
Thread: Virtumonde headache

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Virtumonde headache

    I tried using Spybot to destroy Virtumonde, but it keeps returning. Below are my HJT log and ComboFix log.

    HJT Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:58, on 2008-12-04
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ccs.exe
    C:\Program Files\Remote Services\AM.utEventServer.exe
    C:\Program Files\IP VPN Remote Services\cvpnd.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\slClient.exe
    C:\WINDOWS\TIREMOTE\wuser32.exe
    C:\WINDOWS\TIREMOTE\TIRemoteService.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\Program Files\Remote Services\AM.blScriptEngine.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINDOWS\system32\slagent.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uap.cag
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\ADU.exe" -nogui
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Verizon IP VPN Remote Services.lnk = C:\Program Files\IP VPN Remote Services\vpngui.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: http://*.teamwork
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://dcptrend01:4343/officescan/c...l/WinNTChk.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://dcptrend01:4343/officescan/c...l/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://dcptrend01:4343/officescan/c...tall/setup.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {2739E75C-A4A1-438D-8914-190654B4E4EA} (epcInstallerConnector Class) - http://dcdcogweb1/cognos8/contributo...nstaller83.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://dcptrend01:4343/officescan/c...RemoveCtrl.cab
    O16 - DPF: {8B20D871-F641-4891-8A5D-C813FFB017CB} (Contributor Web Client Connector) - http://dcdcogweb1/cognos8/contributo...ientfull83.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/T25L/webex/ieatgpc.cab
    O20 - AppInit_DLLs: cqowgb.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Access Manager Event Service (AM.EventService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.utEventServer.exe
    O23 - Service: Access Manager Install Service (AM.InstallService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.InstallService.exe
    O23 - Service: Access Manager Script Service (AM.ScriptService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.blScriptEngine.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINDOWS\system32\ccs.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\IP VPN Remote Services\cvpnd.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: MCI Wireless Engine - Unknown owner - C:\Program Files\Remote Services\WENGINE2\BWEngine.exe
    O23 - Service: MCI WMonitor - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE2\WMonitor.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\slClient.exe
    O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
    O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

    --
    End of file - 11530 bytes


    Combofix log:

    ComboFix 08-12-03.04 - gccarole 2008-12-04 11:37:32.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -7:00]
    Running from: c:\documents and settings\gccarole\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\gccarole\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
    .

