thanks for all ur help ken.
will get back to u at AM to post the scan log.
regards
thanks for all ur help ken.
will get back to u at AM to post the scan log.
regards
Ok Thanks ,
Just want to point out that one of the files that showed up on your Combofix log is a BACKDOOR TROJAN ( now can you see why I ask to see the logs )that is responsible for letting all this garbage in , so I would suggest that until I give you the all clear that except for posting here that you stay off the internet.
It looks like SAS may remove that trojan ??? so post the log from SAS and a new HJT log
Ken
Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014
ERROR MESSAGE 386
No KeyBoard Detected
Press F1 To Continue
Just a reminder that threads will be closed if no reply in 3 days.
hi ken,
this is the log generated afetr rebooting
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 12/20/2007 at 02:25 AM
Application Version : 3.9.1008
Core Rules Database Version : 3363
Trace Rules Database Version: 1362
Scan type : Complete Scan
Total Scan Time : 00:44:43
Memory items scanned : 392
Memory threats detected : 0
Registry items scanned : 6171
Registry threats detected : 3
File items scanned : 48768
File threats detected : 26
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{76F262CF-0308-0FB4-F7A3-043266F3A47C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76F262CF-0308-0FB4-F7A3-043266F3A47C}
HKCR\CLSID\{76F262CF-0308-0FB4-F7A3-043266F3A47C}
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\jackthetripper@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\jackthetripper@2o7[2].txt
Trojan.Downloader-Gen/AVP
C:\PROGRAM FILES\LSASS.EXE
Malware.Ultimate Defender
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JUVPRPBA\JUVPRPBA1.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JUVPRPBA\JUVPRPBA3.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NJPRCKHA\NJPRCKHA1.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NJPRCKHA\NJPRCKHA3.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP894\A0117957.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP894\A0117958.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP894\A0117959.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP894\A0117960.EXE
Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WAPICC.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117545.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117593.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP894\A0117956.EXE
Trojan.Downloader-Gen/MobRules
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP886\A0117002.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP886\A0117278.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP887\A0117383.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117488.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117489.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117490.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117544.DLL
Adware.E404 Helper/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117535.DLL
Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117571.DLL
Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117573.DLL
Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34AB50A6-249E-41BD-87AD-2FD0F4B201B8}\RP888\A0117591.EXE
as u requested this is the log after running SAS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:18:39, on 20/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {88A90170-7663-498D-962F-488E5297C0B6} - (no file)
O2 - BHO: (no name) - {91A1B062-D216-428D-A2F2-C45DE13B5138} - (no file)
O2 - BHO: {99144766-64fe-1b5a-a384-e9e3ebf50479} - {97405fbe-3e9e-483a-a5b1-ef4666744199} - (no file)
O2 - BHO: (no name) - {C38BFE4C-68DB-4A0D-8F5D-3FE670800893} - (no file)
O2 - BHO: (no name) - {FA8FACF2-EFA2-489C-ABB9-A9EB276CD194} - (no file)
O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...uish_load.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444552540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553518000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...bridge-c24.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtttus - C:\WINDOWS\
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
--
End of file - 7929 bytes
Good Morning,
Trojan.Downloader-Gen/AVP
C:\PROGRAM FILES\LSASS.EXE <-- This was your backdoor and it looks like it was removed.
Next step.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
Save this as CFScript to your desktop.File::
C:\WINDOWS\system32\mcrh.tmp
C:\Documents and Settings\All Users\Application Data\ghwjwbon.dll
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F262CF-0308-0FB4-F7A3-043266F3A47C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88A90170-7663-498D-962F-488E5297C0B6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91A1B062-D216-428D-A2F2-C45DE13B5138}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97405fbe-3e9e-483a-a5b1-ef4666744199}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C38BFE4C-68DB-4A0D-8F5D-3FE670800893}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA8FACF2-EFA2-489C-ABB9-A9EB276CD194}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtttus]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ghwjwbon]
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014
ERROR MESSAGE 386
No KeyBoard Detected
Press F1 To Continue
Just a reminder that threads will be closed if no reply in 3 days.
