Page 1 of 4 1234 LastLast
Results 1 to 10 of 35

Thread: Picked up a virus, can't run Spybot

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Posts
    19

    Default Picked up a virus, can't run Spybot

    My netbook started acting weird. lot's of browser redirects and something called "AV Care" plopped itself on my desktop and started squawking about viruses.

    I started Spybot but it stopped scanning and closed itself in mid-scan. It has not restarted since. I used Panda's on-line scan which said that I'm infected with Alureon.BB but that Panda cannot disinfect it. HELP!

    Thanks in advance,

    Greg


    Hijackthis log follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:11:51 PM, on 8/9/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\msb.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\DOCUME~1\Greg\LOCALS~1\Temp\b.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eeepc.asus.com/global
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Greg\LOCALS~1\Temp\b.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: rncsys32.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1230231671609
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1230231648859
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    --
    End of file - 5298 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi copierguy.mobile

    Is this a personal computer?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Aug 2009
    Posts
    19

    Default

    Quote Originally Posted by Shaba View Post
    Hi copierguy.mobile

    Is this a personal computer?
    Hi Shaba,

    Yes, it's my personal netbook, it's an Asus.

    -Greg

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    So if it is, how would you explain these?

    They all indicate the fact that this is a work computer.

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date
    Aug 2009
    Posts
    19

    Default

    Quote Originally Posted by Shaba View Post
    So if it is, how would you explain these?

    They all indicate the fact that this is a work computer.

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    Hi Shaba,

    I'm not sure why I have to explain what's running on my PC but here goes.

    I do work for Toshiba... and I have a company issued Toshiba Tecra (Toshiba's IT department does not issue Asus netbooks running XP home).

    When I travel, I do sometimes use my netbook to check my work email, which is on Lotus Notes [gag], so I have a VPN client installed so that I can read my email.

    Had I thought I needed to hide that, I certainly could have... I installed it.

    Please be assured that this is my personal netbook. If I were having trouble like this with a company PC... I would have called our help desk instead of coming here.

    -Greg

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    "I'm not sure why I have to explain what's running on my PC but here goes."

    Simple reason is our rules. Forum volunteers don't offer any help for corporate computers so that's why I needed to ask.

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix


    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Please include the C:\ComboFix.txt in your next reply for further review along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Aug 2009
    Posts
    19

    Default

    Hi again,

    Thanks for helping me.

    I downloaded ERUNT, backed up my registry. Downloaded ComboFix and followed the instructions (closed all apps, checked for running anti-virus programs) but when I run ComboFix, nothing happens. I can see the process is started in task manager but after a few minutes, it goes away completely.

    -Greg

    Fresh Hijackthis log follows:

    Logfile of Trend Micro HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:22:16 AM, on 8/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\DOCUME~1\Greg\LOCALS~1\Temp\b.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\msb.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Greg\Desktop\ComboFix.exe
    C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eeepc.asus.com/global
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Greg\LOCALS~1\Temp\b.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: rncsys32.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1230231671609
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1230231648859
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C38A5413-F50B-4F03-BB3E-825B2A29DC47}: NameServer = 66.174.95.44 69.78.96.14
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    --
    End of file - 5328 bytes

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Please rename combofix.exe and let me know if it works now.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Aug 2009
    Posts
    19

    Default

    Now were cooking!!!

    Combofix ran after renaming it.

    -Greg

    Combofix log follows:

    ComboFix 09-08-10.06 - Greg 08/12/2009 13:04.1.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1681 [GMT -4:00]
    Running from: c:\documents and settings\Greg\Desktop\cf.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\ALLUSE~1\APPLIC~1\13715154
    c:\docume~1\ALLUSE~1\APPLIC~1\13715154\13715154
    c:\docume~1\ALLUSE~1\APPLIC~1\13715154\13715154.exe
    c:\documents and settings\Greg\Application Data\wiaserva.log
    c:\documents and settings\Greg\Start Menu\Programs\Startup\rncsys32.exe
    c:\recycler\S-1-5-21-2297251999-738724385-1645878046-1003
    c:\recycler\S-1-5-21-504221711-2657588388-2843214241-1003
    c:\recycler\S-1-5-21-861567501-1202660629-1935655697-1003
    c:\windows\msa.exe
    c:\windows\run.log
    c:\windows\system32\drivers\SKYNETxoqgriwq.sys
    c:\windows\system32\drivers\UACfqxdpbdvym.sys
    c:\windows\system32\msxml71.dll
    c:\windows\system32\net.net
    c:\windows\system32\SKYNETatnnbscy.dat
    c:\windows\system32\SKYNETbfxiegbr.dat
    c:\windows\system32\SKYNETqhwlxelh.dll
    c:\windows\system32\SKYNETvmupjuyt.dll
    c:\windows\system32\uacinit.dll
    c:\windows\system32\UACjgwnshhssq.dll
    c:\windows\system32\UACkgxwjkvvwr.dll
    c:\windows\system32\UACoboxhllilr.dll
    c:\windows\system32\UACpieeetjpdt.dat
    c:\windows\system32\UACtdylkwoofj.dll
    c:\windows\system32\UACwwsppridmo.dll
    c:\windows\system32\UACxwftydaerh.db


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SKYNETdbawqpux
    -------\Legacy_SKYNETdbawqpux
    -------\Service_UACd.sys
    -------\Legacy_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
    .

