Read this topic before posting a log.
DO NOT post a ComboFix log unless requested to.
Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.
When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.
Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Jan 27 2008, 06:28 AM, Post #16, Member (Group: Members, Posts: 26, Joined: 23-January 08, Member No.: 185,474)
Ok thanks to jpshortstuff and sUBs for your replies. Ok I managed to download the CF.exe and ran it and it worked, and I have posted the ComboFix log file and a new HiJackThis log file and I would very much appreciate any more input if either of you have any.

The files I was particularly worried about were:-

C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
and C:\WINDOWS\system32\mlgjf.dll which had a registry entry in the HKLM\software\microsoft\windows\current version\explorer\browser helper objects\

This was of particular interest to me as it was in the explorer folder and it is the explorer.exe that is using 99% of the CPU usage, and after looking quickly at the ComboFix log and with an uneducated eye the following interested me:-

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156] -> C:\WINDOWS\system32\mljgf.dll

I Googled the mljgf.dll file and the fgjlm.ini and fgjlm.ini2 yesterday as I previously said and they came back as variants of Virtumonde. Any ideas guys as I think we're now getting somewhere? Thanks again for your help.

Benny

ComboFix 08-01-27.4 - Owner 2008-01-27 10:35:48.7 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.133 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\CF.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
D:\Autorun.inf
.
---- Previous Run -------
.
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mcrh.tmp
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-27 10:46 . 2008-01-27 10:53 371 --ahs---- C:\WINDOWS\system32\fgjlm.ini
2008-01-21 18:47 . 2008-01-21 21:47 <DIR> d-------- C:\VundoFix Backups
2008-01-17 21:42 . 2002-08-28 23:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-01-17 21:42 . 2003-01-20 17:23 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-01-17 21:42 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-01-17 21:42 . 2004-08-04 07:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-01-17 21:40 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-01-17 21:39 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-17 21:38 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-01-17 21:37 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-01-17 21:37 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-01-17 21:37 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-01-17 21:35 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-17 21:34 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-01-17 21:33 . 2003-01-20 17:04 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-01-17 21:32 . 2003-01-20 17:04 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-17 21:31 . 2003-01-20 17:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-01-17 21:30 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-17 21:30 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-17 21:28 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2008-01-17 21:28 . 2004-08-04 07:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2008-01-17 21:28 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2008-01-17 21:28 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irstusb.sys
2008-01-17 21:28 . 2001-08-17 13:49 23,552 --a--c--- C:\WINDOWS\system32\dllcache\irmk7.sys
2008-01-17 21:28 . 2001-08-17 13:51 18,688 --a--c--- C:\WINDOWS\system32\dllcache\irsir.sys
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-17 21:28 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-17 21:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-17 21:25 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-01-17 21:24 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-01-17 21:23 . 2001-08-17 22:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-01-17 21:22 . 2003-01-20 17:46 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-17 21:21 . 2001-08-17 14:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2008-01-17 21:20 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-17 21:19 . 2001-08-17 12:19 747,392 --a--c--- C:\WINDOWS\system32\dllcache\adm8830.sys
2008-01-17 21:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-15 17:03 . 2008-01-15 18:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-14 23:18 . 2008-01-14 23:18 <DIR> d-------- C:\Program Files\Opera
2008-01-13 22:41 . 2008-01-25 20:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 00:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-11 00:45 . 2008-01-11 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 21:23 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-09 02:25 . 2003-01-02 09:36 <DIR> d-a------ C:\Documents and Settings\Administrator\WINDOWS
2008-01-09 02:25 . 2003-01-02 11:40 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-09 02:25 . 2003-01-02 09:33 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-09 02:25 . 2003-01-02 09:38 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-09 02:25 . 2003-01-02 09:35 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-01-06 16:05 . 2008-01-06 16:05 314,720 --a------ C:\WINDOWS\system32\mljgf.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 17:19 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2008-01-24 20:47 --------- d-----w C:\Program Files\SmartFTP
2008-01-24 20:46 --------- d-----w C:\Program Files\Viewpoint
2008-01-24 20:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-21 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-18 01:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-13 20:34 --------- d-----w C:\Program Files\Java
2008-01-12 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 16:00 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-12 11:22 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-08 18:59 --------- d-----w C:\Program Files\Lx_cats
2007-12-07 23:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-12-05 10:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 10:33 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 10:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 10:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 10:33 --------- d---a-w C:\Program Files\Symantec
2007-11-30 23:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-30 19:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2005-02-14 12:23 57,744 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-06-14 22:44 56 --sh--r C:\WINDOWS\system32\A07B39D1A5.sys
2007-06-14 22:44 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98697b10-7559-4601-ba26-60260b9a4c4b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF157CD1-78DF-4539-B739-2F567D2BA293}]
2008-01-06 16:05 314720 --a------ C:\WINDOWS\system32\mljgf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 11:21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 23:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 03:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 04:42 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 07:59 126976]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 23:57 81920]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22 26248]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-04 01:44 4595712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"combofix"="C:\ComboFix\kmd.exe" [2004-08-04 07:56 388608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyxx]
byxyyxx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TomTom HOME.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TomTom HOME.lnk
backup=C:\WINDOWS\pss\TomTom HOME.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 08:03 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-25 04:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-10 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-03-04 01:44 831557 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-03-04 01:44 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 15:52 3770024 C:\Program Files\TomTom HOME\TomTomHOME.exe

R0 iviVD;iviVD;C:\WINDOWS\system32\DRIVERS\iviVD.sys [2005-11-16 15:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34cc226c-7714-11db-927d-000e5038fc37}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ddce07-1e40-11dc-9413-000e5038fc37}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:02:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 10:50:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\fgjlm.ini2 443 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\mljgf.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\mljgf.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
**************************************************************************
.
Completion time: 2008-01-27 11:02:39 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-01-27 11:02:23
.
2008-01-23 23:50:27 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:50, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160512250765
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5570-b298...l/java/RntX.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8778 bytes
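Editor's note, not part of either poster's reply: the ComboFix log above shows the three load points that make this Vundo/Virtumonde sample hard to clear by hand. The same random-named DLL (mljgf.dll) is registered as a Browser Helper Object, appended to the LSA "Authentication Packages" value (which is why it sits inside lsass.exe), and a second random-named DLL (byxyyxx.dll) is registered as a Winlogon Notify package. The following added Python script is one way to triage a "Reg Loading Points" excerpt for exactly those patterns. The sample text inside it is a constructed, trimmed copy of the posted log's entries; the scoring rules and the `looks_random` name heuristic are my own assumptions, not something ComboFix or the HJT team provide.

```python
"""Triage a ComboFix 'Reg Loading Points' excerpt for Vundo-style persistence.

Added example, not part of the forum thread and not a ComboFix feature.
The sample below is a constructed excerpt: its keys, CLSIDs and file
names are copied from the log posted above; the scoring rules and the
looks_random() heuristic are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: trimmed copy of the posted log's load points plus
# the 'DLLs Loaded Under Running Processes' section.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98697b10-7559-4601-ba26-60260b9a4c4b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF157CD1-78DF-4539-B739-2F567D2BA293}]
2008-01-06 16:05 314720 --a------ C:\WINDOWS\system32\mljgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyxx]
byxyyxx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\mljgf.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\mljgf.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
FILE_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:dll|exe|sys)\b', re.IGNORECASE)
PROC_RE = re.compile(r"^PROCESS:\s+(?P<proc>\S+)\s+\[[^\]]*\]$")
AUTHPKG_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")
VOWELS = frozenset("aeiou")


def looks_random(stem: str) -> bool:
    """Coarse heuristic for the generated names this Vundo variant uses
    (mljgf, fgjlm, byxyyxx): 5+ ASCII letters, all lowercase, no a/e/i/o/u.
    It will also trip on a few legitimate names (hkcmd, for one), so treat
    it as a prioritiser, not a verdict."""
    return (len(stem) >= 5 and stem.isascii() and stem.isalpha()
            and stem.islower() and not (set(stem) & VOWELS))


def _stem(path: str) -> str:
    """'C:\\x\\mljgf.dll' -> 'mljgf'; also accepts a bare 'byxyyxx.dll'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    where: str      # registry key, or the process the DLL was found in
    what: str       # file, value or package implicated
    why: str


def _sections(text: str) -> list[tuple[str, list[str]]]:
    """Group the lines that follow each [HKEY_...] header. 'PROCESS:' lines
    end the current section; they are parsed separately by _loaded_dlls."""
    out: list[tuple[str, list[str]]] = []
    key, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("PROCESS:"):
            if key is not None:
                out.append((key, body))
            key, body = None, []
            continue
        if not line or line.startswith("->"):
            continue
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                out.append((key, body))
            key, body = m.group("key"), []
        elif key is not None:
            body.append(line)
    if key is not None:
        out.append((key, body))
    return out


def _loaded_dlls(text: str):
    """Yield (process, dll) pairs: a 'PROCESS:' line followed by '-> path' lines."""
    proc = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            proc = m.group("proc")
        elif line.startswith("->") and proc:
            yield proc, line[2:].strip()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for key, body in _sections(log_text):
        low = key.lower()
        paths = [m.group(0) for line in body for m in FILE_RE.finditer(line)]
        if "browser helper objects" in low:
            # Vundo registers its DLL as a BHO so IE and Explorer load it.
            if not paths:
                findings.append(Finding("medium", key, "(no file listed)",
                    "BHO CLSID with no backing file shown; stale entry or hidden DLL"))
            for p in paths:
                if looks_random(_stem(p)):
                    findings.append(Finding("high", key, p,
                        "BHO backed by a random-looking DLL name"))
        elif "winlogon\\notify" in low:
            # Notify packages run inside winlogon.exe at every logon.
            for line in body:
                if looks_random(_stem(line)):
                    findings.append(Finding("high", key, line,
                        "Winlogon Notify package with a random-looking name"))
        elif low.endswith("\\control\\lsa"):
            # Anything beyond msv1_0 here is loaded into lsass.exe at boot.
            # (split() assumes no spaces in the path, true of the posted log.)
            for line in body:
                m = AUTHPKG_RE.match(line)
                if m:
                    for pkg in m.group("pkgs").split():
                        if pkg.lower() != "msv1_0":
                            findings.append(Finding("high", key, pkg,
                                "non-default LSA Authentication Package"))
    for proc, dll in _loaded_dlls(log_text):
        if looks_random(_stem(dll)):
            findings.append(Finding("high", proc, dll,
                "random-looking DLL mapped into a running system process"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.where}\n         {f.what}: {f.why}")
```

Run against the sample it reports six findings: the orphaned BHO CLSID, the BHO and LSA entries for mljgf.dll, the byxyyxx.dll Notify package, and the two processes (lsass.exe and Explorer.EXE) that had mljgf.dll mapped. That correlation is the useful part: a fix that only removes the BHO leaves the LSA and Notify entries to reload the DLL at the next boot, which matches the "it came back" pattern described in the thread and is why sUBs's CFScript in the next post targets all three keys.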
Jan 27 2008, 07:44 AM, Post #17, sUBs (Group: HJT Team, Posts: 2,266, Joined: 19-May 05, Member No.: 20,675)
Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
---------------

Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/topic127278.html

Collect::
C:\WINDOWS\system32\mljgf.dll

File::
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mcrh.tmp

Folder::
C:\VundoFix Backups
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98697b10-7559-4601-ba26-60260b9a4c4b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF157CD1-78DF-4539-B739-2F567D2BA293}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyxx]

Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

---------------

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html
Answer Yes, when prompted to install an ActiveX component.

---------------

In your next post, please include fresh logs from:
Jan 27 2008, 04:20 PM, Post #18, Member (Group: Members, Posts: 26, Joined: 23-January 08, Member No.: 185,474)
Hi sUBs and jpshortstuff,
I know I keep saying it but thanks again for all your help which is greatly appreciated.

Okay. I deleted Viewpoint and then copied and pasted the text you gave me into notepad, saved it to the Desktop and dragged it into ComboFix as you requested and it ran the program successfully and I have copied and pasted that text file with this post. I also sent the ZIP file that you asked me to send to the URL that you posted. I then ran the Kaspersky Online scanner to your instructions and I have posted that also with this post. Lastly I did another HiJackThis log just before typing this out and that is with this post also. The logs are posted in the order you requested them i.e.:-

1). HiJackThis
2). Kaspersky Online Scanner
3). ComboFix Log File

As for how the computer is reacting now then it is a bit early to tell as there have been times before when I thought it had all gone away (like after the first Vundo Fix scan) and the explorer.exe file was not using 99% of the CPU only for it to come back, so I'll see what happens this evening and let you know. Again I'd welcome any thoughts that you might have and any more help would be appreciated also. Thanks again.

Benny

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:33, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160512250765
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5570-b298...l/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05022F37-CDF8-49DC-AB11-2C7F226DD8F5}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{05022F37-CDF8-49DC-AB11-2C7F226DD8F5}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec 
Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common 
Files\Symantec Shared\AppCore\AppSvc32.exe -- End of file - 10227 bytes ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Sunday, January 27, 2008 9:02:00 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 27/01/2008 Kaspersky Anti-Virus database records: 534146 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ Scan Statistics: Total number of scanned objects: 110379 Number of viruses found: 3 Number of infected objects: 29 Number of suspicious objects: 0 Duration of the scan process: 02:43:56 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-27_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped C:\Documents and Settings\All Users\Application 
Data\Symantec\SPBBC\BBDetect.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\4E33B026.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\D81AB33A.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped C:\Documents and 
Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ba .. 
... /[From "Volksbanken Raiffeisenbanken" <custsupport_9806604539ib@vr-networld.de ... /html Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ba .. ... /[From "Volksbanken Raiffeisenbanken" <custsupport_9806604539ib@vr-networld.de>]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ba ... /[From "tim" <nuttingzh@arcusabsorbents.com>][Date Mon, 13 Nov 2006 23:12:54 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ban ... /[From ... 
/[From detail" <xvdxuetjt@alltel.net>][Date 13 Nov 2006 12:22:46 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ban ... /[From "mandy blake" <cheekydoll6@hotmail.com>][Date Sun, 24 Sep 2006 16:13:32 +0000]/text Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Banking" <online-support_id ... /[From "Mirella Arnot" <angharadstiv@iris-inspection.com>]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... 
/[From "Barclays Banking" <online-support_id_006099446153id@barclays.com>][Date 19 Sep 2006 04:59:42 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... ... /[From "Afua Jayne" <gethstorry@accessamg.com>][Date Mon, 18 Sep 2006 13:36:44 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... ... /[From "Signe Stauber" <hyselleboa@finisar.com>][Date Mon, 18 Sep 2006 08:39:45 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri C ... 
/[From "" <izxip@telnor.net>][Date Mon, 18 Sep 2006 11:47:31 +0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri C .. ... /[From <mail@thehubpeople.com>][Date Mon, 18 Sep 2006 15:01:48 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri C ... /[From But ... /[From "Barclays IBank" <supprefnum98123id@barclays.com>]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri C ... 
/[From Butcher" <jvancecpa@1-stopnet.com>][Date 18 Sep 2006 02:02:38 +0180]/html Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri Cordray" <tueposton@bonsackbaptist.org>][Date Sun, 17 Sep 2006 15:50:25 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... /[From ... /[From "Irenka Cargo" <gretaslusher@acun.com>][Date Sat, 16 Sep 2006 17:28:32 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... /[From ... 
/[From "Get the" <mitizckse@shawcable.net>][Date Sat, 16 Sep 2006 13:00:28 +0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... /[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Thu, 14 Sep 2006 15:17:58 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Support" <support@ ... 
/[From "rick lezemore" <ninja1rl@hotmail.co.uk>][Date Thu, 07 Sep 2006 22:11:53 +0100]/text Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Support" <support@formmail.com>][Date Mon, 17 Apr 2006 12:13:00 -0600]/text Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od 
skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 23 skipped C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton Internet Security\Norton 
AntiVirus\AVError.log Object is locked skipped C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped C:\QooBox\Quarantine\C\VundoFix Backups\ahgxvyja.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped C:\QooBox\Quarantine\C\VundoFix Backups\ojwtkpca.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped C:\QooBox\Quarantine\C\VundoFix Backups\rrjyobrk.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped C:\QooBox\Quarantine\C\VundoFix Backups\rslrwula.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped C:\QooBox\Quarantine\C\VundoFix Backups\rwfohjrv.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{69EE390C-99FC-4477-AB84-45CF4B9BFD7E}\RP9\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped 
C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. ComboFix 08-01-23.1B - Owner 2008-01-27 16:56:27.8 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.63 [GMT 0:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt * Created a new restore point FILE C:\WINDOWS\system32\fgjlm.ini C:\WINDOWS\system32\fgjlm.ini2 C:\WINDOWS\system32\mcrh.tmp . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . 
C:\Documents and Settings\All Users\Application Data\Viewpoint C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1002466322.mts C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-293628968.swf C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\253621806.mtx C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\964329184_1.mts C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-299397824.swf C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1991437604.swf C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\501407029.mtz C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini C:\Documents 
and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-850653353.mtj&p2=0&p3=05904293139052970165172212541909&p4=0 C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1859761695.swf C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1850579979.swf C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\670487064.swf C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx C:\VundoFix Backups C:\VundoFix Backups\ahgxvyja.dll.bad C:\VundoFix Backups\ojwtkpca.dll.bad C:\VundoFix Backups\rrjyobrk.dll.bad C:\VundoFix Backups\rslrwula.dll.bad C:\VundoFix Backups\rwfohjrv.dll.bad C:\WINDOWS\system32\fgjlm.ini C:\WINDOWS\system32\fgjlm.ini2 C:\WINDOWS\system32\mljgf.dll . ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))) . 2008-01-24 21:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-17 21:42 . 2002-08-28 23:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys 2008-01-17 21:42 . 2003-01-20 17:23 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime 2008-01-17 21:42 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys 2008-01-17 21:42 . 2004-08-04 07:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys 2008-01-17 21:40 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll 2008-01-17 21:39 . 
2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys 2008-01-17 21:38 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll 2008-01-17 21:37 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys 2008-01-17 21:37 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys 2008-01-17 21:37 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys 2008-01-17 21:35 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys 2008-01-17 21:34 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys 2008-01-17 21:33 . 2003-01-20 17:04 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll 2008-01-17 21:32 . 2003-01-20 17:04 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex 2008-01-17 21:31 . 2003-01-20 17:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex 2008-01-17 21:30 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll 2008-01-17 21:30 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll 2008-01-17 21:28 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll 2008-01-17 21:28 . 2004-08-04 07:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys 2008-01-17 21:28 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys 2008-01-17 21:28 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irstusb.sys 2008-01-17 21:28 . 2001-08-17 13:49 23,552 --a--c--- C:\WINDOWS\system32\dllcache\irmk7.sys 2008-01-17 21:28 . 2001-08-17 13:51 18,688 --a--c--- C:\WINDOWS\system32\dllcache\irsir.sys 2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll 2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll 2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll 2008-01-17 21:28 . 
2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll 2008-01-17 21:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll 2008-01-17 21:25 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys 2008-01-17 21:24 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys 2008-01-17 21:23 . 2001-08-17 22:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe 2008-01-17 21:22 . 2003-01-20 17:46 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll 2008-01-17 21:21 . 2001-08-17 14:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys 2008-01-17 21:20 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys 2008-01-17 21:19 . 2001-08-17 12:19 747,392 --a--c--- C:\WINDOWS\system32\dllcache\adm8830.sys 2008-01-17 21:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys 2008-01-15 17:03 . 2008-01-15 18:13 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-01-14 23:18 . 2008-01-14 23:18 <DIR> d-------- C:\Program Files\Opera 2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Program Files\Spyware Terminator 2008-01-11 00:45 . 2008-01-11 00:45 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-09 21:23 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-01-27 11:24 --------- d---a-w C:\Program Files\Common Files\Symantec Shared 2008-01-24 20:47 --------- d-----w C:\Program Files\SmartFTP 2008-01-13 20:34 --------- d-----w C:\Program Files\Java 2008-01-12 11:22 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-01-08 18:59 --------- d-----w C:\Program Files\Lx_cats 2007-12-05 10:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF 2007-12-05 10:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-12-05 10:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2007-12-05 10:33 --------- d---a-w C:\Program Files\Symantec 2007-11-30 23:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys 2007-11-30 23:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys 2007-11-30 23:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys 2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat 2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat 2007-11-30 23:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat 2007-11-30 23:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf 2007-11-30 23:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf 2007-11-30 23:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf 2007-06-14 22:44 56 --sh--r C:\WINDOWS\system32\A07B39D1A5.sys 2007-06-14 22:44 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 11:21 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 23:04 52736] "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 03:02 61440] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 04:42 212992] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 07:59 126976] "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 23:57 81920] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592] "LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22 26248] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-04 01:44 4595712] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 110592 C:\WINDOWS\system32\bthprops.cpl] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk 
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TomTom HOME.lnk] path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TomTom HOME.lnk backup=C:\WINDOWS\pss\TomTom HOME.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor] --a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 07:56 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] --a------ 2004-11-02 08:03 155648 C:\WINDOWS\System32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] C:\Program Files\Ahead\InCD\InCD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection] --a------ 2002-07-25 04:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] -ra------ 2001-07-10 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW] --a------ 2003-03-04 01:44 831557 C:\WINDOWS\system32\nview.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2003-03-04 01:44 323584 C:\WINDOWS\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics] --a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe] --a------ 2007-03-14 15:52 3770024 C:\Program Files\TomTom HOME\TomTomHOME.exe R0 iviVD;iviVD;C:\WINDOWS\system32\DRIVERS\iviVD.sys [2005-11-16 15:42] S4 Propsprt;Propsprt;C:\WINDOWS\System32\drivers\modem.sys [2004-08-04 06:08] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34cc226c-7714-11db-927d-000e5038fc37}] \Shell\AutoRun\command - G:\InstallTomTomHOME.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ddce07-1e40-11dc-9413-000e5038fc37}] \Shell\AutoRun\command - H:\InstallTomTomHOME.exe *Newly Created Service* - COMHOST . Contents of the 'Scheduled Tasks' folder "2008-01-11 20:02:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK: . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-27 17:17:04 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-27 17:31:47 - machine was rebooted ComboFix-quarantined-files.txt 2008-01-27 17:31:36 ComboFix2.txt 2008-01-27 11:02:41 . 2008-01-23 23:50:27 --- E O F --- |
Jan 27 2008, 04:39 PM, Post #19
sUBs (Group: HJT Team, Posts: 2,266, Joined: 19-May 05, Member No.: 20,675)
This is an infected email which you need to manually delete from your Thunderbird's Inbox:
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox /[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]

-------------

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

CODE
@echo off
swreg query "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" >log.txt
swreg add "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" /v reg_multi_sz /d msv1_0
echo.>>log.txt
echo.============>>log.txt
echo.>>log.txt
swreg query "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" >>log.txt
Start Notepadlog.txt
Nircmd wait 1500
del log.txt
del %0

Save this as fix.bat
Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run
Post back to tell me what it says
Jan 28 2008, 11:43 AM, Post #20
Member (Group: Members, Posts: 26, Joined: 23-January 08, Member No.: 185,474)
Hi sUBs,
Ok I have deleted the file manually as you suggested and I saved the file fix.bat as you said, but I think there was a problem with that as an error box came up and whatever it was running appeared to abort, so I'm not sure what that was all about. Anyway. After yesterday's actions that you so kindly talked me through, my computer does appear to be back to as it was before the Vundo/Virtumonde infection and the explorer.exe file is running at its normal CPU usage. Therefore I take it that no further action is needed and everything is ok? Would that be correct?
Regards
Benny
Jan 28 2008, 04:40 PM, Post #21
sUBs (Group: HJT Team, Posts: 2,266, Joined: 19-May 05, Member No.: 20,675)
QUOTE: an error box came up and whatever it was running appeared to abort
Sorry about that. I just noted a typo in my script. Did it create a logfile named Log.txt next to the batchfile?
Jan 28 2008, 04:57 PM, Post #22
Member (Group: Members, Posts: 26, Joined: 23-January 08, Member No.: 185,474)
Thanks for your reply.
Yes it did, but when the fix.bat aborted and closed the window it deleted the fix.bat and the log file of its own accord from the desktop, although I'm not sure why or how it did that. Do you want me to run that script again and if so what was the typo?
Benny
Jan 28 2008, 05:06 PM, Post #23
sUBs (Group: HJT Team, Posts: 2,266, Joined: 19-May 05, Member No.: 20,675)
Please run this new script
CODE
@echo off
swreg query "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" >log.txt
swreg add "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" /v reg_multi_sz /d msv1_0
echo.>>log.txt
echo.============>>log.txt
echo.>>log.txt
swreg query "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" >>log.txt
Start Notepad log.txt
Nircmd wait 1500
del log.txt
del %0
Jan 28 2008, 06:21 PM, Post #24
Member (Group: Members, Posts: 26, Joined: 23-January 08, Member No.: 185,474)
Ok thanks for your post.
I ran the fix.bat and here is the log file:-

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0C:\WINDOWS\system32\mljgf.dll\0\0

============

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0C:\WINDOWS\system32\mljgf.dll\0\0
Jan 28 2008, 06:24 PM, Post #25
sUBs (Group: HJT Team, Posts: 2,266, Joined: 19-May 05, Member No.: 20,675)
Log looks awful. Please delete your existing copy of ComboFix.exe. Grab a new copy from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Then post a fresh log
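The log "looks awful" because both snapshots still list mljgf.dll after msv1_0: the swreg add did not take, so the DLL remains registered as an LSA Authentication Package and is loaded by lsass.exe at every boot. The Python check below is an added example, not code from the thread; it parses swreg/reg.exe-style query output, splits the REG_MULTI_SZ on its literal \0 separators and reports any package other than msv1_0. The sample logs are constructed to mirror Benny's posting, and treating msv1_0 as the only expected package is an assumption for a stock XP Home box.

```python
"""Check swreg/reg.exe-style output for the LSA 'Authentication Packages' value.

Added example, not from the thread.  Assumptions: the query output renders the
REG_MULTI_SZ with literal '\\0' separators (as in the posted log) and msv1_0 is
the only package expected on a stock Windows XP Home box.
"""
import re

EXPECTED_PACKAGES = {"msv1_0"}   # assumption: stock XP, no third-party auth packages

# One 'authentication packages' line per query; data runs to end of line so
# paths containing spaces are kept intact.
VALUE_RE = re.compile(
    r"authentication packages\s+REG_MULTI_SZ\s+(?P<data>.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def split_multi_sz(data: str) -> list[str]:
    """Split the textual REG_MULTI_SZ rendering on the literal two-character '\\0'."""
    return [p for p in data.split(r"\0") if p]   # the closing '\0\0' yields empties


def parse_auth_packages(log_text: str) -> list[list[str]]:
    """Return the package list from every query snapshot in the log, in order."""
    return [split_multi_sz(m.group("data")) for m in VALUE_RE.finditer(log_text)]


def suspicious_packages(packages: list[str]) -> list[str]:
    """Anything outside EXPECTED_PACKAGES; a full path into system32 is the Vundo pattern."""
    return [p for p in packages if p.lower() not in EXPECTED_PACKAGES]


def fix_succeeded(log_text: str) -> bool:
    """fix.bat queries the value before and after the reset: the fix worked only if
    the last snapshot contains nothing but expected packages."""
    snapshots = parse_auth_packages(log_text)
    return len(snapshots) >= 2 and not suspicious_packages(snapshots[-1])


# --- constructed sample logs, mirroring the layout of the posted log.txt -------
def _snapshot(packages: list[str]) -> str:
    """Render one swreg-style query block for a given package list (constructed)."""
    data = "".join(p + r"\0" for p in packages) + r"\0"
    return (
        "SteelWerX Registry Console Tool 2.0\n"
        "Written by Bobbi Flekman 2006\n\n"
        "HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa\n"
        f"    authentication packages    REG_MULTI_SZ    {data}\n"
    )


SEPARATOR = "\n============\n\n"
DIRTY = ["msv1_0", r"C:\WINDOWS\system32\mljgf.dll"]

# What Benny posted: the value is unchanged after the 'add', so the fix did not take.
POSTED_LOG = _snapshot(DIRTY) + SEPARATOR + _snapshot(DIRTY)
# What a successful run would look like: dirty before, only msv1_0 after.
GOOD_LOG = _snapshot(DIRTY) + SEPARATOR + _snapshot(["msv1_0"])


def report(log_text: str) -> str:
    """Human-readable verdict for a pasted log."""
    snaps = parse_auth_packages(log_text)
    lines = [f"snapshot {i + 1}: {', '.join(s) or '(empty)'}" for i, s in enumerate(snaps)]
    bad = suspicious_packages(snaps[-1]) if snaps else []
    verdict = "CLEAN" if snaps and not bad else "STILL INFECTED: " + "; ".join(bad)
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    print(report(POSTED_LOG))
    print("---")
    print(report(GOOD_LOG))
```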
Jan 28 2008, 06:48 PM, Post #26
Member (Group: Members, Posts: 26, Joined: 23-January 08, Member No.: 185,474)
Ok will do.
It looks awful in what way? You've got me worried now as I thought everything was fine.
Benny
Jan 28 2008, 07:24 PM, Post #27
sUBs (Group: HJT Team, Posts: 2,266, Joined: 19-May 05, Member No.: 20,675)
Benny, where's the log?
Jan 28 2008, 07:30 PM, Post #28
Member (Group: Members, Posts: 26, Joined: 23-January 08, Member No.: 185,474)
I have included the new ComboFix log and another HiJackThis in case you need that.
I noticed that on this Combo Fix it only completed 38 stages compared to 40 stages before, and that after Stage 30 it said: SED: Can't read temp0w: No such file or directory. Whilst running Combo Fix it also tried to change my Default Search engine settings (or something did). I don't know if any of these are relevant. Your help as always is appreciated.
Benny

ComboFix 08-01-29.2 - Owner 2008-01-28 23:51:51.9 - NTFSx86 Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 ))))))))))))))))))))))))))))))) . 2008-01-27 17:48 . 2008-01-27 17:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-01-27 17:48 . 2008-01-27 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-01-17 21:42 . 2002-08-28 23:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys 2008-01-17 21:42 . 2003-01-20 17:23 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime 2008-01-17 21:42 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys 2008-01-17 21:42 . 2004-08-04 07:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys 2008-01-17 21:40 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll 2008-01-17 21:39 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys 2008-01-17 21:38 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll 2008-01-17 21:37 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys 2008-01-17 21:37 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys 2008-01-17 21:37 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys 2008-01-17 21:35 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys 2008-01-17 21:34 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys 2008-01-17 21:33 .
2003-01-20 17:04 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll 2008-01-17 21:32 . 2003-01-20 17:04 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex 2008-01-17 21:31 . 2003-01-20 17:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex 2008-01-17 21:30 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll 2008-01-17 21:30 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll 2008-01-17 21:28 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll 2008-01-17 21:28 . 2004-08-04 07:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys 2008-01-17 21:28 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys 2008-01-17 21:28 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irstusb.sys 2008-01-17 21:28 . 2001-08-17 13:49 23,552 --a--c--- C:\WINDOWS\system32\dllcache\irmk7.sys 2008-01-17 21:28 . 2001-08-17 13:51 18,688 --a--c--- C:\WINDOWS\system32\dllcache\irsir.sys 2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll 2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll 2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll 2008-01-17 21:28 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll 2008-01-17 21:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll 2008-01-17 21:25 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys 2008-01-17 21:24 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys 2008-01-17 21:23 . 2001-08-17 22:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe 2008-01-17 21:22 . 2003-01-20 17:46 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll 2008-01-17 21:21 . 2001-08-17 14:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys 2008-01-17 21:20 . 
2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys 2008-01-17 21:19 . 2001-08-17 12:19 747,392 --a--c--- C:\WINDOWS\system32\dllcache\adm8830.sys 2008-01-17 21:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys 2008-01-15 17:03 . 2008-01-15 18:13 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-01-14 23:18 . 2008-01-14 23:18 <DIR> d-------- C:\Program Files\Opera 2008-01-13 22:41 . 2008-01-25 20:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator 2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Program Files\Spyware Terminator 2008-01-13 21:55 . 2008-01-27 00:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator 2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator 2008-01-11 00:45 . 2008-01-11 00:45 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-09 21:23 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-09 02:25 . 2003-01-02 09:36 <DIR> d-a------ C:\Documents and Settings\Administrator\WINDOWS 2008-01-09 02:25 . 2003-01-02 11:40 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Symantec 2008-01-09 02:25 . 2003-01-02 09:33 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Sonic 2008-01-09 02:25 . 2003-01-02 09:38 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\SampleView 2008-01-09 02:25 . 2003-01-02 09:35 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\InterTrust . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-01-28 23:50 --------- d---a-w C:\Program Files\Common Files\Symantec Shared 2008-01-28 23:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Symantec 2008-01-28 10:43 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-01-24 20:47 --------- d-----w C:\Program Files\SmartFTP 2008-01-21 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-01-13 20:34 --------- d-----w C:\Program Files\Java 2008-01-12 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-01-08 18:59 --------- d-----w C:\Program Files\Lx_cats 2007-12-07 23:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent 2007-12-05 10:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF 2007-12-05 10:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-12-05 10:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2007-12-05 10:33 --------- d---a-w C:\Program Files\Symantec 2007-11-30 23:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys 2007-11-30 23:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys 2007-11-30 23:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys 2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat 2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat 2007-11-30 23:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat 2007-11-30 23:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf 2007-11-30 23:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf 2007-11-30 23:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf 2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe 2005-02-14 12:23 57,744 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT 2007-06-14 22:44 56 --sh--r C:\WINDOWS\system32\A07B39D1A5.sys 2007-06-14 22:44 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 11:21 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 23:04 52736] "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 03:02 61440] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 04:42 212992] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 07:59 126976] "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 23:57 81920] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592] "LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22 26248] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-04 01:44 4595712] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 110592 C:\WINDOWS\system32\bthprops.cpl] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] 
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TomTom HOME.lnk] path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TomTom HOME.lnk backup=C:\WINDOWS\pss\TomTom HOME.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor] --a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 07:56 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] --a------ 2004-11-02 08:03 155648 C:\WINDOWS\System32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] C:\Program Files\Ahead\InCD\InCD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection] --a------ 2002-07-25 04:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] -ra------ 2001-07-10 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW] --a------ 2003-03-04 01:44 831557 C:\WINDOWS\system32\nview.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2003-03-04 01:44 323584 C:\WINDOWS\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics] --a------ 2004-01-26 11:38 866816 
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 15:52 3770024 C:\Program Files\TomTom HOME\TomTomHOME.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34cc226c-7714-11db-927d-000e5038fc37}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ddce07-1e40-11dc-9413-000e5038fc37}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:02:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 00:06:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
**************************************************************************
.
Completion time: 2008-01-30 0:19:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 00:18:57
ComboFix2.txt 2008-01-27 17:31:47
ComboFix3.txt 2008-01-27 11:02:41
.
2008-01-23 23:50:27 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:21:14, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160512250765
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5570-b298...l/java/RntX.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

-- End of file - 9853 bytes
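The HijackThis log above is read by eye in this thread. As an added example that is not part of any post here and is not a HijackThis or BleepingComputer tool, the Python below parses a handful of entries copied from that log into fields (section tag, display name, CLSID or vendor, and the path, command or URL the entry points at) and then applies the kind of first-pass triage the helpers on this thread do by hand: a BHO, toolbar or button reported as "(no name)", a BHO loaded straight out of system32, an O4 autorun that loads a DLL through rundll32, and a service with no vendor string. A flag is a reason to look the file up, not a verdict. The field layouts, the Entry type and the rule names are my own assumptions about the log format, not definitions from HijackThis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: entries copied verbatim from the HijackThis log posted above.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Entry:                 # assumed field layout, not HijackThis's own schema
    kind: str                # section tag: R0, R1, O2, O4, O23, ...
    name: str                # display name, registry value name or service name
    target: str              # file path, command line or URL the entry points at
    detail: str = ""         # CLSID, registry key or vendor string, depending on kind
    raw: str = ""


LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.+)$")
# "Name - {CLSID} - path": the CLSID anchors the split, so names containing " - " survive.
CLSID_RE = re.compile(r"^(?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind in ("R0", "R1"):                       # "key,value = url"
        keyval, _, url = rest.partition(" = ")
        key, _, value = keyval.rpartition(",")
        return Entry(kind, value, url, key, line)
    if kind in ("O2", "O3", "O9"):                 # "BHO: name - {clsid} - path"
        _, _, body = rest.partition(": ")
        cm = CLSID_RE.match(body)
        if cm:
            return Entry(kind, cm["name"], cm["path"], cm["clsid"].upper(), line)
    elif kind == "O4":                             # "HKLM\..\Run: [name] command"
        om = O4_RE.match(rest)
        if om:
            return Entry(kind, om["name"], om["cmd"], om["key"], line)
    elif kind == "O16":                            # "DPF: {clsid} (name) - url"
        dm = O16_RE.match(rest)
        if dm:
            return Entry(kind, dm["name"] or "", dm["url"], dm["clsid"].upper(), line)
    elif kind == "O23":                            # "Service: name - vendor - path"
        _, _, body = rest.partition(": ")
        head, _, path = body.rpartition(" - ")
        name, sep, vendor = head.rpartition(" - ")
        if not sep:                                # "name - - path": vendor field is empty
            name, vendor = head.rstrip(" -"), ""
        return Entry(kind, name, path, vendor, line)
    return Entry(kind, "", rest, "", line)         # O12, O14 etc.: keep the raw text


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Conservative look-this-up rules; none of them is a malware verdict on its own."""
    findings = []
    for e in entries:
        if e.kind in ("O2", "O3", "O9") and e.name == "(no name)":
            findings.append((e, "no display name: identify the CLSID and the file"))
        if e.kind == "O2" and SYSTEM32_RE.match(e.target):
            findings.append((e, "BHO loaded straight from system32: verify the DLL"))
        if e.kind == "O4" and RUNDLL_RE.match(e.target):
            findings.append((e, "autorun loads a DLL through rundll32: verify the DLL"))
        if e.kind == "O23" and e.detail in ("", "Unknown owner"):
            findings.append((e, "service has no vendor string: verify the binary"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_log(HJT_LOG)):
        print(f"{entry.kind:<4}{entry.name!r:<50} -> {entry.target}\n      {reason}")
```

Every entry the rules flag in this sample belongs to a product that appears elsewhere in the same log, which is exactly why a flag only means "look it up": the check that separates a Vundo-style DLL from a vendor DLL is the file itself (signature, vendor, date), not the log line. Drop the full log into HJT_LOG and the same functions will handle it; R, O2, O3, O4, O9, O16 and O23 entries get fields, anything else is kept raw.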
Jan 28 2008, 08:09 PM, Post #29
sUBs, Group: HJT Team, Posts: 2,266, Joined: 19-May 05, Member No.: 20,675
QUOTE: Whilst running Combo Fix it also tried to change my Default Search engine settings (or something did).

How did you become aware of that?
Jan 28 2008, 08:19 PM, Post #30
Member, Group: Members, Posts: 26, Joined: 23-January 08, Member No.: 185,474
I noticed it in the system tray at the bottom right where the start-up programs have their icons. A white icon with a G for Google appeared and when I ran the mouse over the top of it, it said we have blocked an attempt to change your default search settings (or something very similar).

When ComboFix restarted that same icon was there again. It never usually is, and it's happened a couple of times using ComboFix and it happened once recently whilst using the computer normally. I can't say that I've seen this too many times whilst I've had this computer. Maybe never, but I wouldn't quite be sure it was never. I take it that it's part of the Google Toolbar Notifier process? Again I don't know if this is relevant but I thought I'd post it and let you decide that?

Benny