
Thread: Virtumonde

  1. #1 - Junior Member (Join Date: Jan 2008, Posts: 19)

    Virtumonde

    'Allo, my computer-illiterate friend has managed to get himself a nice juicy Virtumonde trojan (I don't even want to know how...). Spybot claims to have killed it, yet upon a reboot and rescan it is back... so it's obviously hiding somewhere. Anyone able to help? And after someone descends to smite the virus, any chance of some information on how to help defend his computer (it really would have to be idiot-proof... he's an ad-clicker)?


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:18:08 PM, on 3/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    F3 - REG:win.ini: run=
    O2 - BHO: ShoppingAdsHelper - {2C86C605-6081-D104-96F7-F765C20B22F1} - C:\Program Files\ShoppingAdsHelper\ShoppingAdsHelper-1.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
    O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [A00F27257.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F27257.exe
    O4 - HKCU\..\Run: [A00F10F1C4.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F10F1C4.exe
    O4 - HKCU\..\Run: [A00F68D2A7.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F68D2A7.exe
    O4 - HKCU\..\Run: [A00FEEFF9.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00FEEFF9.exe
    O4 - HKCU\..\Run: [A00F51FCC5.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F51FCC5.exe
    O4 - HKCU\..\Run: [A00FFF851.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00FFF851.exe
    O4 - HKCU\..\Run: [A00F18601C.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F18601C.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
    O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
    O20 - Winlogon Notify: __c0063031 - C:\WINDOWS\system32\__c0063031.dat
    O20 - Winlogon Notify: __c00889E9 - C:\WINDOWS\system32\__c00889E9.dat (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 5262 bytes
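A small triage script, added here as an example (it is not part of the thread and not a HijackThis feature), that parses the O2/O4/O20 lines of the log above and flags the persistence patterns visible in it: autoruns from the user's Temp folder, rundll32 loading a DLL dropped straight into C:\WINDOWS, a populated AppInit_DLLs value, and Winlogon Notify packages backed by .dat or missing files. The heuristics are assumptions chosen for this example, not an authoritative rule set.

```python
import re

# Sample lines copied from the HijackThis log posted above (post #1); this is a
# constructed subset of that log, embedded so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: ShoppingAdsHelper - {2C86C605-6081-D104-96F7-F765C20B22F1} - C:\Program Files\ShoppingAdsHelper\ShoppingAdsHelper-1.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F27257.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F27257.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: __c0063031 - C:\WINDOWS\system32\__c0063031.dat
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# Every HijackThis entry starts with a section code (R0, F3, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# Heuristics (assumptions made for this example, not HijackThis rules):
# an autorun path inside the user's Temp folder, and rundll32 loading a DLL
# that sits directly under the Windows directory (system32 paths do not match).
TEMP_DIR_RE = re.compile(r"\\(local settings|locals~1)\\temp\\", re.I)
RUNDLL_WINDIR_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.I)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(section, body):
    """Return a short reason if the entry matches a persistence pattern worth review, else None."""
    low = body.lower()
    if section == "O4":
        if TEMP_DIR_RE.search(body):
            return "autorun launched from a user Temp directory"
        if RUNDLL_WINDIR_RE.search(body):
            return "rundll32 loading a DLL dropped directly under the Windows directory"
    elif section == "O20":
        if low.startswith("appinit_dlls:"):
            return "non-empty AppInit_DLLs: the DLL is loaded into every process that loads user32"
        if low.startswith("winlogon notify:") and (low.endswith(".dat") or "(file missing)" in low):
            return "Winlogon Notify package backed by a .dat or missing file"
    elif section == "O2":
        if "(file missing)" in low or "(no file)" in low:
            return "BHO registration whose DLL is gone (stale entry)"
    return None


def flag_entries(text):
    """Return [(section, body, reason)] for every entry that triage() flags, in log order."""
    flagged = []
    for section, body in parse_hjt(text):
        reason = triage(section, body)
        if reason:
            flagged.append((section, body, reason))
    return flagged


if __name__ == "__main__":
    for section, body, reason in flag_entries(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run against the full log the same heuristics also catch the other six Temp-folder autoruns and the second Winlogon Notify entry; legitimate entries such as the ctfmon.exe and Cmaudio autoruns are left alone.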

  2. #2 - peku006, Emeritus Security Expert (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hello and welcome to Malware Removal.

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Please continue to respond until I give you the "All Clear"


    If you follow these instructions, everything should go smoothly.

    There is no sign of an antivirus installed on your system. There are several reasons for it. Either you have disabled your antivirus or there's no antivirus installed.

    If you have disabled it, please re-enable it. If you have no antivirus installed, please get ONE antivirus and install it. Restart the computer for changes to take effect.

    avast! 4 Home Edition
    AntiVir Free Edition

    1 - Clean temp files

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:
      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Prefetch
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.

      If you use Firefox:
      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      If you use Opera:
      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


      Click Exit on the Main menu to close the program


    2 - Scan With ComboFix

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    How to Temporarily Disable Anti-virus

    Please include the C:\ComboFix.txt in your next reply for further review.

    3 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

    4 - Status Check
    Please reply with


    1. the ComboFix log (C:\ComboFix.txt)
    2. a fresh HijackThis log

    Thanks peku006
    I don't help with logs through PM. If you have problems, create a thread in the forum, please.

  3. #3 - Junior Member (Join Date: Jan 2008, Posts: 19)

    Okay, got the ComboFix log here... but avast activated itself after the reboot, so I don't know if it interfered with the results.

    And on a side note, I've never seen so many "a virus has been detected" notifications in my life. Possibly because my computer actually gets treated with an ounce of respect.

    I've noticed he's got both LimeWire and Vuze installed, so I'm going to get rid of them as well.

    ComboFix 09-03-10.03 - lee hill 2009-03-11 22:18:41.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.223.48 [GMT 0:00]
    Running from: c:\documents and settings\lee hill\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090205-1] *On-access scanning disabled* (Outdated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530C.manifest
    c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530O.manifest
    c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530P.manifest
    c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530S.manifest
    c:\windows\GnuHashes.ini
    c:\windows\system32\__c002BF04.dat
    c:\windows\system32\__c004517.dat
    c:\windows\system32\__c0051131.dat
    c:\windows\system32\__c005DE3A.dat
    c:\windows\system32\__c0063031.dat
    c:\windows\system32\__c0078A84.dat
    c:\windows\system32\__c007EB2.dat
    c:\windows\system32\__c00A5190.dat
    c:\windows\system32\__c00B93BF.dat
    c:\windows\system32\__c00EA361.dat
    c:\windows\system32\__c00FF684.dat
    c:\windows\system32\GroupPolicy000.dat
    c:\windows\system32\pthreadGC2.dll
    C:\xcrashdump.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
    .

    2009-03-11 22:28 . 2009-03-11 22:28 0 --a------ c:\windows\system32\2.tmp
    2009-03-11 21:31 . 2009-03-11 21:31 <DIR> d-------- c:\program files\Alwil Software
    2009-03-11 21:31 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
    2009-03-11 21:17 . 2009-03-11 22:28 <DIR> d--hs---- c:\windows\system32\NetworkService32
    2009-03-10 19:16 . 2009-03-10 19:16 <DIR> d-------- c:\program files\Trend Micro
    2009-03-08 09:54 . 2009-03-08 09:54 374,272 --ahs---- c:\windows\system32\35.tmp
    2009-03-07 13:54 . 2009-03-07 13:54 374,272 --ahs---- c:\windows\system32\33.tmp
    2009-03-06 17:54 . 2009-03-06 17:54 374,272 --ahs---- c:\windows\system32\22.tmp
    2009-03-01 12:45 . 2009-03-01 12:45 135,680 --a------ c:\windows\umezudan.dll
    2009-03-01 12:33 . 2009-03-01 12:33 43,520 --a------ c:\windows\Pzolukog.dll
    2009-02-28 19:48 . 2009-02-28 19:48 374,272 --ahs---- c:\windows\system32\10.tmp
    2009-02-28 19:47 . 2009-02-28 19:47 135,168 --a------ c:\windows\system32\ifxcardm32.dll
    2009-02-28 18:28 . 2008-01-01 08:00 499,712 --a------ c:\windows\system32\msvcp71.dll
    2009-02-28 18:28 . 2008-01-01 08:00 348,160 --a------ c:\windows\system32\msvcr71.dll
    2009-02-28 18:28 . 2008-01-02 03:12 7,680 --a------ c:\windows\system32\ff_vfw.dll
    2009-02-28 18:28 . 2008-01-02 03:12 6,144 --a------ c:\windows\system32\ff_acm.acm
    2009-02-28 18:28 . 2008-01-01 08:00 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-02-28 18:18 . 2009-02-28 18:29 <DIR> d-------- c:\program files\ffdshow
    2009-02-27 22:15 . 2009-02-27 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Messenger Plus!
    2009-02-27 22:13 . 2009-02-27 22:13 <DIR> d-------- c:\program files\Messenger Plus! Live
    2009-02-27 22:04 . 2009-02-07 02:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
    2009-02-25 06:49 . 2008-06-17 19:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
    2009-02-22 20:15 . 2009-02-22 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
    2009-02-22 20:14 . 2009-03-09 11:30 <DIR> d-------- c:\documents and settings\lee hill\Application Data\Azureus
    2009-02-22 20:11 . 2009-02-28 09:00 <DIR> d-------- c:\program files\Vuze
    2009-02-22 19:54 . 2009-02-22 19:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-22 19:54 . 2009-02-22 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-22 19:34 . 2009-03-04 00:23 <DIR> d-------- c:\documents and settings\lee hill\Application Data\LimeWire
    2009-02-22 19:33 . 2009-02-22 19:34 <DIR> d-------- c:\program files\LimeWire
    2009-02-20 10:49 . 2008-05-09 10:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
    2009-02-20 10:49 . 2008-05-09 10:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
    2009-02-20 10:49 . 2008-05-09 10:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
    2009-02-20 10:49 . 2008-05-09 10:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
    2009-02-20 10:49 . 2008-05-08 11:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
    2009-02-20 10:49 . 2008-05-09 08:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
    2009-02-20 10:49 . 2008-05-09 10:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
    2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\system32\scripting
    2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\system32\bits
    2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\l2schemas
    2009-02-19 21:09 . 2009-02-19 21:23 <DIR> d-------- c:\windows\ServicePackFiles
    2009-02-18 19:08 . 2009-02-26 16:22 <DIR> d-------- c:\program files\Microsoft Silverlight
    2009-02-15 08:56 . 2008-04-14 00:12 276,992 --------- c:\windows\system32\wmphoto.dll
    2009-02-15 08:54 . 2008-04-14 00:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
    2009-02-15 08:53 . 2008-04-14 00:10 102,912 -----c--- c:\windows\system32\dllcache\dpcdll.dll
    2009-02-15 08:53 . 2008-04-14 00:11 86,016 --------- c:\windows\system32\mdmxsdk.dll
    2009-02-15 08:53 . 2008-04-14 00:11 61,440 --------- c:\windows\system32\kmsvc.dll
    2009-02-15 08:53 . 2008-04-13 18:45 46,592 --------- c:\windows\system32\drivers\irbus.sys
    2009-02-15 08:53 . 2008-04-14 00:11 37,376 --------- c:\windows\system32\l2gpstore.dll
    2009-02-15 08:53 . 2008-04-14 00:09 24,064 -----c--- c:\windows\system32\dllcache\pidgen.dll
    2009-02-15 08:53 . 2004-08-04 06:41 11,868 --------- c:\windows\system32\drivers\mdmxsdk.sys
    2009-02-15 08:53 . 2008-04-14 00:12 10,752 --------- c:\windows\system32\smtpapi.dll
    2009-02-15 08:53 . 2008-04-14 00:12 9,728 --------- c:\windows\system32\rwnh.dll
    2009-02-15 08:53 . 2008-04-13 18:43 9,728 --------- c:\windows\system32\comsdupd.exe
    2009-02-15 08:53 . 2007-06-21 05:52 974 --------- c:\windows\system32\pid.inf
    2009-02-15 08:51 . 2008-04-13 18:36 44,928 --------- c:\windows\system32\drivers\agpcpq.sys
    2009-02-15 08:51 . 2008-04-13 18:36 43,008 --------- c:\windows\system32\drivers\amdagp.sys
    2009-02-15 08:51 . 2008-04-13 18:36 42,752 --------- c:\windows\system32\drivers\alim1541.sys
    2009-02-15 08:51 . 2008-04-13 18:36 42,368 --------- c:\windows\system32\drivers\agp440.sys
    2009-02-15 08:51 . 2008-04-14 00:11 4,255 --------- c:\windows\system32\drivers\adv01nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,967 --------- c:\windows\system32\drivers\adv02nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,775 --------- c:\windows\system32\drivers\adv11nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,711 --------- c:\windows\system32\drivers\adv09nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,647 --------- c:\windows\system32\drivers\adv07nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,615 --------- c:\windows\system32\drivers\adv05nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,135 --------- c:\windows\system32\drivers\adv08nt5.dll
    2009-02-14 13:47 . 2009-03-11 22:29 <DIR> d-------- c:\documents and settings\lee hill\Tracing
    2009-02-14 13:39 . 2009-02-14 13:39 <DIR> d-------- c:\program files\Microsoft
    2009-02-14 13:36 . 2009-02-14 13:36 <DIR> d-------- c:\program files\Windows Live SkyDrive
    2009-02-14 13:26 . 2009-02-14 13:26 <DIR> d-------- c:\program files\Common Files\Windows Live
    2009-02-11 22:25 . 2004-08-03 23:56 221,184 --a------ c:\windows\system32\wmpns.dll
    2009-02-11 22:22 . 2009-02-11 22:22 <DIR> d-------- c:\windows\system32\LogFiles
    2009-02-11 22:22 . 2009-02-11 22:23 <DIR> d-------- c:\windows\system32\drivers\UMDF
    2009-02-11 04:47 . 2009-02-11 04:47 552 --a------ c:\windows\system32\d3d8caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-27 22:04 --------- d-----w c:\program files\Windows Live
    2009-02-11 22:25 --------- d-----w c:\program files\Windows Media Connect 2
    2009-02-05 15:55 --------- d-----w c:\program files\Microsoft Games
    2009-02-04 23:13 --------- d-----w c:\program files\Common Files\InstallShield
    2009-01-25 00:03 --------- d-----w c:\program files\DivX
    2009-01-16 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\Alawar Stargaze
    2009-01-16 03:47 --------- d-----w c:\program files\ReflexiveArcade
    .

    ------- Sigcheck -------

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
    "Qbemirozili"="c:\windows\Pzolukog.dll" [2009-03-01 43520]
    "Rcarosita"="c:\windows\umezudan.dll" [2009-03-01 135680]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "C-Media Mixer"="Mixer.exe" [2002-10-16 c:\windows\mixer.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30e0e646530]
    2009-02-28 19:47 135168 c:\windows\system32\ifxcardm32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\ifxcardm32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.avis"= ff_acm.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-11 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-11 20560]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-27 55152]
    S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2009-02-02 31872]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - CryptSvc
    *Deregistered* - DcomLaunch
    *Deregistered* - Dhcp
    *Deregistered* - dmserver
    *Deregistered* - Dnscache
    *Deregistered* - ERSvc
    *Deregistered* - EventSystem
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - helpsvc
    *Deregistered* - HTTPFilter
    *Deregistered* - ImapiService
    *Deregistered* - JavaQuickStarterService
    *Deregistered* - lanmanserver
    *Deregistered* - lanmanworkstation
    *Deregistered* - LmHosts
    *Deregistered* - Netman
    *Deregistered* - Nla
    *Deregistered* - NWCWorkstation
    *Deregistered* - PolicyAgent
    *Deregistered* - ProtectedStorage
    *Deregistered* - RasMan
    *Deregistered* - RemoteRegistry
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - SLService
    *Deregistered* - Spooler
    *Deregistered* - srservice
    *Deregistered* - SSDPSRV
    *Deregistered* - stisvc
    *Deregistered* - TapiSrv
    *Deregistered* - TermService
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - W32Time
    *Deregistered* - WebClient
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - wuauserv
    *Deregistered* - WZCSVC
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
    HKLM-Run-Cmaudio - cmicnfg.cpl
    Notify-__c0063031 - c:\windows\system32\__c0063031.dat
    Notify-__c00889E9 - c:\windows\system32\__c00889E9.dat


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-11 22:30:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(836)
    c:\windows\System32\ifxcardm32.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\WgaTray.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-11 22:40:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-11 22:39:55

    Pre-Run: 47,534,796,800 bytes free
    Post-Run: 47,475,150,848 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    322

  4. #4
    Junior Member
    Join Date
    Jan 2008
    Posts
    19

    Default

    And here's the HijackThis report.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:27:53 PM, on 3/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
    O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
    O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
    O20 - Winlogon Notify: __c003C3B1 - C:\WINDOWS\system32\__c003C3B1.dat
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 5073 bytes

  5. #5
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi s-t-n

    1 - Remove bad HijackThis entries
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
        O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
        O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
        O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
        O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
        O20 - Winlogon Notify: __c003C3B1 - C:\WINDOWS\system32\__c003C3B1.dat

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    2 - Run CFScript

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\2.tmp
    c:\windows\system32\35.tmp
    c:\windows\system32\33.tmp
    c:\windows\system32\22.tmp
    c:\windows\umezudan.dll
    c:\windows\Pzolukog.dll
    c:\windows\system32\10.tmp
    C:\WINDOWS\System32\ifxcardm32.dll

    DirLook::
    c:\windows\system32\NetworkService32

    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    3 - Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2

    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.

    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    On the Scanner tab:
    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found here:

      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    4 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

    5 - Status Check
    Please reply with


    1. the ComboFix log(C:\ComboFix.txt)
    2. the Malwarebytes' Anti-Malware Log
    3. a fresh HijackThis log
    4. a description of any problems you are having with your PC

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
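As an added example (not part of this thread, and not code from HijackThis or ComboFix), a small Python triage script that applies the same reading of the log as the steps above: it flags the orphaned BHO, the rundll32 autostarts loading DLLs dropped straight into C:\WINDOWS, the AppInit_DLLs value and the oddly named Winlogon Notify handlers, and renders the matching File:: section in the CFScript format used in step 2. The sample lines are copied from the HijackThis log above; the matching heuristics (random-name ratio, Windows-directory check) are my assumptions, not rules from either tool.

```python
"""Triage of HijackThis log lines for the patterns picked out in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: __c003C3B1 - C:\WINDOWS\system32\__c003C3B1.dat
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    line: str
    reason: str
    path: Optional[str]  # file path to hand to a cleanup script, if any


# Heuristic patterns (assumptions for this example, not HijackThis's own logic).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^",]+)"?', re.IGNORECASE)
WINDIR_DLL_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$', re.IGNORECASE)
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (.+)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.+)$')


def looks_random(name: str) -> bool:
    """Treat a Winlogon Notify subkey as random-looking if it starts with '__'
    or is at least 40% digits; legitimate packages (crypt32chain, ScCertProp,
    WgaLogon, ...) are mostly letters."""
    if name.startswith('__'):
        return True
    digits = sum(c.isdigit() for c in name)
    return bool(name) and digits / len(name) >= 0.4


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect the entries a helper would ask to fix."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('O2 - BHO:') and line.endswith('(no file)'):
            findings.append(Finding(line, 'orphaned BHO: CLSID registered, no file on disk', None))
            continue
        if line.startswith('O4 - '):
            m = RUNDLL_RE.search(line)
            if m and WINDIR_DLL_RE.match(m.group(1)):
                findings.append(Finding(
                    line, 'rundll32 autostart loading a DLL dropped directly into the Windows directory',
                    m.group(1)))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding(
                line, 'AppInit_DLLs set: the DLL is loaded into every process that loads user32.dll',
                m.group(1).strip()))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            subkey, target = m.group(1), m.group(2).strip()
            if looks_random(subkey) or not target.lower().endswith('.dll'):
                findings.append(Finding(
                    line, f'Winlogon Notify handler "{subkey}" with random-looking name or non-DLL target',
                    target))
    return findings


def cfscript_files(findings: List[Finding]) -> str:
    """Render the File:: section of a CFScript (the format used in step 2)
    from the unique file paths of the findings, first occurrence wins."""
    paths: List[str] = []
    for f in findings:
        if f.path and f.path.lower() not in {p.lower() for p in paths}:
            paths.append(f.path)
    return 'File::\n' + '\n'.join(paths) + '\n'


if __name__ == '__main__':
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f'FLAG  {f.line}\n      reason: {f.reason}')
    print(cfscript_files(results))
```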

  6. #6
    Junior Member
    Join Date
    Jan 2008
    Posts
    19

    Default

    Right, had some problems booting the computer, and after 3 attempts I booted in safe mode to fix the HijackThis entries. After this, I was able to boot normally, so it was obviously the infection complaining that it was getting killed. Everything else worked without a hitch, although I temporarily uninstalled Avast for the ComboFix (it's back on now).

    ComboFix 09-03-10.03 - lee hill 2009-03-12 21:27:59.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.223.61 [GMT 0:00]
    Running from: c:\documents and settings\lee hill\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\lee hill\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\Pzolukog.dll
    c:\windows\system32\10.tmp
    c:\windows\system32\2.tmp
    c:\windows\system32\22.tmp
    c:\windows\system32\33.tmp
    c:\windows\system32\35.tmp
    c:\windows\System32\ifxcardm32.dll
    c:\windows\umezudan.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530C.manifest
    c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530O.manifest
    c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530P.manifest
    c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530S.manifest
    c:\windows\GnuHashes.ini
    c:\windows\Pzolukog.dll
    c:\windows\system32\__c003C3B1.dat
    c:\windows\system32\10.tmp
    c:\windows\system32\2.tmp
    c:\windows\system32\22.tmp
    c:\windows\system32\33.tmp
    c:\windows\system32\35.tmp
    c:\windows\system32\5.tmp
    c:\windows\system32\GroupPolicy000.dat
    c:\windows\System32\ifxcardm32.dll
    c:\windows\umezudan.dll
    C:\xcrashdump.dat
    E:\autorun.inf
    F:\autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
    .

    2009-03-12 21:25 . 2009-03-12 21:26 <DIR> d-------- C:\32788R22FWJFW
    2009-03-11 21:31 . 2009-03-11 21:31 <DIR> d-------- c:\program files\Alwil Software
    2009-03-11 21:31 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
    2009-03-11 21:17 . 2009-03-11 22:43 <DIR> d--hs---- c:\windows\system32\NetworkService32
    2009-03-11 12:31 . 2008-12-05 06:54 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll
    2009-03-10 19:16 . 2009-03-10 19:16 <DIR> d-------- c:\program files\Trend Micro
    2009-02-28 18:28 . 2008-01-01 08:00 499,712 --a------ c:\windows\system32\msvcp71.dll
    2009-02-28 18:28 . 2008-01-01 08:00 348,160 --a------ c:\windows\system32\msvcr71.dll
    2009-02-28 18:28 . 2008-01-02 03:12 7,680 --a------ c:\windows\system32\ff_vfw.dll
    2009-02-28 18:28 . 2008-01-02 03:12 6,144 --a------ c:\windows\system32\ff_acm.acm
    2009-02-28 18:28 . 2008-01-01 08:00 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-02-28 18:18 . 2009-02-28 18:29 <DIR> d-------- c:\program files\ffdshow
    2009-02-27 22:15 . 2009-02-27 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Messenger Plus!
    2009-02-27 22:13 . 2009-02-27 22:13 <DIR> d-------- c:\program files\Messenger Plus! Live
    2009-02-27 22:04 . 2009-02-07 02:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
    2009-02-25 06:49 . 2008-06-17 19:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
    2009-02-22 20:15 . 2009-02-22 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
    2009-02-22 20:14 . 2009-03-09 11:30 <DIR> d-------- c:\documents and settings\lee hill\Application Data\Azureus
    2009-02-22 20:11 . 2009-03-12 03:09 <DIR> d-------- c:\program files\Vuze
    2009-02-22 19:54 . 2009-02-22 19:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-22 19:54 . 2009-02-22 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-22 19:34 . 2009-03-04 00:23 <DIR> d-------- c:\documents and settings\lee hill\Application Data\LimeWire
    2009-02-20 10:49 . 2008-05-09 10:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
    2009-02-20 10:49 . 2008-05-09 10:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
    2009-02-20 10:49 . 2008-05-09 10:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
    2009-02-20 10:49 . 2008-05-09 10:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
    2009-02-20 10:49 . 2008-05-08 11:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
    2009-02-20 10:49 . 2008-05-09 08:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
    2009-02-20 10:49 . 2008-05-09 10:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
    2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\system32\scripting
    2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\system32\bits
    2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\l2schemas
    2009-02-19 21:09 . 2009-02-19 21:23 <DIR> d-------- c:\windows\ServicePackFiles
    2009-02-18 19:08 . 2009-02-26 16:22 <DIR> d-------- c:\program files\Microsoft Silverlight
    2009-02-15 08:56 . 2008-04-14 00:12 276,992 --------- c:\windows\system32\wmphoto.dll
    2009-02-15 08:54 . 2008-04-14 00:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
    2009-02-15 08:53 . 2008-04-14 00:10 102,912 -----c--- c:\windows\system32\dllcache\dpcdll.dll
    2009-02-15 08:53 . 2008-04-14 00:11 86,016 --------- c:\windows\system32\mdmxsdk.dll
    2009-02-15 08:53 . 2008-04-14 00:11 61,440 --------- c:\windows\system32\kmsvc.dll
    2009-02-15 08:53 . 2008-04-13 18:45 46,592 --------- c:\windows\system32\drivers\irbus.sys
    2009-02-15 08:53 . 2008-04-14 00:11 37,376 --------- c:\windows\system32\l2gpstore.dll
    2009-02-15 08:53 . 2008-04-14 00:09 24,064 -----c--- c:\windows\system32\dllcache\pidgen.dll
    2009-02-15 08:53 . 2004-08-04 06:41 11,868 --------- c:\windows\system32\drivers\mdmxsdk.sys
    2009-02-15 08:53 . 2008-04-14 00:12 10,752 --------- c:\windows\system32\smtpapi.dll
    2009-02-15 08:53 . 2008-04-14 00:12 9,728 --------- c:\windows\system32\rwnh.dll
    2009-02-15 08:53 . 2008-04-13 18:43 9,728 --------- c:\windows\system32\comsdupd.exe
    2009-02-15 08:53 . 2007-06-21 05:52 974 --------- c:\windows\system32\pid.inf
    2009-02-15 08:51 . 2008-04-13 18:36 44,928 --------- c:\windows\system32\drivers\agpcpq.sys
    2009-02-15 08:51 . 2008-04-13 18:36 43,008 --------- c:\windows\system32\drivers\amdagp.sys
    2009-02-15 08:51 . 2008-04-13 18:36 42,752 --------- c:\windows\system32\drivers\alim1541.sys
    2009-02-15 08:51 . 2008-04-13 18:36 42,368 --------- c:\windows\system32\drivers\agp440.sys
    2009-02-15 08:51 . 2008-04-14 00:11 4,255 --------- c:\windows\system32\drivers\adv01nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,967 --------- c:\windows\system32\drivers\adv02nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,775 --------- c:\windows\system32\drivers\adv11nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,711 --------- c:\windows\system32\drivers\adv09nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,647 --------- c:\windows\system32\drivers\adv07nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,615 --------- c:\windows\system32\drivers\adv05nt5.dll
    2009-02-15 08:51 . 2008-04-14 00:11 3,135 --------- c:\windows\system32\drivers\adv08nt5.dll
    2009-02-14 13:47 . 2009-03-12 21:24 <DIR> d-------- c:\documents and settings\lee hill\Tracing
    2009-02-14 13:39 . 2009-02-14 13:39 <DIR> d-------- c:\program files\Microsoft
    2009-02-14 13:36 . 2009-02-14 13:36 <DIR> d-------- c:\program files\Windows Live SkyDrive
    2009-02-14 13:26 . 2009-02-14 13:26 <DIR> d-------- c:\program files\Common Files\Windows Live

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-27 22:04 --------- d-----w c:\program files\Windows Live
    2009-02-11 22:25 --------- d-----w c:\program files\Windows Media Connect 2
    2009-02-05 15:55 --------- d-----w c:\program files\Microsoft Games
    2009-02-04 23:13 --------- d-----w c:\program files\Common Files\InstallShield
    2009-01-25 00:03 --------- d-----w c:\program files\DivX
    2009-01-16 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\Alawar Stargaze
    2009-01-16 03:47 --------- d-----w c:\program files\ReflexiveArcade
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of c:\windows\system32\NetworkService32 ----

    2009-03-11 22:28 0 --a------ c:\windows\system32\NetworkService32\3.tmp
    2009-03-11 21:23 93 --a------ c:\windows\system32\NetworkService32\58.music.wav.kwd
    2009-03-11 21:13 873657 --a------ c:\windows\system32\NetworkService32\62.setup.zip
    2009-03-11 21:13 862793 --a------ c:\windows\system32\NetworkService32\61.serial.zip
    2009-03-11 21:13 860396 --a------ c:\windows\system32\NetworkService32\60.keygen.zip
    2009-03-11 21:12 927861 --a------ c:\windows\system32\NetworkService32\59.crack.zip
    2009-03-11 20:24 5088466 --a------ c:\windows\system32\NetworkService32\58.music.wav
    2009-03-11 20:23 4088466 --a------ c:\windows\system32\NetworkService32\57.music.snd
    2009-03-11 20:20 3905427 --a------ c:\windows\system32\NetworkService32\56.music.mp3
    2009-03-11 20:13 659608 --a------ c:\windows\system32\NetworkService32\63.unpack.zip
    2009-03-05 20:21 76 --a------ c:\windows\system32\NetworkService32\56.music.mp3.kwd
    2009-03-05 20:19 102 --a------ c:\windows\system32\NetworkService32\57.music.snd.kwd
    2009-02-02 17:43 269 --a------ c:\windows\system32\NetworkService32\62.setup.zip.kwd
    2009-02-02 17:41 272 --a------ c:\windows\system32\NetworkService32\61.serial.zip.kwd
    2009-02-02 17:40 270 --a------ c:\windows\system32\NetworkService32\60.keygen.zip.kwd
    2009-02-02 17:39 204 --a------ c:\windows\system32\NetworkService32\59.crack.zip.kwd
    2008-11-22 20:32 6 --a------ c:\windows\system32\NetworkService32\63.unpack.zip.kwd


    ------- Sigcheck -------

    .
    ((((((((((((((((((((((((((((( SnapShot@2009-03-11_22.35.04.76 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
    + 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
    - 2007-06-12 07:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
    + 2008-11-11 18:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
    - 2009-02-19 23:09:57 98,256 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2009-03-12 03:09:25 98,256 ----a-w c:\windows\system32\FNTCACHE.DAT
    - 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
    + 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
    - 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    - 2007-08-11 04:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe
    + 2007-07-27 09:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
    - 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys
    + 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys
    - 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
    + 2008-11-11 18:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
    + 2009-03-12 21:33:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2d4.dat
    + 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
    "C-Media Mixer"="Mixer.exe" [2002-10-16 c:\windows\mixer.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.avis"= ff_acm.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-27 55152]
    S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-07 533360]
    S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2009-02-02 31872]
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-30e0e646530 - c:\windows\System32\ifxcardm32.dll
    Notify-__c003C3B1 - c:\windows\system32\__c003C3B1.dat


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-12 21:38:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\WgaTray.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-12 21:45:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-12 21:45:12
    ComboFix2.txt 2009-03-11 22:40:10

    Pre-Run: 47,530,020,864 bytes free
    Post-Run: 47,519,789,056 bytes free

    290 --- E O F --- 2009-03-12 03:02:39

  7. #7
    Junior Member
    Join Date
    Jan 2008
    Posts
    19

    Default

    The Bytes log

    Malwarebytes' Anti-Malware 1.34
    Database version: 1841
    Windows 5.1.2600 Service Pack 3

    3/12/2009 11:25:45 PM
    mbam-log-2009-03-12 (23-25-45).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 99029
    Time elapsed: 50 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\shoppingadshelper.browserwatcher (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingadshelper.browserwatcher.1 (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingadshelper.pornpro_bho (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingadshelper.pornpro_bho.1 (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingadshelper.precachebrowserhost (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingadshelper.precachebrowserhost.1 (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{af56fd81-28a2-0159-4922-1211155898a9} (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{913e9215-eb81-7e43-76e6-fc26e50e264c} (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\ShoppingAdsHelper (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\10.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\22.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\33.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\35.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\5.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ifxcardm32.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9A6248DF-E653-46A2-BC43-AAC820D0826E}\RP105\A0053040.exe (Rogue.PlayMp3s) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9A6248DF-E653-46A2-BC43-AAC820D0826E}\RP117\A0068679.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9A6248DF-E653-46A2-BC43-AAC820D0826E}\RP119\A0070960.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9A6248DF-E653-46A2-BC43-AAC820D0826E}\RP54\A0021282.dll (Adware.Shopper) -> Quarantined and deleted successfully.

  8. #8
    Junior Member
    Join Date
    Jan 2008
    Posts
    19

    Default

    Finally, the fresh HT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:33:58 PM, on 3/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 3769 bytes

  9. #9
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi s-t-n

    1 - Clean temp files

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:
      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Prefetch
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.

      If you use Firefox:
      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      If you use Opera:
      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


      Click Exit on the Main menu to close the program.


    2 - Kaspersky Online Scan

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.


    3 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

    4 - Status Check
    Please reply with

    1. the Kaspersky online scanner report
    2. a fresh HijackThis log
    How's the computer running now? Any problems?

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
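
As an added example that is not part of this thread (example code, not HijackThis or any poster's own): the O2/O4/O23 persistence entries of two HijackThis logs parsed into a set and diffed, which is the comparison a helper makes when asking for a fresh log after a cleanup. The sample log lines are constructed in the line format shown above; the [ExamplePlaceholder] entry is a made-up placeholder, not a real indicator.

```python
import re

# Constructed sample in the HijackThis 2.0.2 line format used in this thread.
# [ExamplePlaceholder] is a made-up entry (not a real indicator) standing in for
# an autostart item that the cleanup removed between the two scans.
OLD_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ExamplePlaceholder] C:\WINDOWS\system32\example_placeholder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""
NEW_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# One pattern per HijackThis section of interest: O2 = browser helper objects,
# O4 = registry Run/RunOnce autostarts, O23 = installed services.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.*)$")

def parse_hjt(text):
    """Return the persistence entries of a HijackThis log as (section, identity, target) tuples."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.add(("O2", m["clsid"].lower(), m["path"]))
        elif m := O4_RE.match(line):
            entries.add(("O4", f"{m['hive']}\\{m['key']}\\{m['name']}", m["cmd"]))
        elif m := O23_RE.match(line):
            entries.add(("O23", m["name"], m["path"]))
    return entries

def diff_autostarts(old_text, new_text):
    """Compare two logs; returns (entries new since old, entries that disappeared)."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    added, removed = diff_autostarts(OLD_LOG, NEW_LOG)
    for tag, rows in (("+", added), ("-", removed)):
        for section, ident, target in rows:
            print(tag, section, ident, "->", target)
```

Any entry that reappears in the "added" list after a reboot is the kind of item the original poster described, something re-creating itself rather than a stale log line.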

  10. #10
    Junior Member
    Join Date
    Jan 2008
    Posts
    19

    Default

    Sorry this is taking so long, Peku; I haven't just run off without replying. I'm having some internet troubles on the other computer's network. I did manage to get Kaspersky to scan before it crashed, but I had no memory stick to transfer the log at that time. I'll reply again when I have the log. But I did see that Kaspersky found 7 infections. Most of those were quarantined items from Avast, or viruses in the System Restore, but there was one still roaming free: a Win32 virus/worm.
