Thread: one more virtumundo attack
  1. #1
    Junior Member
    Join Date: Aug 2007
    Posts: 12

    one more virtumundo attack

    Yes, you guessed it: I have been infected. I have already taken the following steps, from other sites that I thought could help: I downloaded VundoFix and VirtumundoBeGone and ran both. The attacks seemed to lessen but have not stopped. One thing that I see is a Windows Script error that pops up with the message C:\Program Files\func.js; that is how I found this forum, by doing a search for that code. I have also downloaded the Search and Destroy program, performed the scan, and removed everything that I could.
    Also, please be patient with me. I have pasted the logs and they look really nasty length-wise; if I have not posted them correctly, please work with me and let me know. I would like you to help me without wasting too much of your time.

    So here we go.

    Here is the HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:42:50 AM, on 8/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\SiteAdvisor\6066\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\AOL\1147829694\ee\AOLSoftware.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Updater.exe
    C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Messenger\hocypeg22011.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\WINDOWS\system32\wscript.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16316
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: XBTBPos00 - {A50B6E91-4081-4B37-BEA1-AD98A3CD51BA} - C:\PROGRA~1\EMUSIC~2\EMUSIC~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: eMusic Toolbar - {F8CC9B08-C14F-4A5C-B73B-518AFECC067A} - C:\Program Files\eMusic Toolbar\emusicToolbar.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147829694\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [hocypeg] C:\Program Files\Messenger\hocypeg22011.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: McAfee Application Installer Cleanup (0040341187296891) (0040341187296891mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\004034~1.EXE
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    Kaspersky log in next post.
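
    The HijackThis O4 entries above and the Kaspersky "Infected:" lines in the next post are two views of the same machine, and a common triage step is to join them so that every autostart entry carries the scanner's verdict and every flagged file that no Run key references stands out. The script below is an added example and is not part of the original thread or of either tool; its sample lines are constructed in the shape of the logs posted here (a handful of each), and its path-extraction rules (quoted path, unquoted path up to the executable extension, empty command) are assumptions about the log format, not HijackThis's own parser.

```python
import re

# Constructed sample input, shaped like the HijackThis O4 lines and the
# Kaspersky "Infected:" lines posted in this thread (a handful of each).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [hocypeg] C:\Program Files\Messenger\hocypeg22011.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

KAV_SAMPLE = r"""
C:\Documents and Settings\BH\Local Settings\Temporary Internet Files\Content.IE5\C9AZG52F\83122[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\Messenger\hocypeg22011.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\WINDOWS\system32\xmhlycnq.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# O4 autostart line: "O4 - HKLM\..\Run: [label] command" (assumed shape)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\]\s?(?P<command>.*)$"
)
# Kaspersky verdict line: "<path> Infected: <verdict> skipped" (assumed shape)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
EXEC_RE = re.compile(r"(.*?\.(?:exe|com|scr|bat|cmd|vbs|js|dll))(?=\s|$)", re.IGNORECASE)


def extract_target(command):
    """Pull the program path out of a Run-key command string.

    Handles the three shapes seen in the log: a quoted path followed by
    arguments, an unquoted path followed by arguments, and an empty command
    (returns None).
    """
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXEC_RE.match(command)
    return m.group(1) if m else command.split()[0]


def parse_infections(kav_text):
    """Map lower-cased file path -> scanner verdict for every 'Infected:' line.

    An archive member such as 'foo.exe/data0004' is recorded under the
    containing file 'foo.exe', since that is the object actually on disk.
    """
    verdicts = {}
    for line in kav_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            container = m.group("path").split("/")[0]
            verdicts.setdefault(container.lower(), m.group("verdict"))
    return verdicts


def classify(target, verdicts):
    """Attach a triage status to one autostart target."""
    if target is None:
        return "empty command"
    if target.lower() in verdicts:
        return "infected: " + verdicts[target.lower()]
    if not re.match(r"^[A-Za-z]:\\", target):
        return "unresolved (bare filename or relative path; locate it on disk first)"
    return "not flagged by the scanner"


def triage(hjt_text, kav_text):
    """Return one record per O4 Run entry with the scanner's verdict attached."""
    verdicts = parse_infections(kav_text)
    records = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # O2/O3/O23/Global Startup lines are out of scope here
        target = extract_target(m.group("command"))
        records.append({
            "hive": m.group("hive"),
            "label": m.group("label"),
            "target": target,
            "status": classify(target, verdicts),
        })
    return records


def unreferenced_infections(hjt_text, kav_text):
    """Scanner-flagged files that no O4 entry points at; they may be loaded
    by another autostart type or be leftovers of a dropper and still need a look."""
    referenced = {r["target"].lower() for r in triage(hjt_text, kav_text) if r["target"]}
    return sorted(p for p in parse_infections(kav_text) if p not in referenced)


if __name__ == "__main__":
    for r in triage(HJT_SAMPLE, KAV_SAMPLE):
        print(f"{r['hive']} [{r['label']}] {r['target']!r}: {r['status']}")
    print("flagged but not in any Run key:", unreferenced_infections(HJT_SAMPLE, KAV_SAMPLE))
```

    Run against the sample, the script marks the [hocypeg] entry as the adware the scanner named, leaves the vendor entries as "not flagged", and separately lists xmhlycnq.exe, which the scanner flagged but no Run key references. The "unresolved" status for bare filenames such as stsystra.exe is deliberate: HijackThis prints what the registry value says, so a target without a drive letter has to be located on disk before it can be judged either way.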

  2. #2
    Junior Member
    Join Date: Aug 2007
    Posts: 12

    And here is the Kaspersky virus scanner log.
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    D:\
    Scan Statistics
    Total number of scanned objects 101879
    Number of viruses found 4
    Number of infected objects 9
    Number of suspicious objects 0
    Duration of the scan process 01:16:06

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{2F0EF3D7-D684-4F0B-9C48-2065A15DA72B}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\cert8.db Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\history.dat Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\key3.db Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\parent.lock Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\BH\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\BH\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped
    C:\Documents and Settings\BH\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\AOL OCP\AIM\Storage\data\bahspike\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Messenger\bahspike@hotmail.com\SharingMetadata\infected.dat Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Messenger\bahspike@hotmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Messenger\bahspike@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Messenger\bahspike@hotmail.com\SharingMetadata\Working\database_8CC8_2D0D_C82C_F75C\dfsr.db Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Messenger\bahspike@hotmail.com\SharingMetadata\Working\database_8CC8_2D0D_C82C_F75C\fsr.log Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Messenger\bahspike@hotmail.com\SharingMetadata\Working\database_8CC8_2D0D_C82C_F75C\fsrtmp.log Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Messenger\bahspike@hotmail.com\SharingMetadata\Working\database_8CC8_2D0D_C82C_F75C\tmp.edb Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Windows Live Contacts\bahspike@hotmail.com\real\members.stg Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Microsoft\Windows Live Contacts\bahspike@hotmail.com\shadow\members.stg Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Mozilla\Firefox\Profiles\s687ss53.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\History\History.IE5\MSHist012007081620070817\index.dat Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\JETDA5D.tmp Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\Perflib_Perfdata_14ec.dat Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\Perflib_Perfdata_f9c.dat Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\sqlite_ekFqKykxZdemisY Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\sqlite_jqFKzTYg0ilIThR Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\~DF287F.tmp Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\~DF289E.tmp Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\~DF7039.tmp Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temp\~DF8001.tmp Object is locked skipped
    C:\Documents and Settings\BH\Local Settings\Temporary Internet Files\Content.IE5\C9AZG52F\83122[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\Documents and Settings\BH\Local Settings\Temporary Internet Files\Content.IE5\C9AZG52F\83122[1].exe NSIS: infected - 1 skipped
    C:\Documents and Settings\BH\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\BH\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\BH\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Messenger\hocypeg22011.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\RECYCLER\S-1-5-21-1173589547-3773523367-261121668-1005\Dc1.bad Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\RECYCLER\S-1-5-21-1173589547-3773523367-261121668-1005\Dc2.bad Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\RECYCLER\S-1-5-21-1173589547-3773523367-261121668-1005\Dc3.bad Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F403BCB5-08E3-47C5-ADCD-903D7E316F08}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{EF1CC34A-5C5C-47DB-BF1C-043E0B915A07}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\X1\x22011.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\WINDOWS\system32\X1\x22011.exe NSIS: infected - 1 skipped
    C:\WINDOWS\system32\xmhlycnq.exe Infected: Trojan.Win32.Agent.aoy skipped
    C:\WINDOWS\Temp\mcafee_lF5FVD7ZkVme1cN Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_AqekcoILarOv4rK Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_O2e1t0H9pu1j2XI Object is locked skipped
    C:\WINDOWS\Temp\sqlite_9mRBG4XVzv3ebDA Object is locked skipped
    C:\WINDOWS\Temp\sqlite_Y8BSl5m5sLQqg0O Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.

  3. #3
    Junior Member
    Join Date: Aug 2007
    Posts: 12

    Bump. I saw that it was almost off the list of topics when I searched. I do not know how it is decided who works on what; it just makes me feel better knowing that it can be seen. Still waiting, though.

  4. #4
    Security Expert-Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 3,934

    Hello 1more2thelist and welcome to the Forums

    You're infected.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  5. #5
    Junior Member
    Join Date: Aug 2007
    Posts: 12

    Hi MR_JAK3, thanks for your help. Here is the log from ComboFix.

    ComboFix 07-08-14.4 - "BH" 2007-08-19 18:45:23.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.374 [GMT -4:00]


    ((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


    2007-08-19 18:22 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-17 08:04 218,112 --a------ C:\Program Files\HijackThis.exe
    2007-08-16 16:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-08-16 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-16 08:57 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-08-15 15:12 <DIR> d-------- C:\VundoFix Backups
    2007-08-15 13:16 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-08-15 02:07 <DIR> d-------- C:\DOCUME~1\BH\APPLIC~1\Google
    2007-08-15 02:06 <DIR> d-------- C:\WINDOWS\system32\runtime
    2007-08-15 02:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-08-15 02:05 <DIR> d-------- C:\Program Files\Google
    2007-08-15 02:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
    2007-08-15 01:57 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-08-15 01:57 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-08-15 01:57 40,264 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-08-15 01:57 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-08-15 01:56 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-08-15 01:56 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-08-15 01:56 <DIR> d-------- C:\DOCUME~1\BH\APPLIC~1\PC Tools
    2007-08-14 23:24 1,707,554 ---hs---- C:\WINDOWS\system32\oqtwa.ini2
    2007-08-14 22:37 <DIR> d-------- C:\Program Files\Lavasoft
    2007-08-14 22:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-14 22:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-14 20:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-14 20:34 <DIR> d-------- C:\Program Files\RegistrySmart
    2007-08-14 20:34 <DIR> d-------- C:\DOCUME~1\BH\APPLIC~1\RegistrySmart
    2007-08-14 00:27 <DIR> d-------- C:\WINDOWS\system32\checkdll
    2007-08-14 00:27 <DIR> d-------- C:\Temp


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-19 18:32 --------- d-------- C:\Program Files\Windows Plus
    2007-08-19 18:30 --------- d-------- C:\Program Files\Plaxo
    2007-08-19 18:29 --------- d-------- C:\Program Files\McAfee
    2007-08-17 08:57 12381 --a------ C:\Program Files\hjt.log1.txt
    2007-08-17 08:42 12381 --a------ C:\Program Files\hijackthis.log
    2007-08-14 22:39 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-08-14 22:39 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-14 00:27 --------- d-------- C:\Program Files\Messenger
    2007-08-03 13:40 5642 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-08-03 13:40 104 -r-hs---- C:\WINDOWS\system32\7D08856475.sys
    2007-07-30 18:18 --------- d-------- C:\Program Files\Common Files\McAfee
    2007-07-24 12:02 33800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2007-07-24 07:40 79304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2007-07-21 09:08 40488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2007-07-21 09:08 35240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2007-07-21 09:08 201288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2007-07-13 09:20 113952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2007-07-11 15:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-11 15:09 --------- d-------- C:\Program Files\LizardTech
    2007-07-07 10:58 --------- d-------- C:\Program Files\PlayOnline
    2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-26 10:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-15 04:12 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
    2007-06-15 04:12 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-15 04:12 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-15 04:12 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-15 04:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-06-15 04:12 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-15 04:12 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-06-15 04:12 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-06-15 04:12 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-06-15 04:12 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
    2007-06-15 04:12 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-06-15 04:12 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-15 04:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-06-15 04:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-06-15 04:12 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-15 04:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
    2007-06-15 04:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
    2007-06-14 06:32 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
    2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
    2007-07-27 06:20 324936 --a------ C:\Program Files\McAfee\MSK\mcapbho.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 C:\WINDOWS\stsystra.exe]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-06 11:45]
    "ShowLOMControl"="1 (0x1)" []
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 19:56]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 11:44]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
    "HostManager"="C:\Program Files\Common Files\AOL\1147829694\ee\AOLSoftware.exe" [2006-05-09 20:24]
    "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 14:46]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 10:51]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 14:46]
    "iRiver Updater"="\Updater.exe" [2004-07-01 17:20]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-01-17 15:24]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-18 16:20]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 18:04]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 17:58]
    "hocypeg"="C:\Program Files\Messenger\hocypeg22011.exe" [2007-08-07 16:30]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-14 17:02]
    "RegistryMechanic"="" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24]
    "PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-06-16 14:38]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 12:11:42]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-11 19:21:16]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-15 02:05:22]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

    R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
    S3 AngelUsb;Angel USB MPEG Device;C:\WINDOWS\system32\DRIVERS\AngelUsb.sys
    S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
    S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
    S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
    S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    AutoRun\command- E:\setup.exe

    *Newly Created Service* - CATCHME

    Contents of the 'Scheduled Tasks' folder
    2007-08-15 22:55:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    2007-08-15 05:16:43 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
    2007-07-01 05:00:08 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe
    2007-08-18 07:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart\RegistrySmart.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-19 18:47:05
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-19 18:47:54
    C:\ComboFix-quarantined-files.txt ... 2007-08-19 18:47
    C:\ComboFix2.txt ... 2007-08-19 18:35

    --- E O F ---

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi

    We'll continue...

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    DirLook::
    C:\WINDOWS\system32\checkdll
    
    File:: 
    C:\WINDOWS\system32\oqtwa.ini2
    C:\WINDOWS\system32\xmhlycnq.exe 
    C:\Program Files\Messenger\hocypeg22011.exe

    Save this as
    CFScript




    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log with a fresh hjt log.


    Please run a GMER Rootkit scan:

    Download GMER's application from here:
    http://www.gmer.net/gmer.zip

    Unzip it and start the GMER.exe
    Click the Rootkit tab and click the Scan button.

    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply.

    Warning ! Please, do not select the "Show all" checkbox during the scan.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
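    The helper's CFScript above singles out a handful of items from the ComboFix log (the hidden+system oqtwa.ini2 in system32, the checkdll folder and the autostart under C:\Program Files\Messenger). The script below is an added example, not part of this thread or of ComboFix, that reproduces that kind of triage mechanically: it parses the file records and the Run-key entries from a constructed excerpt of the log posted above and flags (a) recently created or changed files carrying both the hidden and system attributes and (b) autostart entries whose target sits in a directory that shows up in the recently changed list. The two rules are my own assumptions about what makes an entry worth a closer look, not rules ComboFix or the helper state; hidden+system is only a hint, since legitimate licensing and copy-protection components use those attributes too, so the output is a review list, not a verdict.

```python
import ntpath
import re

# Constructed excerpt of the ComboFix log from this thread; the real log is
# longer, but the record formats are the same.
SAMPLE_LOG = r"""
2007-08-14 23:24 1,707,554 ---hs---- C:\WINDOWS\system32\oqtwa.ini2
2007-08-14 00:27 <DIR> d-------- C:\WINDOWS\system32\checkdll
2007-08-14 00:27 <DIR> d-------- C:\Temp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 00:27 --------- d-------- C:\Program Files\Messenger
2007-08-03 13:40 5642 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-03 13:40 104 -r-hs---- C:\WINDOWS\system32\7D08856475.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]
"hocypeg"="C:\Program Files\Messenger\hocypeg22011.exe" [2007-08-07 16:30]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"RegistryMechanic"="" []
"""

# A file record: "<date> <time> <size|<DIR>|---------> <9-char attrs> <path>".
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S{9})\s+(.+?)\s*$')
# A registry key header and a "name"="value" [timestamp] line beneath it.
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]')


def parse_log(text):
    """Return (files, dirs, runs): file path -> attribute string, lowercase
    set of changed directories, and (key, name, target) for Run-key values."""
    files, dirs, runs = {}, set(), []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            _stamp, _size, attrs, path = m.groups()
            if attrs.startswith('d'):          # 'd' in the first column = directory
                dirs.add(path.lower())
            else:
                files[path] = attrs
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith('\\run'):
            runs.append((key, m.group(1), m.group(2)))
    return files, dirs, runs


def triage(text):
    """Apply the two (assumed) review heuristics; returns [(path, reason)]."""
    files, dirs, runs = parse_log(text)
    findings = []
    # Rule (a): hidden + system attributes on a recently created/changed file.
    for path, attrs in files.items():
        if 'h' in attrs and 's' in attrs:
            findings.append((path, 'hidden+system file created or changed recently'))
    # Rule (b): an autostart whose target is itself new, or whose parent
    # directory appears among the recently changed directories.
    for _key, name, target in runs:
        if not target:                          # empty value, e.g. "RegistryMechanic"=""
            continue
        parent = ntpath.dirname(target).lower()
        if target in files:
            findings.append((target, f'autostart "{name}" points at a recently created file'))
        elif parent in dirs:
            findings.append((target, f'autostart "{name}" lives in a recently changed directory'))
    return findings


if __name__ == '__main__':
    for path, reason in triage(SAMPLE_LOG):
        print(f'REVIEW  {path}\n        {reason}')
```

Run on the excerpt, the script lists oqtwa.ini2 and the hocypeg22011.exe autostart, the same two files the helper put under File::, plus the two other hidden+system .sys files as review candidates; ehtray.exe and mcagent.exe are not flagged because neither their files nor their folders appear in the recent-change records.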