    2008-12-03 19:22 . 2008-12-03 19:22 173,456 --a------ C:\FixVundo.exe
    2008-12-03 11:52 . 2008-12-04 10:02 151 --a------ c:\windows\wininit.ini
    2008-12-02 20:38 . 2008-12-02 20:38 32,256 --a------ c:\documents and settings\gccarole\~.exe
    2008-12-02 20:15 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll
    2008-12-02 20:15 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll
    2008-12-02 20:15 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll
    2008-12-02 20:15 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll
    2008-12-02 20:15 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll
    2008-12-02 20:15 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll
    2008-12-02 20:15 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll
    2008-12-02 20:15 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll
    2008-12-02 19:51 . 2008-12-02 19:51 5,424 --a------ C:\ftp_error_check
    2008-12-02 19:51 . 2008-12-02 19:51 3,459 --a------ C:\ftp_simple
    2008-12-02 19:51 . 2008-12-02 19:51 1,498 --a------ C:\uap_ftptab
    2008-12-02 19:39 . 2008-12-02 19:39 867 --a------ C:\checkfilebudg.sh
    2008-12-02 19:39 . 2008-12-02 19:39 839 --a------ C:\checkfile.sh
    2008-12-02 08:43 . 2008-12-02 09:54 231,424 --a------ C:\OU_Parent.xls
    2008-11-25 15:00 . 2008-11-25 15:01 13,824 --a------ C:\Asset_Depr.xls
    2008-11-24 09:42 . 2008-11-24 09:42 186,880 --a------ C:\AGU_ACCOUNTS_TREE.xls
    2008-11-20 12:29 . 2008-11-20 12:29 30,208 --a------ C:\2815.xls
    2008-11-19 07:41 . 2008-11-19 07:41 3,705,812 --a------ C:\FileZilla_3.1.5.1_win32-setup.exe
    2008-11-17 12:59 . 2008-11-17 16:05 23,552 --a------ C:\Samples_Carole.xls
    2008-11-14 15:33 . 2008-11-25 12:17 24,576 --a------ C:\Tree_Updates.xls
    2008-11-13 10:10 . 2008-11-13 10:10 179,200 --a------ C:\OU_State.xls
    2008-11-13 09:10 . 2008-11-13 09:11 182,784 --a------ C:\OU_Tree_Missing.xls
    2008-11-12 15:57 . 2008-11-12 15:57 26,624 --a------ C:\OU_Help_Darren.xls
    2008-11-12 12:37 . 2008-11-12 12:37 26,112 --a------ C:\OU_Help.xls
    2008-11-11 16:32 . 2008-11-11 16:32 391,680 --a------ C:\Tree_Checks.xls
    2008-11-11 16:04 . 2008-11-12 16:35 65,024 --a------ C:\Missing_Ous.xls
    2008-11-11 15:39 . 2008-11-11 15:40 39,936 --a------ C:\Scopes for review.xls
    2008-11-11 14:02 . 2008-11-11 14:02 <DIR> d-------- c:\program files\MSECache
    2008-11-07 10:42 . 2008-11-10 13:19 18,944 --a------ C:\Period_Counts.xls
    2008-11-07 10:03 . 2008-11-17 10:13 228,864 --a------ C:\Scopes.xls
    2008-11-06 14:39 . 2008-11-06 16:33 750,592 --a------ C:\Revenue adjustments.xls
    2008-11-06 13:07 . 2008-11-06 13:07 235,008 --a------ C:\DIG_MACD.doc
    2008-11-06 09:00 . 2008-11-06 10:17 65,536 --a------ C:\Detailed_Ledger.doc
    2008-11-05 11:40 . 2008-11-06 10:18 25,600 --a------ C:\Ledger_Info.xls
    2008-11-04 08:27 . 2008-11-04 08:28 3,696,811 --a------ C:\FileZilla_3.1.5_win32-setup.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-04 16:35 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-12-03 23:52 --------- d-----w c:\program files\IP VPN Remote Services
    2008-12-03 19:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-03 02:56 --------- d-----w c:\documents and settings\gccarole\Application Data\FileZilla
    2008-11-19 14:43 --------- d-----w c:\program files\FileZilla FTP Client
    2008-10-20 14:37 3,688,730 ----a-w C:\FileZilla_3.1.4.1_win32-setup.exe
    2008-10-03 17:12 3,659,444 ----a-w C:\FileZilla_3.1.3.1_win32-setup.exe
    2008-09-09 16:51 3,648,871 ----a-w C:\FileZilla_3.1.2_win32-setup.exe
    2008-08-27 20:34 3,681,588 ----a-w c:\program files\WS_FTP Pro.zip
    2008-05-15 01:43 990,592 ----a-w c:\windows\inf\UIU\A2\HSF_DPV.sys
    2008-05-15 01:42 98,752 ----a-w c:\windows\inf\UIU\A29\aeaudio.sys
    2008-05-15 01:41 88,363 ----a-w c:\windows\inf\UIU\A18\AGRSMMSG.exe
    2008-05-15 01:41 64,512 -c--a-w c:\windows\inf\UIU\agrsmdel.exe
    2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A18\agrsmdel.exe
    2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A12\agrsmdel.exe
    2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A11\agrsmdel.exe
    2008-05-15 01:41 6,912 -c--a-w c:\windows\inf\UIU\atibtxbr.sys
    2008-05-15 01:41 58,240 -c--a-w c:\windows\inf\UIU\atibtcap.sys
    2008-05-15 01:41 1,268,204 ----a-w c:\windows\inf\UIU\A18\AGRSM.sys
    2007-06-04 22:28 995,328 -c--a-w c:\windows\inf\UIU\W20MLRES.dll
    2007-06-04 22:27 68,710 -c--a-w c:\windows\inf\UIU\A0100\RKSAMPLE.SYS
    2007-06-04 22:26 917,504 -c--a-w c:\windows\inf\UIU\A2000\CMIDS3D.DLL
    2007-06-04 22:25 98,304 -c--a-w c:\windows\inf\UIU\A0900\34dialog.dll
    2007-06-04 22:24 98,752 -c--a-w c:\windows\inf\UIU\A0401\AEAUDIO.sys
    2007-06-04 22:23 94,208 -c--a-w c:\windows\inf\UIU\A0102\igfxtray.exe
    2006-07-19 17:20 1,895,732 ----a-w c:\documents and settings\gccarole\TextPad 4.zip
    2006-05-27 14:41 57,344 ----a-w c:\documents and settings\gccarole\_EZPivotDeleteMe.exe
    2007-06-04 20:30 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
    2007-06-04 20:24 16,384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    2007-06-04 20:24 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-14 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-14 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-14 131072]
    "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 356429]
    "Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-04-23 165888]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
    "ADU"="c:\program files\Cisco Aironet\ADU.exe" [2005-05-11 299008]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-06-18 413696]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HDAShCut.exe]
    "TpShocks"="TpShocks.exe" [2005-08-22 c:\windows\system32\TpShocks.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 561213]
    Verizon IP VPN Remote Services.lnk - c:\program files\IP VPN Remote Services\vpngui.exe [2008-05-23 1528880]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=cqowgb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\TIREMOTE\\wuser32.exe"=
    "c:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\Drivers\atiide.sys [2008-05-14 3456]
    R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2008-05-23 59904]
    R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2008-05-23 4736]
    R2 AM.EventService;Access Manager Event Service;"c:\program files\Remote Services\AM.utEventServer.exe" [2007-07-10 28672]
    R2 AM.ScriptService;Access Manager Script Service;"c:\program files\Remote Services\AM.blScriptEngine.exe" [2007-07-10 28672]
    R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2008-05-20 757792]
    R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [2006-10-19 532480]
    R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [2008-05-23 311374]
    R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [2008-05-23 212480]
    R2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2007-06-12 205328]
    R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2007-06-12 36368]
    R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2008-05-20 23584]
    R3 smsmdd;smsmdd;c:\windows\system32\DRIVERS\smsmdm.sys [2008-04-08 12448]
    S3 AM.InstallService;Access Manager Install Service;"c:\program files\Remote Services\AM.InstallService.exe" [2007-07-10 81920]
    S3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;c:\windows\system32\DRIVERS\csco21.sys [2007-06-04 461728]
    S3 MCI Wireless Engine;MCI Wireless Engine;"c:\program files\Remote Services\WENGINE2\BWEngine.exe" [2007-02-01 823296]
    S3 MCI WMonitor;MCI WMonitor;"c:\program files\Remote Services\WENGINE2\WMonitor.exe" [2007-02-01 73728]
    S3 smstsmgr;SMS Task Sequence Agent;c:\windows\system32\CCM\TSManager.exe /service [2008-05-20 249888]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e3e7261-200b-11dc-a50d-fb48184993d1}]
    \Shell\AutoRun\command - D:\UIU.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d6feb01-b53e-11db-883c-8695eaf970df}]
    \Shell\AutoRun\command - D:\UIU.EXE
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{698e7de9-478c-46e3-82be-29654250e227} - c:\windows\system32\cqowgb.dll
    BHO-{770E858C-7662-4988-9E49-F3B89587B786} - c:\windows\system32\opnlICRK.dll
    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    Notify-mlJYpmJD - mlJYpmJD.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.uap.cag
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