    2009-08-12 13:44 . 2009-08-12 13:45 -------- d-----w- c:\program files\ERUNT
    2009-08-10 03:07 . 2009-08-10 03:07 -------- d-----w- c:\program files\Trend Micro
    2009-08-10 02:18 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-08-10 02:03 . 2009-08-10 02:01 144896 ----a-w- c:\windows\msb.exe
    2009-08-10 01:59 . 2009-08-10 02:00 -------- d-----w- c:\program files\AV Care
    2009-08-10 01:49 . 2009-08-10 01:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-08-07 14:16 . 2009-08-07 14:16 -------- d-sh--w- c:\documents and settings\Greg\IECompatCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-12 13:51 . 2008-12-25 20:44 1 ----a-w- c:\documents and settings\Greg\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-08-10 01:52 . 2008-12-25 19:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-08-07 18:40 . 2009-03-13 06:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-28 02:23 . 2009-02-12 21:10 -------- d-----w- c:\documents and settings\Greg\Application Data\gtk-2.0
    2009-07-25 19:09 . 2008-12-25 19:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2009-07-03 17:09 . 2008-08-09 14:32 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-07-01 02:12 . 2008-12-31 14:11 1692 ----a-w- c:\documents and settings\Greg\Application Data\wklnhst.dat
    2009-06-16 14:36 . 2008-08-09 14:32 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2008-08-09 14:32 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 12:59 . 2009-06-16 12:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Hewlett-Packard
    2009-06-16 12:49 . 2009-06-16 12:49 -------- d-----w- c:\program files\Hewlett-Packard
    2009-06-03 19:09 . 2008-08-09 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-25 04:24 . 2008-05-27 03:18 350208 ------w- c:\windows\system32\mssph.dll
    2008-05-07 23:34 . 2008-09-11 13:03 15523560 ----a-w- c:\program files\Install AiGuruU1 Skype Phone.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SuperHybridEngine.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk
    backup=c:\windows\pss\SuperHybridEngine.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    backup=c:\windows\pss\VPN Client.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Greg^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\documents and settings\Greg\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Greg^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
    path=c:\documents and settings\Greg\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
    backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Greg^Start Menu^Programs^Startup^rncsys32.exe]
    path=c:\documents and settings\Greg\Start Menu\Programs\Startup\rncsys32.exe
    backup=c:\windows\pss\rncsys32.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "WLSetupSvc"=3 (0x3)
    "usnjsvc"=3 (0x3)
    "RoxWatch9"=2 (0x2)
    "RoxMediaDB9"=3 (0x3)
    "RoxLiveShare9"=2 (0x2)
    "Roxio Upnp Server 9"=2 (0x2)
    "Roxio UPnP Renderer 9"=3 (0x3)
    "OracleOraHome81ClientCache"=3 (0x3)
    "IviRegMgr"=2 (0x2)
    "iPod Service"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gusvc"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "mnmsrvc"=3 (0x3)
    "idsvc"=3 (0x3)
    "eBVServ"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/9/2009 10:18 PM 28544]
    R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [9/11/2008 7:17 AM 10752]
    R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [9/11/2008 6:18 PM 26112]
    R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [1/2/2002 3:51 PM 36864]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [1/15/2009 10:06 AM 29824]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [1/15/2009 10:06 AM 41344]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [1/15/2009 10:06 AM 39936]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [1/15/2009 10:06 AM 59776]
    S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [9/11/2008 10:42 PM 625024]
    S4 eBVServ;eBVServ;c:\program files\TOSHIBA\TOSHIBA e-BRIDGE Viewer\eBVServ.exe [5/11/2009 11:18 AM 86016]
    S4 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [10/19/2000 12:55 PM 411244]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    FF - ProfilePath - c:\docume~1\Greg\APPLIC~1\Mozilla\Firefox\Profiles\dv64qc1c.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.kroooz-cams.com/terry/netcam.jpg?1231339449142
    FF - plugin: c:\documents and settings\Greg\Application Data\Mozilla\Firefox\Profiles\dv64qc1c.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-12 13:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    Completion time: 2009-08-12 13:13
    ComboFix-quarantined-files.txt 2009-08-12 17:13

    Pre-Run: 64,346,140,672 bytes free
    Post-Run: 65,309,573,120 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    179 --- E O F --- 2009-07-30 12:21

  10. #10
    Junior Member
    Join Date
    Aug 2009
    Posts
    19

    Default

    Here's the Hijackthis log too:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:24:03 PM, on 8/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eeepc.asus.com/global
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1230231671609
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1230231648859
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C38A5413-F50B-4F03-BB3E-825B2A29DC47}: NameServer = 66.174.95.44 69.78.96.14
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tabs.toshiba.com
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    --
    End of file - 5135 bytes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •