Panda found some Hacking thing ...?



WillyT
2006-09-26, 04:37
Hello guys,

I performed a few scans with ewido, Norton, SB S&D and they didn't find anything. I did an online scan using Panda and it found something that it says is some hacking tool on my computer. It says the file is in "Local folder/deleted items/Billing update". I searched for this and could not find it. I will copy the Panda scan report and an HJT report. Thanks for the help!!


Incident Status Location

Hacktool:Exploit/URLSpoof Not disinfected Local Folders\Deleted Items\Billing Update
HJT report:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:42 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SK9910DM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Ltho] "C:\WINDOWS\system32\SMANTE~1\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096426802265
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

LonnyRJones
2006-09-30, 01:54
Hacktool:Exploit/URLSpoof Not disinfected Local Folders\Deleted Items\Billing Update

I might be mistaken, but that sounds like the Deleted Items in Outlook, so open your email program and delete all deleted and old saved/sent items.

Let's get a look at a ComboFix log.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large you might need to post half in one reply and half in another.

WillyT
2006-10-04, 04:54
Hello and thanks for the help! I went into my email and saved everything to a CD and deleted every message from Outlook; there is nothing in it now, nor in my "Deleted Items" folder on the desktop. I had no messages in the Deleted Items folder, so it is weird. I ran ComboFix as instructed and saved the report. I also ran Panda again but it still finds the "hacking Spoof" thing. It also found some spyware this time, which I guess I picked up recently. Here are both reports.

Incident Status Location

Adware:Adware/Lop Not disinfected C:\Documents and Settings\Owner\Application Data\ezpinst.exe
Hacktool:Exploit/URLSpoof Not disinfected Local Folders\Deleted Items\Billing Update
ComboFix report!!!
Owner - 06-10-02 17:04:29.18 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\PPATCH~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\SMANTE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\SMANTE~1\ctxad-466.0000
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\SMANTE~1\ctxad-466.0001
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\SMANTE~1\ctxad-466.0002
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\SMANTE~1\ctxad-466.0003
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\SMANTE~1\ctxad-466.0004
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\SMANTE~1\ctxad-466.0005


((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


2006-09-18 18:35 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2006-09-13 17:19 21,312 --a------ C:\WINDOWS\choice.exe
2006-09-07 23:40 9,216 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-09-02 14:43 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-01 22:14 -------- d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2006-09-29 14:51 -------- d-------- C:\Documents and Settings\Owner\Application Data\Vso
2006-09-28 18:09 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-28 17:44 -------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2006-09-24 21:55 -------- d-------- C:\Program Files\Windows Defender
2006-09-24 21:55 -------- d-------- C:\Program Files\Symantec
2006-09-24 21:55 -------- d-------- C:\Program Files\SpywareGuard
2006-09-24 21:55 -------- d-------- C:\Program Files\QuickTime
2006-09-24 21:52 -------- d-------- C:\Program Files\Messenger
2006-09-24 21:50 -------- d-------- C:\Program Files\Internet Explorer
2006-09-24 21:50 -------- d-------- C:\Program Files\Google
2006-09-24 21:50 -------- d-------- C:\Program Files\EarthLink TotalAccess
2006-09-24 21:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-09-23 15:49 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-23 12:13 -------- d-------- C:\Program Files\WinZip
2006-09-23 12:12 -------- d-------- C:\Program Files\PowerISO
2006-09-19 18:13 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-09-19 18:13 -------- d-------- C:\Program Files\Common Files
2006-09-19 18:09 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-19 18:07 -------- d-------- C:\Program Files\Adobe
2006-09-19 17:58 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-19 17:49 -------- d-------- C:\Program Files\Nero
2006-09-19 17:43 -------- d-------- C:\Program Files\Common Files\Adaptec Shared
2006-09-19 17:36 -------- d-------- C:\Program Files\DVD Shrink
2006-09-18 18:35 81920 --a------ C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-09-18 18:35 7176 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.cat
2006-09-18 18:35 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-09-18 18:35 34 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.log
2006-09-18 18:35 1144 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.inf
2006-09-18 18:35 -------- d-------- C:\Program Files\vso
2006-09-11 23:07 -------- d-------- C:\Documents and Settings\Owner\Application Data\Google
2006-09-11 22:28 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-11 22:17 -------- d-------- C:\Program Files\Norton Internet Security
2006-09-08 23:18 -------- d-------- C:\Program Files\CCleaner
2006-09-08 19:03 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-06 18:04 -------- d-------- C:\Program Files\Java
2006-09-05 22:47 -------- d-------- C:\Program Files\Lavasoft
2006-09-05 22:47 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-09-05 22:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-05 22:38 -------- d-------- C:\Program Files\EPSON
2006-09-05 22:33 -------- d-------- C:\Program Files\SolidWorks
2006-09-05 22:23 -------- d-------- C:\Program Files\Microsoft Office
2006-09-05 22:22 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-05 22:22 -------- d-------- C:\Program Files\Common Files\Bluebeam Software
2006-09-02 15:02 2 --a------ C:\WINDOWS\system32\wapisvcc.exe
2006-08-29 18:20 -------- d-------- C:\Program Files\EarthLink
2006-08-29 16:39 -------- d-------- C:\Program Files\Azureus
2006-08-24 18:46 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-08-24 18:46 286720 --------- C:\WINDOWS\Setup1.exe
2006-08-24 18:46 -------- d-------- C:\Program Files\Transfer
2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 01:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-07-27 05:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 00:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-03 16:48 4449695 --a------ C:\Program Files\ip1600xp190us.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpySweeper"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
"Ltho"="\"C:\\WINDOWS\\system32\\SMANTE~1\\ntvdm.exe\" -vt yazr"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
@=""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"GWMDMMSG"="GWMDMMSG.exe"
"Ink Monitor"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

Completion time: Mon 10/02/2006 17:06:03.75
ComboFix.txt

LonnyRJones
2006-10-04, 06:41
Start HijackThis and place a check next to these items, if there.
O4 - HKCU\..\Run: [Ltho] "C:\WINDOWS\system32\SMANTE~1\ntvdm.exe" -vt yazr
====================================
Hit Fix checked and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Set Windows to show hidden extensions, files and folders.
click for> instructions. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Go here and submit each of these files and report back the results.
http://www.virustotal.com/flash/index_en.html
C:\Program Files\ip1600xp190us.exe
C:\Documents and Settings\Owner\Application Data\ezpinst.exe

It's not clear where Deleted Items is in the Panda log; perhaps a different online scan will help.
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click Scan Settings and place a check next to Use [x] extended database, etc. Click OK.
Then choose My Computer: scan all your hard drives and mapped disks.
When finished, click Save as Text and post that in your reply.
We don't need to see items listed as "Object is locked skipped", so edit those out.
We do not need to see items reported that are in an antivirus quarantine folder.
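The O4 line Lonny singles out is the kind of entry a helper spots by eye. As an added example (not from the thread, and not part of HijackThis or ComboFix), the script below triages the O4 Run-key lines of a HijackThis log with two heuristics that both fire on the [Ltho] entry: an 8.3 short-name folder under system32, and a native system32 binary (ntvdm.exe) started from a subfolder rather than from system32 itself. The list of native binaries is an assumption of the example, and the sample log is constructed from the O4 lines posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A HijackThis O4 line records an autostart value from a Run key, e.g.
#   O4 - HKCU\..\Run: [Ltho] "C:\WINDOWS\system32\SMANTE~1\ntvdm.exe" -vt yazr
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# Assumption of this example: binaries that, on Windows XP, live directly in
# %SystemRoot%\system32. Any of them launched from a *subfolder* of system32
# deserves a second look.
SYSTEM32_NATIVES = {"ntvdm.exe", "svchost.exe", "ctfmon.exe", "winlogon.exe", "lsass.exe"}


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    exe: str                 # executable as written in the Run value
    args: str
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Split a Run value into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_o4(line: str) -> Optional[RunEntry]:
    """Return a RunEntry for an O4 Run-key line, or None for any other log line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m.group("cmd"))
    return RunEntry(m.group("hive"), m.group("key"), m.group("name"), exe, args)


def assess(entry: RunEntry) -> RunEntry:
    """Attach heuristic findings to the entry; an empty list means nothing stood out."""
    target = entry.exe
    # RUNDLL32 is only a host process; what actually runs is the DLL in the arguments.
    if target.lower().endswith("rundll32.exe") and entry.args:
        target = entry.args.split(",", 1)[0].strip()
    path = target.lower()
    parent, _, base = path.rpartition("\\")

    # 1. An 8.3 short name (FOO~1) used as a folder under system32. Installers write
    #    long names; a short name here usually belongs to a folder chosen to look like
    #    something else (SMANTE~1 reads as "Symantec" in a directory listing).
    if re.search(r"\\system32\\[^\\]*~\d", path):
        entry.reasons.append("8.3 short-name folder under system32")

    # 2. A native system32 binary started from somewhere other than system32 itself.
    if base in SYSTEM32_NATIVES and "\\system32\\" in path:
        sys32 = path[: path.index("\\system32\\") + len("\\system32")]
        if parent != sys32:
            entry.reasons.append(f"{base} started from {parent}, not {sys32}")
    return entry


def triage(log_text: str) -> List[RunEntry]:
    """Parse every O4 Run-key line in a HijackThis log and return those with findings."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


# Constructed sample input: O4 lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Ltho] "C:\WINDOWS\system32\SMANTE~1\ntvdm.exe" -vt yazr
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.hive}\\..\\{e.key}] {e.name}: {e.exe} {e.args}")
        for r in e.reasons:
            print("   -", r)
```

Only the [Ltho] entry is reported for the sample; the legitimate ctfmon.exe entry passes because its parent folder is system32 itself.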

WillyT
2006-10-05, 03:37
Hello Lonny,

I did as instructed. I couldn't get the link to the VirusTotal website to work. I disabled my popup blocker and tried to open the site again, but the link doesn't work for me. I looked at the files you mentioned and believe one of them is the driver installer for a printer I used temporarily some time ago. The other one, I have no idea what it is. I ran Kaspersky and it found a bunch of things; I cleaned the report as you wanted. Here it is:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 04, 2006 8:02:16 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/10/2006
Kaspersky Anti-Virus database records: 228862
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 47528
Number of viruses found: 7
Number of infected objects: 12 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:20:22

Infected Object Name / Virus Name / Last Action

C:\Sierra\Half-Life\update\hl1110.exe/WISE0025.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped
C:\Sierra\Half-Life\update\hl1110.exe WiseSFX: infected - 1 skipped

C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP523\A0101298.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP523\A0101299.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP524\A0104528.dll Infected: Trojan-Downloader.Win32.Zlob.aix skipped
C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP524\A0104530.exe Infected: not-a-virus:Downloader.Win32.WinFixer.r skipped
C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP530\A0104927.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP549\A0106278.exe/data0002 Infected: not-a-virus:AdWare.Win32.MediaTickets.n skipped
C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP549\A0106278.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP549\A0106278.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{4A409BA5-2911-44A7-8473-A035260A5521}\RP549\A0106282.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\VundoFix Backups\mljge.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped


Scan process completed.

Thanks for the help!!! I really appreciate your help!

LonnyRJones
2006-10-05, 07:05
Which one of the files is it you recognize?

C:\VundoFix Backups < go ahead and delete that folder

C:\Sierra\Half-Life\update\hl1110.exe WiseSFX: infected - 1 skipped
Did you download that with a file-sharing program?

WillyT
2006-10-05, 15:54
The file I recognized is "C:\Program Files\ip1600xp190us.exe". This I believe I downloaded for the drivers for a Canon iP1600 color printer from the Canon website. I don't need it anymore though, so I will delete it. I will delete the Vundo file you mentioned. Finally, Half-Life is a game I used to have on the computer and I downloaded the updates as they came out from different mirror sites, but not using a file sharing program. I uninstalled this game some time ago so I don't need this either. This may be a leftover from a bad uninstall or it may have been infected. I had a really bad infection about a month ago and I cleaned it with you guys' help. These files may have become infected then? I can delete them; they are of no more use to me. Any ideas why the VirusTotal website doesn't work? Thanks for the help Lonny.

LonnyRJones
2006-10-05, 20:16
Put in place a good hosts file.
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

Out of curiosity, try VirusTotal again.
Submit C:\WINDOWS\Setup1.exe

I'm not sure where "Local folder/deleted items/Billing update" is; search for
"billing update" or "deleted items" and let me know.

WillyT
2006-10-06, 02:16
I still can't open the VirusTotal website!! It comes back as "page not found". I tried doing it from work and it does open, so it is my computer. I downloaded IE version 7, thinking that updating my browser would help, but it didn't. Any ideas? I am performing a small clean up of the files that I don't use anymore. I will run Kaspersky again and post the results. Thanks for your help!

LonnyRJones
2006-10-09, 10:52
Did you install the hosts file ?

Try this site to submit suspicious files:
http://virusscan.jotti.org/

WillyT
2006-10-12, 04:25
Hello Lonny,

Sorry it took me a while to answer. Yes, I did load the hosts file. I also went to Kaspersky and did an online scan and it found a bunch of things. I loaded Kaspersky and ran it. It cleared some stuff, including the Virtumonde virus? I went back to Panda online and it still finds this hacking tool in that weird folder. I ran Kaspersky again on my email files, and while it was running I noticed that it looks into the same directory, "Local files\deleted items", where Panda finds the suspicious file, but Kaspersky doesn't find it! I tried doing a search in different ways for the folder but can't find it. I see in my Windows system folder a lot of "$NtServicePackUninstallNLSDownlevelMapping$" and some similar folders that are kind of faded out. What is that, like uninstall info from deleted programs? Can I delete those? I also figured out why I couldn't open the VirusTotal website. I was running Macromedia Flash Player version 8. I downloaded the new version 9 and it solved the problem. I hope this will help someone who runs into this situation. I will check the files you told me about in VirusTotal. Thanks for your help. I will come back with any info.

LonnyRJones
2006-10-12, 07:21
Do not delete any of those various $MSI31Uninstall_KB893803$ folders,
or for that matter anything, without lots and lots of research.

I think what Panda is seeing is a false positive, but you can try this:
In Outlook go to File | Folder | Compact All Folders.

Good, you can access VirusTotal.

LonnyRJones
2006-10-19, 10:33
How's that PC, WillyT?

WillyT
2006-10-20, 04:05
Well, it all seems fine. I tried many things and it looks like my computer is clean, but for that weird thing Panda finds. I checked the files you asked me about and they came back clean. I deleted the ones I was not using anymore. I appreciate your help a lot. I suppose it is like you said, that Panda is finding a negative. I will ignore it for now. If there is anything else I will create a new thread. You can close this one now. Again, thanks a lot for your help. Keep up the good work!!!

LonnyRJones
2006-10-20, 12:57
I'm glad we could help.
Since the problems are solved, I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.
If you should need to post another log for the same PC, let one of us know via a PM (personal message).

Surf safe