Just want to give you a heads up so you don't get into trouble. In windows, you cannot have two files the same name in the same location, if you look on the top part of your HJT log you will see this.
C:\WINDOWS\system32\lsass.exe <-- This is legit and your system won't run without it, do not delete it.
C:\PROGRAM FILES\LSASS.EXE <-- This is the trojan, virus writters make it look legit by naming a bad file lsass.exe and placing it here.
Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014
ERROR MESSAGE 386
No KeyBoard Detected
Press F1 To Continue
Just a reminder that threads will be closed if no reply in 3 days.
Hi ken
this is the combo fix log after executing the CFScript.txt file
ComboFix 07-12-19.2 - Jackthetripper 2007-12-20 17:36:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.127 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\All Users\Application Data\ghwjwbon.dll
C:\WINDOWS\system32\mcrh.tmp
.
((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.
2007-12-20 01:37 . 2007-12-20 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 01:36 . 2007-12-20 17:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 01:36 . 2007-12-20 01:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-19 20:58 . 2007-12-19 20:58 <DIR> d-------- C:\Program Files\AntiPlagiarist
2007-12-17 22:38 . 2007-12-17 22:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-17 22:38 . 2007-12-17 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-17 22:05 . 2007-12-17 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-17 18:55 . 2007-12-17 18:55 <DIR> d-------- C:\Program Files\Opera 9.5 beta
2007-11-27 21:14 . 2007-11-27 21:14 0 --a------ C:\WINDOWS\iPlayer.INI
2007-11-26 20:32 . 2007-11-26 20:32 <DIR> d-------- C:\Program Files\uTorrent
2007-11-26 20:32 . 2007-12-14 16:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 01:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-22 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 14:15 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2007-11-09 14:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-30 11:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 03:01 23,176 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-23 03:00 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-23 01:45 --------- d-----w C:\Program Files\Java
2007-10-22 20:02 --------- d-----w C:\Program Files\Winamp
2005-01-31 07:56 712,704 ----a-w C:\WINDOWS\inf\OTHER\audio3d.dll
2006-03-13 02:26 104 --sh--r C:\WINDOWS\system32\58D71E58F9.sys
2006-03-13 02:26 11,690 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2007-12-19_22.33.57.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-20 01:36:57 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-20 01:36:57 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-20 01:36:57 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2005-05-04 14:45:36 15,360 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 16:06]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-01 12:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 11:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-19 20:53]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.exe" [2006-08-11 14:42 C:\WINDOWS\MIDIDEF.EXE]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 12:22]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]
S3 W8335XP;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;C:\WINDOWS\system32\DRIVERS\Mrv8000c.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db129c3f-7cd7-11da-874c-000d60b3f000}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 17:39:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2007-12-20 17:40:13
C:\ComboFix2.txt ... 2007-12-20 17:27
.
2007-12-18 07:24:59 --- E O F ---
and this is the HJT log requested.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:30, on 20/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...uish_load.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444552540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553518000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...bridge-c24.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
--
End of file - 7437 bytes
hi ken
ive also noticed a zangocash entry in HJT file? just wondering if that will be a problem and any way of deleting that if at all necessary..coz as for as im aware it's not somehting i installed!
thanks
Yep,
You can remove these with HJT. These are things you do not want on your system.
Open Hijackthis to Scan Only, close all open windows including this one , place a checkmark in the following entries and click on Fix Checked.
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...uish_load.html
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...bridge-c24.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
You can run this system cleaner,
Please download ATF Cleaner by Atribune to your desktop.
- This program is for XP and Windows 2000 only
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Reboot your system
You may have some bad entries in your System Restore Program, do this to flush it all out.
System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points
Turn off System Restore.
- Right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- Check Turn off System Restore on all Drives.
- Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
- Right-click My Computer.
- ClickProperties.
- Click the System Restore tab.
- UN-Check Turn off System Restore on all Drives.
- Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
- Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Catagory View to be able to Create a New Restore Point
System Restore Tutorial <-- If you need it
The rest of your log looks fine How are things running now?????
Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014
ERROR MESSAGE 386
No KeyBoard Detected
Press F1 To Continue
Just a reminder that threads will be closed if no reply in 3 days.