    c:\windows\Downloaded Program Files\epcwebinstaller.dll - O16 -: {2739E75C-A4A1-438D-8914-190654B4E4EA}
    hxxp://dcdcogweb1/cognos8/contributor/controls/epcwebinstaller83.cab
    c:\windows\Downloaded Program Files\epcWebInstaller.inf

    O16 -: {8B20D871-F641-4891-8A5D-C813FFB017CB} - hxxp://dcdcogweb1/cognos8/contributor/controls/clientfull83.cab
    c:\windows\Downloaded Program Files\clientfull83.inf
    FireFox -: Profile - c:\documents and settings\gccarole\Application Data\Mozilla\Firefox\Profiles\smrwz563.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-04 11:38:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(952)
    c:\windows\system32\cscogina.dll
    c:\windows\system32\csccfg10.dll
    c:\windows\system32\csccfg10Res.dll
    c:\windows\system32\amgina.dll
    c:\windows\system32\netprovcredman.dll
    .
    Completion time: 2008-12-04 11:39:26
    ComboFix-quarantined-files.txt 2008-12-04 18:39:16

    Pre-Run: 75,223,871,488 bytes free
    Post-Run: 75,211,108,352 bytes free

    189 --- E O F --- 2008-08-14 20:01:44

  2. #2
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Uninstall log

    Here's the Hijack uninstall log.


    Access Manager
    Access Manager GINA
    Adobe Flash Player ActiveX
    Adobe Reader 7.0
    Apple Software Update
    Cisco Aironet Installation Program
    Citrix Web Client
    Cognos 8 for Microsoft Office
    Compatibility Pack for the 2007 Office system
    Eclipse Terminal Emulator
    FileZilla Client 3.1.5.1
    High Definition Audio Driver Package - KB835221
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Windows XP (KB915865)
    IBM ThinkPad Power Management Driver
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet/Wireless Software
    InterVideo WinDVD
    IP VPN RS Cisco
    Ipswitch WS_FTP Pro
    Ipswitch WS_FTP Pro (gccarole)
    Java 2 Runtime Environment, SE v1.4.2_07
    Java(TM) 6 Update 5
    Java(TM) 6 Update 6
    mCore
    mDriver
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft .NET Framework 3.0
    Microsoft DirectX SDK (June 2007)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2003 Primary Interop Assemblies
    Microsoft Office 2003 Resource Kit
    Microsoft Office Communicator 2005
    Microsoft Office Professional Edition 2003
    Microsoft Office Project Professional 2003
    Microsoft Office Visio Professional 2003
    mMHouse
    Mozilla Firefox (2.0)
    mPfMgr
    mProSafe
    MSXML 4.0 SP2 (KB936181)
    MSXML 6.0 Parser (KB933579)
    mWlsSafe
    Numara Track-It! 8 Agent
    Oracle JInitiator 1.3.1.9
    QuickTime
    RDC
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB958644)
    Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
    Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
    SnagIt 8
    Software Installer
    Sonic RecordNow!
    Sonic Update Manager
    SoundMAX
    Spybot - Search & Destroy
    ThinkPad Bluetooth with Enhanced Data Rate Software
    ThinkPad Modem
    ThinkPad UltraNav Driver
    ThinkVantage Active Protection System
    Track-It! 7.0 Technician Client
    Trend Micro OfficeScan Client
    Universal Imaging Utility
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB916846)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB923845)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB925876)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    VPN Client
    WebEx
    WIMGAPI
    Windows Communication Foundation
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Presentation Foundation
    Windows Workflow Foundation
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinZip
