
got hacked by TbH w0rm... please help (Resolved)



lihi simchas
2009-08-20, 11:32
hello,

I got infected by something... my IE browser is kidnapped, Ctrl+Alt+Delete doesn't respond so I can't see processes, and many other things in WinXP got messed up. I can't open drives directly (only by right-click and 'Explore'), and can't change settings, like if I want to see hidden files, for instance...

That's my HijackThis report to start with...:



Logfile of HijackThis v1.99.1
Scan saved at 12:24:59, on 20/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\LevelOne\LevelOne WNC-0301 11g Wireless PCI Card\Installer\WINXP\LevelOneConfig0301.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.563\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gade.6te.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = .-~= Hacked by TbH w0rm =~-.
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\win.exe
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LevelOne Utility.lnk = C:\Program Files\LevelOne\LevelOne WNC-0301 11g Wireless PCI Card\Installer\WINXP\LevelOneConfig0301.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\lihi\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\lihi\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DABF1271-471D-4069-8EF7-FC8A44A41C28}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


please help,

greetings,

lihi
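Added example, not part of lihi's post and not code from HijackThis: a small rule-based triage pass in Python over HijackThis-style lines of the kind in the log above. The sample lines are copied from that log with the wrapped entries joined back into one line each. The rules pick out what a helper reads off this log first: a script host (wscript.exe) registered in a Run key, the /E:vbs switch forcing the VBScript engine on a file with a .jpg extension, an entry named like a Windows component (CTFMON) that actually runs a different binary, and the overridden IE start page and window title. The allow-list of expected start pages is an assumption of the example. Note what such rules cannot decide: the plain win.exe entry (regdiit) looks like any other autostart, which is why the scanner verdicts later in the thread matter.

```python
"""Rule-based triage of HijackThis-style log lines (added example)."""
import os
import re
from dataclasses import dataclass

# Script interpreters that have no business sitting in a Run key on a home PC.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Extensions a script host normally executes; anything else under /E: is suspect.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
# Windows components whose names malware borrows for its autostart entry.
SYSTEM_NAMES = {"ctfmon", "explorer", "svchost", "winlogon", "lsass", "csrss"}
# Assumption of this example: start pages the check treats as expected.
EXPECTED_START_HOSTS = {"www.google.com", "www.msn.com", "about:blank"}

# Constructed sample: entries in the shape HijackThis 1.99.1 writes them,
# with the wrapped lines from the post joined back into single lines.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gade.6te.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = .-~= Hacked by TbH w0rm =~-.
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\win.exe
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = ?(?P<data>.*)$")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_command(cmd):
    """Return (executable, [arguments]) for a quoted or unquoted command line.
    HijackThis prints unquoted paths that contain spaces, so leading tokens are
    re-joined until one ends in an executable extension."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
    i = 0
    while i < len(toks) - 1 and not toks[i].lower().endswith((".exe", ".com", ".bat", ".dll")):
        i += 1
    return " ".join(toks[: i + 1]), toks[i + 1:]


def triage_line(no, line):
    findings = []
    m = O4_RE.match(line)
    if m:
        name = m.group("name")
        exe_path, args = split_command(m.group("cmd"))
        exe = basename(exe_path)
        switches = [a for a in args if a.startswith(("/", "-"))]
        targets = [a for a in args if not a.startswith(("/", "-"))]
        if exe in SCRIPT_HOSTS:
            findings.append(Finding(no, "script-host-autostart", f"[{name}] runs {exe} at logon"))
            engine = [s for s in switches if s.upper().startswith("/E:")]
            if engine and targets:
                ext = os.path.splitext(basename(targets[-1]))[1]
                if ext not in SCRIPT_EXTS:   # e.g. /E:vbs applied to a .jpg
                    findings.append(Finding(no, "script-engine-override",
                                            f"[{name}] {engine[0]} forces a script engine on {basename(targets[-1])}"))
        stem = name.lower()
        stem = stem[:-4] if stem.endswith(".exe") else stem
        if stem in SYSTEM_NAMES and exe != stem + ".exe":
            findings.append(Finding(no, "name-impersonation",
                                    f"[{name}] is named like {stem}.exe but runs {exe}"))
        return findings
    m = R_RE.match(line)
    if m:
        value, data = m.group("value").strip(), m.group("data").strip()
        if value == "Window Title" and data:
            findings.append(Finding(no, "window-title-set", f"IE window title overridden: {data}"))
        elif value == "Start Page" and data:
            host = re.sub(r"^https?://", "", data.lower()).split("/")[0]
            if host not in EXPECTED_START_HOSTS:
                findings.append(Finding(no, "start-page-hijack", f"start page points at {host}"))
    return findings


def triage(log_text):
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        findings.extend(triage_line(no, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run it against a saved HijackThis log by passing the file's text to `triage()`; every finding carries the log line number so it can be matched back to the entry the helper would ask to be fixed.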

katana
2009-08-23, 00:26
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Some of the logs I request will be quite large; you may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------



Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)


Installed Programs

Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

lihi simchas
2009-08-25, 11:07
Hello Katana, and thank you for your answer,

I'm sorry for the delay in mine...

This is the ComboFix log:


ComboFix 09-08-24.06 - user 08/25/2009 11:46.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.1023.559 [GMT 2:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\user\My Documents\cc_20090819_182153.reg
c:\program files\IEToolbar
c:\program files\IEToolbar\Share Accelerator\basis.xml
c:\program files\IEToolbar\Share Accelerator\icons.bmp
c:\program files\IEToolbar\Share Accelerator\icons.bmp_16.bmp
c:\program files\IEToolbar\Share Accelerator\icons.bmp_24.bmp
c:\program files\IEToolbar\Share Accelerator\info.txt
c:\program files\IEToolbar\Share Accelerator\LOGO.BMP
c:\program files\IEToolbar\Share Accelerator\ShareAcceleratorToolbar12_11_08.crc
c:\program files\IEToolbar\Share Accelerator\tbhelper.dll
c:\program files\IEToolbar\Share Accelerator\uninstall.exe
c:\program files\IEToolbar\Share Accelerator\update.exe
c:\program files\IEToolbar\Share Accelerator\version.txt
c:\program files\IEToolbar\Share Accelerator\your_logo.png
c:\windows\Installer\41992.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\win.exe
D:\Autorun.inf
G:\autorun.inf
G:\INSTALL.EXE
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD
-------\Service_ndisrd


((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))
.

2009-08-25 09:37 . 2007-10-23 07:22 3350528 ---ha-w- c:\documents and settings\user\Application Data\U3\temp\Launchpad Removal.exe
2009-08-19 16:49 . 2009-08-19 16:49 -------- d-----w- c:\program files\RegCleaner
2009-08-19 16:42 . 2009-08-19 16:42 -------- d-----w- c:\windows\Sun
2009-08-19 16:40 . 2009-08-19 16:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-19 16:40 . 2009-08-19 16:40 -------- d-----w- c:\program files\Java
2009-08-19 16:40 . 2009-08-19 16:40 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-19 16:19 . 2009-08-19 16:19 -------- d-----w- c:\program files\CCleaner
2009-08-05 17:54 . 2009-08-05 17:54 -------- d-----w- c:\program files\ICQ6Toolbar
2009-08-05 17:54 . 2009-08-05 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ICQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 09:37 . 2008-11-22 22:27 -------- d-----w- c:\documents and settings\user\Application Data\U3
2009-08-21 15:30 . 2004-05-31 22:09 87616 -c--a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-20 10:21 . 2005-10-24 08:18 -------- d-----w- c:\documents and settings\user\Application Data\Babylon
2009-08-19 15:09 . 2008-12-30 20:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-17 06:05 . 2008-12-30 19:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-17 06:05 . 2008-12-30 19:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 06:05 . 2008-12-30 19:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2004-06-12 21:51 . 2004-06-12 21:51 2 -c--a-w- c:\program files\audiorightschedule
2003-11-02 18:59 . 2004-07-07 19:28 2938 -c--a-w- c:\program files\FL4.10.Serial.DCR.nfo
2006-05-01 20:03 . 2006-05-01 15:11 56 --sh--r- c:\windows\system32\E546C97520.sys
2008-10-25 22:31 . 2006-05-01 15:18 12626 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"NetLimiter"="c:\program files\NetLimiter\NetLimiter.exe" [2004-03-31 823296]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2006-04-30 2655272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-8-10 108544]
LevelOne Utility.lnk - c:\program files\LevelOne\LevelOne WNC-0301 11g Wireless PCI Card\Installer\WINXP\LevelOneConfig0301.exe [2006-10-30 512000]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 06:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\WebDev.WebServer.EXE"=
"h:\\Lihi\\ICQ6.5\\ICQ.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [30/12/2008 21:59 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [30/12/2008 21:59 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [29/01/2009 08:47 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [30/12/2008 21:58 297752]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [05/08/2009 19:54 222968]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [10/02/2005 13:26 108400]
S3 XDva032;XDva032;\??\c:\windows\system32\XDva032.sys --> c:\windows\system32\XDva032.sys [?]
S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\windows\system32\drivers\yukonx86.sys [16/05/2004 17:17 176256]
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:57]

2009-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1220945662-2147183463-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 13:13]

2009-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1220945662-2147183463-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 13:13]

2009-08-22 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- d:\program files\Norton SystemWorks\OBC.exe [2003-09-12 18:16]

2009-08-24 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 02:48]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FA34EE7E-55EB-41DB-9718-1AE6EA1CF9A5} - (no file)
HKLM-Run-regdiit - c:\windows\system32\win.exe
HKLM-Run-POINTER - point32.exe
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\about.htm
uStart Page = hxxp://gade.6te.net
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\NetLimiter\nl_lsp.dll
TCP: {DABF1271-471D-4069-8EF7-FC8A44A41C28} = 192.168.0.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - hxxp://www.tapuz.co.il/irc/main/launcher.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-25 11:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Ntbackup\   *װׂׁױ]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
"File1"="c:\\WINDOWS\\system32\\dfrg.msc"
"File2"="c:\\WINDOWS\\system32\\devmgmt.msc"
"File3"="c:\\WINDOWS\\system32\\secpol.msc"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e6,84,8a,43,b0,bd,2e,7b,21,29,e3,75,b0,33,d8,3a,a8,93,c7,7f,59,
6b,c8,ec,72,82,42,2f,d6,41,91,d5,68,a7,0a,8a,b3,c2,03,ff,83,3d,b5,e9,7c,bc,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e6,84,8a,43,b0,bd,2e,7b,21,29,e3,75,b0,33,d8,3a,a8,93,c7,7f,59,
6b,c8,ec,72,82,42,2f,d6,41,91,d5,68,a7,0a,8a,b3,c2,03,ff,83,3d,b5,e9,7c,bc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1148)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll

- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\mnmsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
d:\progra~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft Hardware\Mouse\point32.exe
.
**************************************************************************
.
Completion time: 2009-08-25 11:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-25 09:59

Pre-Run: 16,386,260,992 bytes free
Post-Run: 16,373,317,632 bytes free

201




and this is the uninstall list from HijackThis:


Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9
Adobe Premiere Pro
Adobe Reader 9 - Hebrew
Adobe Shockwave Player
Ahead Nero Burning ROM
Apple Software Update
Audacity 1.2.1
AVG Free 8.5
AXIS Media Control Embedded
Babylon
CCleaner (remove only)
Choice Guard
Cool Edit Pro 2.0
desktop Wallpaper
Direct Show Ogg Vorbis Filter (remove only)
eMule
ESET Online Scanner
ffdshow
Google Gmail Notifier
GTK+ Runtime 2.12.1 rev b (remove only)
HammerHead Rhythm Station
HijackThis 1.99.1
ICQ Toolbar
ICQ6.5
Intel(R) Integrated Performance Primitives RTI 4.0
IsoBuster 1.6
Java(TM) 6 Update 15
Junk Mail filter update
LevelOne WNC-0301 11g Wireless PCI Card
Lion Heart's eMule Plus
LiveReg (Symantec Corporation)
Loopy
Macromedia Extension Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Access 2002 Runtime
Microsoft Data Access Components KB870669
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Office XP Professional עם FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Web Developer 2005 Express Edition - ENU
Microsoft Visual Web Developer 2005 Express Edition - ENU
MSRedist
MSVCRT
MSXML 6.0 Parser
MV2Player (remove only)
NetLimiter 1.30 (remove only)
Norton SystemWorks 2004 Professional
Norton SystemWorks 2004 Professional (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
NVIDIA Display Driver
PACE System Files
PowerDVD
Quake III Arena Point Release 1.32
QuickTime
RadLight MPC DirectShow Filter (remove only)
RealPlayer
Segoe UI
Share Accelerator
SoundMAX
SpywareBlaster 4.1
VobSub v2.23 (Remove Only)
Win32
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows XP Service Pack 2
WinZip
ארכיונר WinRAR
כלי ההעלאה של Windows Live
מסייע הכניסה של Windows Live




thank you again,
waiting for your reply,

lihi
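Added example, not from the thread and not ComboFix's own code: the ComboFix log above lists autorun.inf removed from C:, D:, G: and H: together with G:\INSTALL.EXE, which is the removable-media spread that Katana's request to keep all USB drives connected is about. This Python snippet reads the keys of an autorun.inf that Explorer honours (open=, shellexecute=, shell\<verb>\command=, the default verb shell=, and UseAutoPlay=1), scans a list of drive roots for such a file, and reports what it would launch and whether that file is actually present next to it. The sample autorun.inf is constructed for the example; the file name INSTALL.EXE is taken from the log, and the demo builds a throwaway directory instead of touching a real drive.

```python
"""Inspect autorun.inf files on drive roots (added example)."""
import os
import re
import tempfile

# Constructed sample in the shape of the autorun.inf such worms drop on every
# drive root; INSTALL.EXE is the file name ComboFix removed from G:\ above.
SAMPLE_AUTORUN = """[autorun]
open=INSTALL.EXE
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open=Open
shell\\open\\Command=INSTALL.EXE
shell\\explore\\Command=INSTALL.EXE
UseAutoPlay=1
"""

VERB_CMD_RE = re.compile(r"shell\\(\w+)\\command")


def parse_autorun(text):
    """Tolerant INI parse: (lower-cased key, value) pairs of the [autorun]
    section in file order; keys in other sections are ignored."""
    pairs = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def assess(text):
    """Summarise what Explorer would launch for this autorun.inf."""
    launches = []
    default_verb = None
    autoplay_forced = False
    for key, value in parse_autorun(text):
        if key in ("open", "shellexecute") or VERB_CMD_RE.fullmatch(key):
            launches.append((key, value))
        elif key == "shell":
            default_verb = value            # verb bound to double-click
        elif key == "useautoplay":
            autoplay_forced = value == "1"
    return {"launches": launches, "default_verb": default_verb,
            "autoplay_forced": autoplay_forced}


def target_present(root, cmd):
    """True if the first word of the command names a file in the drive root."""
    parts = cmd.split()
    return bool(parts) and os.path.exists(os.path.join(root, parts[0].strip('"')))


def find_autorun(roots):
    """Return [(path, summary)] for every root that carries an autorun.inf.
    summary["present"] records whether each launch target exists in the root."""
    hits = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue                        # no media, not ready, no permission
        for name in names:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(root, name)
            with open(path, "r", errors="replace") as fh:
                summary = assess(fh.read())
            summary["present"] = {cmd: target_present(root, cmd)
                                  for _, cmd in summary["launches"]}
            hits.append((path, summary))
    return hits


def demo_on_tempdir():
    """Builds a throwaway directory standing in for a drive root and scans it."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    with open(os.path.join(root, "Autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    open(os.path.join(root, "INSTALL.EXE"), "wb").close()   # empty stand-in
    return find_autorun([root])


if __name__ == "__main__":
    for path, summary in demo_on_tempdir():
        print(path)
        for key, cmd in summary["launches"]:
            print(f"  {key} -> {cmd} (present: {summary['present'][cmd]})")
        print(f"  autoplay forced: {summary['autoplay_forced']}")
```

On a real machine the call would be `find_autorun(["D:\\", "G:\\", "H:\\"])` with the drives plugged in; a root where the launch target is present alongside the autorun.inf is the one to hand to the scanner rather than double-click.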

katana
2009-08-25, 12:47
Information

REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

eMule
Lion Heart's eMule Plus

Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.

----------------------------------------------------------------------------------------

Registry Cleaners + "Tweak" Tools

Re. RegCleaner

I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools

They are marketed as ways to make your machine run faster and more efficiently ...... Some will actually achieve this .... IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine ..... as long as they actually are "Orphaned/Old/Obsolete", it won't speed up your machine though
Stopping services and setting policies can speed up your machine ..... as long as you stop and set the right ones, and even then it's debatable if you will notice the improvement.

Remove the wrong registry entry, or stop the wrong service, and not only can you slow your machine .... you could kill it !

To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing and what else the changes may affect.
In short, if you know how to use them safely ----- you don't actually need them.

discussion on regcleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

----------------------------------------------------------------------------------------
Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If requested, please reboot.
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.

MalwareBytes Log
Kaspersky Log
How are things running now?

lihi simchas
2009-08-25, 18:38
Hello again,

Malwarebytes log:


Malwarebytes' Anti-Malware 1.40
Database version: 2693
Windows 5.1.2600 Service Pack 2

25/08/2009 16:04:00
mbam-log-2009-08-25 (16-03-40).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Objects scanned: 187257
Time elapsed: 43 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regdiit (Backdoor.Poison) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\winzip90.exe (Trojan.Agent) -> No action taken.
C:\winfile.jpg (Backdoor.Poison) -> No action taken.
C:\WINDOWS\system32\winjpg.jpg (Backdoor.Poison) -> No action taken.




kaspersky log:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 25, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 25, 2009 14:55:51
Records in database: 2686955
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Objects scanned: 81068
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:10:48


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\win.exe.vir Infected: Trojan.Win32.VB.uqs 1

Selected area has been scanned.



that's it... things are running better now, alt+ctrl+del works, IE doesn't get kidnapped, and hard drives open regularly with a double-click.
but it seems like i still have quite a few infected files, doesn't it?

couple more questions:
1) how do i remove that RegCleaner? i didn't see it in the add/remove programs list.
2) i tried to remove the LHemule through the add/remove programs but didn't succeed. should i use some kind of software to uninstall it?

thanks,

lihi.

katana
2009-08-25, 21:17
but it seems like i still have quite a few infected files, doesn't it?
Not really, that is very few compared to most infections.
Did you allow MBAM to remove what it found? The log shows "No action taken".



couple more questions:
1) how do i remove that RegCleaner? i didn't see it in the add/remove programs list.
2) i tried to remove the LHemule through the add/remove programs but didn't succeed. should i use some kind of software to uninstall it?

1) It may be just a leftover showing, I'll remove it in a moment.
2) What happened when you tried to uninstall it ?



Download and Run Registry Search
Download (LINK >>>) Registry Search (http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip) (<<< LINK) to your desktop.

Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
Open the new folder, and double click on regsearch.exe
In the top window copy/paste the following line
eMule
Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
Please save the text file at you desktop and call it found-entries.

Paste the results in your reply
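
A small parser for the MBAM log format, added here as an example that is not part of the thread or of Malwarebytes: it lists each detection with the action MBAM recorded, so a log full of "No action taken" (as in the log above) is noticed before the thread moves on. The sample log is constructed from the detection lines of that log, with one file line altered to "Quarantined and deleted successfully" to show the distinction.

```python
"""Parse a Malwarebytes' Anti-Malware log and check that detections were acted on.
Added example; SAMPLE_LOG is constructed from the detection lines of the first
MBAM log in this thread, trimmed to the relevant sections, one line altered."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Detection(NamedTuple):
    section: str   # e.g. "Registry Keys Infected"
    item: str      # registry path or file path
    threat: str    # MBAM detection name, e.g. "Backdoor.Poison"
    action: str    # "No action taken", "Quarantined and deleted successfully", ...


SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2693

Registry Keys Infected: 3
Registry Values Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regdiit (Backdoor.Poison) -> No action taken.

Files Infected:
C:\winzip90.exe (Trojan.Agent) -> No action taken.
C:\winfile.jpg (Backdoor.Poison) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winjpg.jpg (Backdoor.Poison) -> No action taken.
"""

# "Registry Keys Infected: 3" is a summary line; "Registry Keys Infected:" starts a section.
_SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
_HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
_ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (declared counts from the summary block, detections actually listed)."""
    declared: Dict[str, int] = {}
    found: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        summary = _SUMMARY_RE.match(line)
        if summary:
            declared[summary.group("section")] = int(summary.group("count"))
            continue
        header = _HEADER_RE.match(line)
        if header:
            section = header.group("section")
            continue
        entry = _ENTRY_RE.match(line)
        if entry and section:
            found.append(Detection(section, entry.group("item"),
                                   entry.group("threat"), entry.group("action")))
    return declared, found


def unresolved(found: List[Detection]) -> List[Detection]:
    """Detections the log says were left in place (the 'No action taken' case)."""
    return [d for d in found if d.action == "No action taken"]


def count_mismatches(declared: Dict[str, int],
                     found: List[Detection]) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count differs from the entries actually listed."""
    listed: Dict[str, int] = {}
    for d in found:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in declared.items() if n != listed.get(s, 0)}


def persistence_entries(found: List[Detection]) -> List[Detection]:
    """Detections under a ...\\CurrentVersion\\Run key, i.e. items that restart at logon."""
    return [d for d in found if "\\currentversion\\run\\" in d.item.lower()]
```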

lihi simchas
2009-08-25, 23:11
hi again,

first about MBAM - i noticed that "no action taken" in the log, but i pressed "Remove selected", and i'm sure they were selected... that's weird.

second, here's the regsearch log:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 26/08/2009 00:07:00 for strings:
; 'emule'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon]
@="C:\\Program Files\\eMule\\eMule.exe,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\command]
@="C:\\Program Files\\eMule\\eMule.exe \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\emule]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\emule\DEBUG]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe]
"Path"="c:\\Program Files\\eMule\\incoming"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lion Heart's eMule Plusv4.2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lion Heart's eMule Plusv4.2]
"DisplayName"="Lion Heart's eMule Plus"
"UninstallString"="C:\\WINDOWS\\iun6002ev.exe \"C:\\Program Files\\eMule\\irunin.ini\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Speed Disk\Local Settings\Drive Results\C:\Fragmented Files\9]
"File Name"="\\Program Files\\eMule\\incoming\\Melanie Safka - Look What They've Done To My Song.mp3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares]
; Contents of value:
; CSCFlags=0
; MaxUses=4294967295
; Path=C:\Program Files\eMule\incoming
; Permissions=0
; Remark=
; Type=0
;
"incoming"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,\
00,00,4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,\
00,39,00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,\
43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,\
00,6c,00,65,00,73,00,5c,00,65,00,4d,00,75,00,6c,00,65,00,5c,00,69,00,6e,00,\
63,00,6f,00,6d,00,69,00,6e,00,67,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,\
00,73,00,69,00,6f,00,6e,00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,\
72,00,6b,00,3d,00,00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lpxnds\Parameters\Device]
"DriverParameter"="EmulexOption=0x0400;EnableDPC=0;QueueAction=0;QueueDepth=64;RetryInterval=45;RetryIoTimeOut=1;ScanDown=1;SimulateDevice=0;Topology=2"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:LHeMule v4.2"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanserver\Shares]
; Contents of value:
; CSCFlags=0
; MaxUses=4294967295
; Path=C:\Program Files\eMule\incoming
; Permissions=0
; Remark=
; Type=0
;
"incoming"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,\
00,00,4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,\
00,39,00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,\
43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,\
00,6c,00,65,00,73,00,5c,00,65,00,4d,00,75,00,6c,00,65,00,5c,00,69,00,6e,00,\
63,00,6f,00,6d,00,69,00,6e,00,67,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,\
00,73,00,69,00,6f,00,6e,00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,\
72,00,6b,00,3d,00,00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lpxnds\Parameters\Device]
"DriverParameter"="EmulexOption=0x0400;EnableDPC=0;QueueAction=0;QueueDepth=64;RetryInterval=45;RetryIoTimeOut=1;ScanDown=1;SimulateDevice=0;Topology=2"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:LHeMule v4.2"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
; Contents of value:
; CSCFlags=0
; MaxUses=4294967295
; Path=C:\Program Files\eMule\incoming
; Permissions=0
; Remark=
; Type=0
;
"incoming"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,\
00,00,4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,\
00,39,00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,\
43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,\
00,6c,00,65,00,73,00,5c,00,65,00,4d,00,75,00,6c,00,65,00,5c,00,69,00,6e,00,\
63,00,6f,00,6d,00,69,00,6e,00,67,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,\
00,73,00,69,00,6f,00,6e,00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,\
72,00,6b,00,3d,00,00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lpxnds\Parameters\Device]
"DriverParameter"="EmulexOption=0x0400;EnableDPC=0;QueueAction=0;QueueDepth=64;RetryInterval=45;RetryIoTimeOut=1;ScanDown=1;SimulateDevice=0;Topology=2"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:LHeMule v4.2"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\eMule\\emule.exe"="LHeMule v4.2"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Adobe\Acrobat Reader\9.0\AVGeneral\cRecentFiles\c2]
"tDIText"="/C/Program Files/eMule/incoming/PDFs/Sontag, Susan - Vivre sa vie, de Godard.pdf"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\brizsoft\avisplit]
"LastOpenFolder"="C:\\Program Files\\eMule\\incoming"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\eMule]

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\eMule]
"Install Path"="C:\\Program Files\\eMule"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\GSpot Appliance Corp\GSpot\v2.5 Settings]
"LastMediaFile"="C:\\Program Files\\eMule\\incoming\\L'idiot- Gérard Philipe - Edwige Feuillère - Dvdrip Fr By Benny Par Emule-Paradise.avi"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList]
"d"="emule.exe"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithList]
"c"="emule.exe"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList]
"d"="emule.exe"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\eMule]

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Lion Heart's eMule]

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Lion Heart's eMule Plus]

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\TLN eMule Booster MOD]

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Nico Mak Computing\WinZip\select]
"select7"="C:\\Program Files\\eMule\\incoming"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Syntrillium\CEPro2\State\Directories\32768]
"Item27"="c:\\program files\\emule>4294967294,0"
"Item28"="c:\\program files\\emule\\incoming\\more songs>4294967294,0"
"Item38"="c:\\program files\\emule\\incoming>4294967294,0"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Classes\ed2k\DefaultIcon]
@="C:\\Program Files\\eMule\\emule.exe"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Classes\ed2k\shell\open\command]
@="\"C:\\Program Files\\eMule\\emule.exe\" \"%1\""

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003_Classes\ed2k\DefaultIcon]
@="C:\\Program Files\\eMule\\emule.exe"

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003_Classes\ed2k\shell\open\command]
@="\"C:\\Program Files\\eMule\\emule.exe\" \"%1\""

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\eMule\\emule.exe"="LHeMule v4.2"

; End Of The Log...



when i try to remove it through add/remove program i get this message:
could not load initialization file.

should i rescan with malwarebytes?

lihi.
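
Added example, not part of the thread or of Registry Search: a decoder for the hex(7) (REG_MULTI_SZ) values in the regsearch report above, which turns the byte list back into the strings the "; Contents of value:" comments show and pulls out the lanmanserver share definition so the shared folder is visible at a glance. The sample is constructed by copying the share entry and the WinRAR App Paths value from that report.

```python
"""Decode REG_MULTI_SZ ("hex(7)") values from a Registry Search (.reg-style) report.
Added example; SAMPLE_REG is constructed by copying the lanmanserver share entry
and the WinRAR App Paths value from the regsearch log in this thread."""
import re
from typing import Dict, List, Union

RegValue = Union[str, List[str]]

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"incoming"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,\
  00,00,4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,\
  00,39,00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,\
  43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,\
  00,6c,00,65,00,73,00,5c,00,65,00,4d,00,75,00,6c,00,65,00,5c,00,69,00,6e,00,\
  63,00,6f,00,6d,00,69,00,6e,00,67,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,\
  00,73,00,69,00,6f,00,6e,00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,\
  72,00,6b,00,3d,00,00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe]
"Path"="c:\\Program Files\\eMule\\incoming"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _join_continuations(text: str) -> List[str]:
    """Merge hex value lines that .reg files wrap with a trailing backslash."""
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if "=hex" in line and line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)
    if pending:
        logical.append(pending)
    return logical


def _unquote(quoted: str) -> str:
    """Strip the surrounding quotes and undo .reg backslash escaping."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def decode_multi_sz(data: str) -> List[str]:
    """'hex(7):43,00,...' -> the UTF-16LE strings of a REG_MULTI_SZ value."""
    body = data.split(":", 1)[1]
    raw = bytes(int(byte, 16) for byte in body.split(",") if byte.strip())
    # REG_MULTI_SZ is NUL-separated and ends with a double NUL; drop empties.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse [key] / "name"=data lines into {key: {value name: value}}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(";"):
            continue  # blank line or regsearch comment
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match is None or current is None:
            continue
        name, data = value_match.group("name"), value_match.group("data")
        name = "@" if name == "@" else _unquote(name)
        if data.startswith("hex(7):"):
            keys[current][name] = decode_multi_sz(data)
        elif data.startswith('"'):
            keys[current][name] = _unquote(data)
        else:
            keys[current][name] = data  # dword:, hex:, ... kept as text
    return keys


def share_definitions(keys: Dict[str, Dict[str, RegValue]]) -> Dict[str, Dict[str, str]]:
    """{share name: {setting: value}} for every lanmanserver Shares key."""
    shares: Dict[str, Dict[str, str]] = {}
    for key, values in keys.items():
        if not key.lower().endswith(r"\services\lanmanserver\shares"):
            continue
        for name, value in values.items():
            if isinstance(value, list):  # each string is "Setting=Value"
                shares[name] = dict(s.split("=", 1) for s in value if "=" in s)
    return shares
```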

katana
2009-08-26, 00:02
should i rescan with malwarebytes?

Please.





OTMoveIt
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop

Double-click OTM.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )



:Processes
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\emule]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe]
"Path"="C:\\Program Files\\WinRAR\\"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lion Heart's eMule Plusv4.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"=-
[-HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\eMule]
[-HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent]
[-HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\eMule]
[-HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Lion Heart's eMule]
[-HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Lion Heart's eMule Plus]
[-HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\TLN eMule Booster MOD]
:Files
C:\Program Files\eMule
c:\program files\RegCleaner
:Commands
[Purity]
[EmptyTemp]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


Close ALL open windows (especially Internet Explorer!)
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTM


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

lihi simchas
2009-08-26, 00:41
ok...

that's the OTM log:

All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\emule\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe\\"Path"|"C:\\Program Files\\WinRAR\\" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lion Heart's eMule Plusv4.2\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\\Program Files\\eMule\\emule.exe not found.
Registry key HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\eMule\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\eMule\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Lion Heart's eMule\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Lion Heart's eMule Plus\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-682003330-1220945662-2147183463-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\TLN eMule Booster MOD\ deleted successfully.
========== FILES ==========
C:\Program Files\eMule\temp\Source Lists moved successfully.
C:\Program Files\eMule\temp moved successfully.
C:\Program Files\eMule\plugins moved successfully.
C:\Program Files\eMule\incoming\רוקפור moved successfully.
C:\Program Files\eMule\incoming\עברי לידר - יותר טוב כלום מכמעט moved successfully.
C:\Program Files\eMule\incoming\גן חיות - גן חיות moved successfully.
C:\Program Files\eMule\incoming\zipped translations moved successfully.
C:\Program Files\eMule\incoming\translation moved successfully.
C:\Program Files\eMule\incoming\The.Deer.Hunter moved successfully.
C:\Program Files\eMule\incoming\The Good, the Bad & the Ugly-Heb-29.97 moved successfully.
C:\Program Files\eMule\incoming\Solyaris.subs.SOUTHSiDE_english moved successfully.
C:\Program Files\eMule\incoming\Reggae versions of Radiohead's Ok Computer moved successfully.
C:\Program Files\eMule\incoming\PDFs moved successfully.
C:\Program Files\eMule\incoming\NetlLimiter 1.30 + Patch moved successfully.
C:\Program Files\eMule\incoming\more translations moved successfully.
C:\Program Files\eMule\incoming\more songs moved successfully.
C:\Program Files\eMule\incoming\hiphop moved successfully.
C:\Program Files\eMule\incoming\Babylon.Pro.v5.0.6.r13.Heb.Eng.Heb.Incl.Key.[WarezFaw.Com] moved successfully.
C:\Program Files\eMule\incoming\Audio moved successfully.
C:\Program Files\eMule\incoming\Advanced AVI Splitter v1.29.0.51 Crack-TBE moved successfully.
C:\Program Files\eMule\incoming moved successfully.
C:\Program Files\eMule\feeds moved successfully.
C:\Program Files\eMule\config\Backup2 moved successfully.
C:\Program Files\eMule\config\Backup moved successfully.
C:\Program Files\eMule\config moved successfully.
C:\Program Files\eMule moved successfully.
c:\program files\RegCleaner\Languages moved successfully.
c:\program files\RegCleaner moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: HelpAssistant
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: user
->Temp folder emptied: 77576120 bytes
->Temporary Internet Files folder emptied: 9368024 bytes
->Java cache emptied: 25621134 bytes
->Google Chrome cache emptied: 9120120 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 1119318 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 117.15 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08262009_013206

Files moved on Reboot...

Registry entries deleted on Reboot...





i'm running a full scan now with malwarebytes, but i found out that all the malicious objects that were found before are now in the quarantine list,
so i guess that some action was taken after all... strange it didn't appear in the log.

i'll post the malwarebytes log later, though i guess it will be clean.

thanks,

lihi.

lihi simchas
2009-08-26, 01:25
yes, the MBAM log is clean:

Malwarebytes' Anti-Malware 1.40
Database version: 2693
Windows 5.1.2600 Service Pack 2

26/08/2009 02:27:52
mbam-log-2009-08-26 (02-27-52).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Objects scanned: 186890
Time elapsed: 45 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



lihi

katana
2009-08-26, 01:34
Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First let's tidy up



Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png




Uninstall OTMoveIt (OTM.exe)
Open OTMoveIt Click Cleanup,
When a box pops up click YES.


You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
(Vista users must ensure that any programs are Vista compatible BEFORE installing)

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you; see HERE (http://secunia.com/software_inspector/) for details.

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free (for home users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A new and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some!! Notifies you if programs are added to startup, and allows delayed startup. A must-have addition.
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol.
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other hosts file protections.

Internet Browsers
Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative.
Netscape (http://browser.netscape.com/addons) Another popular alternative; also has addons available.

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.

Both of these can be cleaned manually, but a quicker option is to use a program:
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible; you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

lihi simchas
2009-08-26, 13:12
yep, everything seems to be fine now.

THANKS A LOT!!! you've been a great help!

lihi.