHTQVzDpiTeEz4bEOwdxPy1Rcl9Sts%2bao14T%2bMzVkHKO6sbFm9%2fKrbhtmuLgeUxBPJrhDJCPFEI7QEcU4%2bd9kxzb6EJEm6b6J4Yhd4MRYQqoyOxIY5nRUbSVWmnCmZSEHspGtkKQ4WTMJcL8rmdr99qWIRmTi26KSWJArlAJtKg4kLmIYqXd2%2f54vZvvT69vRJsLUM4zjeP0qak3qXAS5oQhrIxr1PuBFsJm%2f7vGNIxOJrce2gFxTARhmYfRQQqQ%3d%3d
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - G:\Program Files (x86)\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - E:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [VolPanel] "E:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "E:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "E:\Program Files (x86)\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "f:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [WinampAgent] "g:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Steam] "f:\program files (x86)\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CurseClient] F:\spel\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: hamachi.lnk = E:\Program Files (x86)\Hamachi\hamachi.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - E:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - E:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - E:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - F:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - F:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - E:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - E:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - E:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - E:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - E:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - E:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - E:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - E:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - E:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - E:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - E:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8778 bytes
katana
2008-12-04, 13:53
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)


If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following

1) What problems are you having
2) What Antivirus do you use ?


Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.