Jan 1 2008, 06:30 AM
Post #1
New Member, Group: Members, Posts: 11, Joined: 30-December 07, Member No.: 180,026
e.g. Trojan.kobcka.CB, C:\Temp\card.scr, 5_exception.nls

As well as recently installed (i.e. after infection) AV stuff (details follow soon) I have also run:
BitDefender - which found Trojan.kobcka.CB

I have installed:
ZoneAlarm ver = 7.0.462.000, Sec Eng = 7.0.462.000, Driver = 7.0.462.000
AVG AntiSpyware 7.5 last update 1/1/2008
AVG Free Edition DB = 269.17.12/1203
Spy Emergency 2007 Build = 4.0.355.0
SpyBot TeaTimer Spybot Resident 1.5.0.9

I start up the computer, without network cable.
I run AVG AS special scan in C:\Windows\Drivers - No sign of smtpdrv.sys
I insert network cable (with access to internet)
After about 1 minute: Run AVG AS special scan in C:\Windows\Drivers, get Worm.Agent.I in C:\Windows\System23\Drivers\smtpdrv.sys
I have quarantined this many times, but it keeps coming back! I use this as my test whether the malware has gone - it hasn't.
------------
This is followed (perhaps 1 minute later) by popup message
------------
Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
Error Report ...
Error Signature
szAppname : svchost.exe
szAppVer : 5.1.2600.2180
szModName : user32.dll
szModVer : 5.1.2600.3099
offset : 0000ccbe
================
This is followed after about 10 minutes by popup message:
----------------
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: C:\Program Files\Internet Explorer\IEXPLORE.EXE
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.
================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:09 a.m., on 2/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woosh.com/ContentClient/Home/Home.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/rdrmessage_CPDFO4_ENU
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [SetDefaultPrinter] c:\hp\bin\cloaker.exe c:\windows\system32\cmd.exe /c c:\hp\bin\defaultprinter\SetDefaultPrinter.cmd
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198455904937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198456523515
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spy Emergency Shield Service (SpyEmrgSrv) - NETGATE Technologies s.r.o. - C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergencySrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

--
End of file - 11050 bytes
Jan 10 2008, 05:19 AM
Post #2
Malware Assassin, Group: HJT Team, Posts: 13,611, Joined: 13-July 06, Member No.: 75,975
Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems. Apologies for the late response, as I'm sure you can appreciate we are absolutely snowed under with logs. If you still require help, please post a new Hijackthis log into your next reply.
Jan 10 2008, 01:17 PM
Post #3
New Member, Group: Members, Posts: 11, Joined: 30-December 07, Member No.: 180,026
Thank you; here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:16 a.m., on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woosh.com/ContentClient/Home/Home.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/rdrmessage_CPDFO4_ENU
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [SetDefaultPrinter] c:\hp\bin\cloaker.exe c:\windows\system32\cmd.exe /c c:\hp\bin\defaultprinter\SetDefaultPrinter.cmd
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198455904937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198456523515
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spy Emergency Shield Service (SpyEmrgSrv) - NETGATE Technologies s.r.o. - C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergencySrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

--
End of file - 10817 bytes
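The thread now holds two HijackThis logs from the same machine nine days apart, and the first thing an analyst does with such a pair is diff them: which processes and autostart entries appeared or vanished, and which services point at a binary that is no longer on disk. The Python below is an added example for this page, not code from the thread, from HijackThis or from Trend Micro; it parses the HJT log format (the "Running processes:" block followed by Rx/Ox entries) and reports the differences. LOG_A and LOG_B are short excerpts constructed from the two logs posted above.

```python
"""Parse HijackThis 2.x logs and diff two of them.

Added example for this thread: not code from the thread, from HijackThis
or from Trend Micro. LOG_A and LOG_B are excerpts constructed from the two
logs posted above (posts #1 and #3), trimmed to a handful of lines each.
"""
import re
from dataclasses import dataclass, field

# One entry per line: section code, " - ", entry text,
# e.g. "O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)  # "Running processes:" block
    entries: dict = field(default_factory=dict)    # section code -> entry texts


def parse_hjt(text):
    """Split a HijackThis log into running processes and per-section entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # first Rx/Ox line ends the process list
            log.entries.setdefault(m.group(1), []).append(m.group(2))
        elif in_processes:
            log.processes.append(line)
    return log


def diff_logs(old, new):
    """Processes and entries present in one log but not the other.

    Comparison is case-insensitive: HijackThis prints paths with whatever
    casing the registry or the process table happens to hold.
    """
    old_p = {p.lower() for p in old.processes}
    new_p = {p.lower() for p in new.processes}
    result = {
        "processes_added": sorted(new_p - old_p),
        "processes_removed": sorted(old_p - new_p),
        "entries_added": [],
        "entries_removed": [],
    }
    for code in sorted(set(old.entries) | set(new.entries)):
        o = {e.lower() for e in old.entries.get(code, [])}
        n = {e.lower() for e in new.entries.get(code, [])}
        result["entries_added"] += [f"{code} - {e}" for e in sorted(n - o)]
        result["entries_removed"] += [f"{code} - {e}" for e in sorted(o - n)]
    return result


def missing_file_services(log):
    """O23 services whose binary HijackThis could not find on disk."""
    return [e for e in log.entries.get("O23", []) if "(file missing)" in e]


# Constructed excerpt of the 2 Jan 2008 log (post #1).
LOG_A = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:09 a.m., on 2/01/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
"""

# Constructed excerpt of the 11 Jan 2008 log (post #3).
LOG_B = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:16 a.m., on 11/01/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
"""

if __name__ == "__main__":
    a, b = parse_hjt(LOG_A), parse_hjt(LOG_B)
    for key, items in diff_logs(a, b).items():
        print(key, items)
    print("file missing:", missing_file_services(b))
```

On the full logs from the thread the autostart sections match exactly and only the process list moves, which is what you would expect from two scans of a machine whose persistence had not changed; the one O23 entry flagged is the VSS service, a stock Windows component that HijackThis reports as "file missing" whenever its binary is not where the service path says.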
Jan 10 2008, 01:31 PM
Post #4
Malware Assassin, Group: HJT Team, Posts: 13,611, Joined: 13-July 06, Member No.: 75,975
Disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

Please disable Spybot S&D's protection, or it will interfere. You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there. If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/pc inoperable.
Now download Combofix by sUBs and save to your desktop:
Note
It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
Also post a new Hijackthis log please.
Jan 10 2008, 03:50 PM
Post #5
New Member, Group: Members, Posts: 11, Joined: 30-December 07, Member No.: 180,026
As this requires connecting to internet, I have created a dummy C:\Windows\System32\Drivers\smtpdrv.sys to stop me broadcasting spam to everyone and having me blocked from my email server as a compromised IP address.
It's trying to download Trojan Generic9.ANCM Disable Windows Defender's real-time protection,as it may interfere. * Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender. * Click on 'Tools'>'Options'. * Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box * Click 'Save'. Y QUOTE Please disable Spybot S&D’s protection,or it will interfere. You can enable it after you're clean. Open Spybot and click on 'Mode' and check 'Advanced Mode'. Y QUOTE Click on 'Tools' in bottom left hand corner. Y *** I also uncheck 'Resident' box here QUOTE Click on the 'System Startup' icon. Y This gives list of Registry/Startup/WinLogon startups QUOTE Uncheck 'Teatimer' box and/or uncheck 'Resident'. CANNOT DO - no such options. Running SpyBot - Search & Destroy 1.5.1.15 QUOTE Click the 'Allow Change' box. CANNOT DO - no such options. Running SpyBot - Search & Destroy 1.5.1.15 QUOTE Then, check next to the computer clock to see if the icon for Spybot is still there. If it is, right click it and choose 'exit Spybot-S&D Resident'. Also disable "Resident protection" here QUOTE Restart the computer. If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below: http://www.russelltexas.com/malware/teatimer.htm TeaTimer does not appear in Process List QUOTE Download SDFix.exe and save it to your desktop: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe * Double click on SDFix on your desktop,and install the fix to C:\ Y QUOTE Please then reboot your computer into Safe Mode by doing the following: * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; * Instead of Windows loading as normal, a menu with options should appear; * Select the first option, to run Windows in Safe Mode, then press "Enter". * Choose your usual account. 
Y QUOTE * In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script. * Type Y to begin the script. * It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * Your system will take longer that normal to restart as the fixtool will be running and removing files. * When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons. * Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply. report follows later QUOTE If you have previously downloaded ComboFix,please delete that version now. Warning You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert,not for private use. Using this tool incorrectly could render your system/pc inoperable. Now download Combofix by sUBs and save to your desktop: Note It is important that it is saved directly to your desktop UNABLE TO DO THIS! After many malware complaints on connecting to internet, computer tells me that due to RPC crashing, it has to shut itself down use USB memory stick to transfer stuff for some reason, unable to copy combofix from mem stick - running from J: ! QUOTE Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Computer restarted at this point. Is that usual? Now Find3M running on autorestart - usual? QUOTE Post the entire contents of C:\ComboFix.txt into your next reply. Note log follows QUOTE Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang. Do NOT post the ComboFix-quarantined-files.txt unless I ask. 
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
Also post a new Hijackthis log please.

All logs follow ...

================

SDFix: Version 1.125
Run by Compaq_Owner on Fri 11/01/2008 at 08:46 a.m.

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
smtpdrv

Path:
System32\DRIVERS\smtpdrv.sys

smtpdrv - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\*_exception.nls - Deleted
C:\WINDOWS\system32\drivers\smtpdrv.sys - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 08:54:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 20 Jul 2007 213 A.SHR --- "C:\BOOT.BAK"
Fri 6 Aug 2004 1,949,696 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\launcher.exe"
Fri 6 Aug 2004 53,760 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\mnyinsta.dll"
Sat 12 Jun 2004 94,208 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\RmvSuite.exe"
Sat 3 Jul 2004 35,328 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\setuplng.dll"
Sat 22 Nov 2003 20,480 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\unregwtr.exe"
Fri 9 Mar 2001 114,432 ...H. --- "C:\Program Files\Online Services\Xtra\UNINSTAL.EXE"
Mon 24 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 3 Jul 2007 333,032 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1d8773e3b9bba05290b442f31de09a2e\BIT18D.tmp"
Tue 3 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\BIT18E.tmp"
Tue 3 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cc8107fde988bba1481bb736cc96c29\BIT190.tmp"
Tue 3 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3e61eb2bda5dda528a8686f8905497f\BIT191.tmp"
Tue 3 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ee52836d5c671146809a1dc54498be1f\BIT192.tmp"
Tue 3 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT18F.tmp"

Finished!

==================

ComboFix 08-01-09.2 - Compaq_Owner 2008-01-11 9:27:30.1 - NTFSx86
Running from: J:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Starware337
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\723_button_1b_def.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\723_button_1b_over.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\726_button_1b_def.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Dating0.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Free_Credit_Score0.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Ringtones0.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\Related.xml
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\GCACRM7V\iforex.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\GCACRM7V\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Configurator\Configurator.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Configurator\Configurator.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Dating\DatingOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Dating\DatingOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Free_Credit_Score\Free_Credit_ScoreOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Free_Credit_Score\Free_Credit_ScoreOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Manager\ManagerOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Recipe_RSS\Recipe_RSSOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Recipe_RSS\Recipe_RSSOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Reference\ReferenceOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Ringtones\RingtonesOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Ringtones\RingtonesOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Search_Recipes\Search_RecipesOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Search_Recipes\Search_RecipesOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup
C:\WINDOWS\system32\drivers\Ltb86.sys
C:\WINDOWS\system32\drivers\Lve87.sys
C:\WINDOWS\system32\drivers\smtpdrv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_LTB86
-------\LEGACY_LVE87
-------\LEGACY_SMTPDRV
-------\Ltb86
-------\Lve87
-------\smtpdrv

((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-11 09:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 00:16 . 2008-01-02 00:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-01 17:49 . 2008-01-01 18:43 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-01 16:00 . 2008-01-01 16:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 16:00 . 2008-01-01 16:00 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-01 16:00 . 2008-01-01 16:00 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 16:00 . 2008-01-01 16:00 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-31 21:35 . 2007-12-31 21:35 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-31 21:30 . 2008-01-01 12:46 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\.housecall6.6
2007-12-31 15:08 . 2007-12-31 15:08 <DIR> d-------- C:\Program Files\NETGATE
2007-12-31 15:08 . 2007-12-31 15:10 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Spy Emergency
2007-12-31 15:08 . 2007-12-31 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NETGATE
2007-12-31 15:08 . 2007-09-24 09:47 14,392 --a------ C:\WINDOWS\system32\drivers\spyemrg_guard.sys
2007-12-31 15:08 . 2007-09-24 09:47 12,344 --a------ C:\WINDOWS\system32\drivers\spyemrg.sys
2007-12-31 13:46 . 2007-12-31 13:46 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-31 13:24 . 2007-12-31 13:24 3,632 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-29 22:47 . 2007-12-29 22:48 <DIR> d-------- C:\Security Task Manager
2007-12-29 11:47 . 2007-12-28 21:32 0 -ra------ C:\WINDOWS\system32\drivers\smtpdrv dummy.sys
2007-12-29 09:52 . 2007-12-29 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-29 09:51 . 2007-12-29 09:51 <DIR> d-------- C:\Program Files\Security Task Manager
2007-12-28 20:16 . 2007-12-28 21:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-28 16:52 . 2007-12-28 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 15:49 . 2007-12-28 15:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-28 13:39 . 2007-12-31 21:30 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-28 13:31 . 2007-12-31 21:28 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\HouseCall 6.6
2007-12-28 10:16 . 2007-01-19 01:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-25 06:02 . 2007-12-25 06:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-24 17:20 . 2007-12-26 14:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-24 17:19 . 2005-12-14 22:27 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-24 17:19 . 2005-12-14 22:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-24 16:17 . 2008-01-11 09:34 3,907,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-24 16:17 . 2008-01-11 09:32 46,844 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-24 16:15 . 2007-12-24 16:15 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2007-12-24 16:14 . 2007-12-24 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-24 16:14 . 2007-12-24 16:15 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-24 16:12 . 2008-01-11 09:04 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-24 15:40 . 2007-12-24 15:40 <DIR> d-------- C:\Program Files\MSBuild
2007-12-24 15:36 . 2007-12-24 15:36 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-24 15:36 . 2007-12-24 15:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-24 15:34 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-24 15:33 . 2007-12-24 15:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-24 15:32 . 2007-12-24 15:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-24 15:29 . 2007-12-24 15:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-24 15:29 . 2007-12-24 15:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-24 15:12 . 2006-11-13 19:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-24 15:12 . 2006-11-13 19:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-24 15:12 . 2006-11-13 19:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-24 14:52 . 2007-10-11 12:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-24 14:52 . 2007-07-01 16:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-24 14:52 . 2007-07-01 16:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-24 14:52 . 2007-10-11 12:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-24 14:52 . 2007-10-11 12:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-24 14:52 . 2007-10-11 12:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-24 14:52 . 2007-10-11 12:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-24 14:52 . 2007-10-11 12:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-24 14:52 . 2007-10-10 23:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-24 14:46 . 2007-12-24 14:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-24 14:43 . 2007-12-24 14:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-24 13:36 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-24 13:36 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-24 13:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-24 13:11 . 2008-01-01 16:45 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-24 12:54 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-24 12:54 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-24 12:54 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-24 12:54 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-19 20:11 . 2007-12-21 16:18 21,760 --a------ C:\WINDOWS\Lve87.sys
2007-12-19 19:59 . 2007-12-19 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-19 19:57 . 2007-12-19 19:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-17 21:52 . 2007-12-17 21:52 12,219,983 --------- C:\AVG7QT.DAT
2007-12-17 21:50 . 2007-12-17 21:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-17 21:50 . 2008-01-11 08:26 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2007-12-17 21:50 . 2007-12-29 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-17 21:35 . 2007-12-17 21:35 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-17 21:33 . 2007-12-31 13:21 <DIR> d-------- C:\Download
2007-12-17 21:28 . 2007-12-17 21:28 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Grisoft
2007-12-17 21:28 . 2007-12-17 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-17 21:28 . 2007-05-31 01:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 03:35 --------- d-----w C:\Program Files\Google
2008-01-01 03:31 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-12-17 08:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-17 08:10 --------- d-----w C:\Program Files\Symantec
2007-12-17 08:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-05 08:46 9,824 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-11-30 05:03 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2007-11-30 00:29 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-14 03:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-24 21:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-24 16:15 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-24 16:15 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 01:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 20:55 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 12:24 1694208]
"SpyEmergency"="C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe" [2007-12-06 08:35 2046520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 22:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-24 12:53 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-03 04:30 7110656]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 12:18 49152]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 00:00 455168]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 00:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 00:00 455168]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 00:00 59392]
"nwiz"="nwiz.exe" [2005-08-03 04:30 1519616 C:\WINDOWS\system32\nwiz.exe]
"SetDefaultPrinter"="c:\hp\bin\cloaker.exe" [1999-11-07 20:11 27136]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-14 22:07 180269]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-22 06:41 1605740]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-12-24 12:53 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ltb86.sys]
@="Driver"

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 00:52:44 C:\WINDOWS\Tasks\Easy Internet Sign-up.job" - C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
"2008-01-10 19:55:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-10 19:57:00 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 09:35:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 9:38:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 20:38:19
.
2007-12-28 08:21:20 --- E O F ---

==============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:34 a.m., on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\system32\verclsid.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woosh.com/ContentClient/Home/Home.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/rdrmessage_CPDFO4_ENU
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [SetDefaultPrinter] c:\hp\bin\cloaker.exe c:\windows\system32\cmd.exe /c c:\hp\bin\defaultprinter\SetDefaultPrinter.cmd
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe"
O4 - HKUS\S-1-5-21-4237704166-2739054237-2373788111-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4237704166-2739054237-2373788111-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-4237704166-2739054237-2373788111-1007\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - HKUS\S-1-5-21-4237704166-2739054237-2373788111-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4237704166-2739054237-2373788111-1007\..\Run: [SpyEmergency] "C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198455904937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198456523515
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Spy Emergency Shield Service (SpyEmrgSrv) - NETGATE Technologies s.r.o.
- C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergencySrv.exe O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing) O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing) O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing) O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing) O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing) O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing) O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing) O23 - Service: 
Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing) O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing) -- End of file - 15539 bytes |

Jan 10 2008, 05:01 PM
Post #6
Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Download ATF Cleaner by Atribune: http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here: http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware. Do not run it just yet.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE: If you would like to keep your saved passwords, please click 'No' at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE: If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.
SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.
It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

Run this online virus/spyware scan using Internet Explorer: Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.
If the above link doesn't work, try this: http://www.kaspersky.com/kos/english/kavwebscan.html

Also post a new Hijackthis log, let me know how your pc is running now.
--------------------
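As an added example (my own code, not HijackThis's and not from anyone in this thread), a small Python triage script that parses the O9, O16 and O23 entry formats from the log above and applies the two checks this reply rests on: the JRE version the browser plug-in paths point at, compared with the '6 update 3' asked for here (assumed to be version 1.6.0_03, matching the jre-6u3 installer name), and services listed with an unknown owner and a missing binary. The sample lines are copied from the log posted earlier; the function names are my own.

```python
"""HijackThis-style log triage (added example; not HijackThis's own code).
Parses the O9/O16/O23 entry formats used in the log above and applies the two checks
this reply rests on: which JRE the plug-ins point at, and which services are reported
with an unknown owner and a missing binary."""
import re

# Constructed sample: six lines copied from the log posted earlier in this thread.
SAMPLE_LOG = """\
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre1.5.0_05\\bin\\npjpi150_05.dll
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\\Program Files\\Bejeweled 2\\Images\\armhelper.ocx
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe (file missing)
O23 - Service: Themes - Unknown owner - C:\\WINDOWS\\System32\\svchost.exe (file missing)
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
SHORTNAME_RE = re.compile(r"\(([^()]+)\)\s*$")  # trailing "(ShortName)" of a display name
MISSING = " (file missing)"
REQUIRED_JRE = (1, 6, 0, 3)  # "JRE 6 update 3" from this reply, assumed to be 1.6.0_03


def parse_entries(text):
    """Parse O9/O16/O23 lines into dicts; other lines (headers, end marker) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        entry = {"kind": kind}
        if kind == "O23":
            # "Service: <display> - <owner> - <path>[ (file missing)]": split from the
            # right, because display names may themselves contain " - " (see WudfSvc).
            display, owner, path = body[len("Service: "):].rsplit(" - ", 2)
            sm = SHORTNAME_RE.search(display)
            entry.update(display=display, short=sm.group(1) if sm else display,
                         owner=owner, path=path.replace(MISSING, ""),
                         file_missing=path.endswith(MISSING))
        elif kind == "O9":  # "Extra ...: <label> - {CLSID} - <path>"
            label, clsid, path = body.rsplit(" - ", 2)
            entry.update(label=label, clsid=clsid, path=path)
        elif kind == "O16":  # "DPF: {CLSID} (<description>) - <url>"
            desc, url = body.rsplit(" - ", 1)
            entry.update(desc=desc, path=url)
        entries.append(entry)
    return entries


def jre_version(path):
    """Version tuple in a JRE plug-in path (jre1.5.0_05 -> (1, 5, 0, 5)), or None."""
    m = JRE_RE.search(path)
    return tuple(int(g) for g in m.groups()) if m else None


def outdated_java(entries, required=REQUIRED_JRE):
    """Distinct O9/O16 plug-in paths that point at a JRE older than `required`."""
    hits = {e["path"] for e in entries if e["kind"] in ("O9", "O16")
            and (v := jre_version(e["path"])) is not None and v < required}
    return sorted(hits)


def unknown_missing_services(entries):
    """O23 services with no recognised owner AND a missing binary. Caveat: the log above
    shows this for every built-in service on a running system, so cross-check first."""
    return [e["short"] for e in entries
            if e["kind"] == "O23" and e["owner"] == "Unknown owner" and e["file_missing"]]
```

Run it over a full log file by passing the file's contents instead of SAMPLE_LOG; third-party O23 entries (a named owner, a path outside the Windows directory) are the ones worth reading closely.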

Jan 10 2008, 06:26 PM
Post #7
New Member Group: Members Posts: 11 Joined: 30-December 07 Member No.: 180,026
We now have an unmodifiable system - unable to install or uninstall anything.
See embedded comments. I await further instructions.

QUOTE
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.

Yes (well, copied to CD on another computer)
Also 'Paste' doesn't work - even in Safe mode

QUOTE
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.

We have a problem - a pop up says
====
Add or Remove Programs
----
The Windows Installer Service could not be accessed. This can occur if you are running in safe mode [I'm not], or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
====
Up until this point, I have been able to install stuff. Is there something that's been done to stuff up Windows Installer?
BTW at startup there is a popup grumbling that Windows Defender doesn't start properly.

QUOTE
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

We have a problem - although previous versions not installed, I tried it anyway.
A pop up says
====
Add or Remove Programs
----
The Windows Installer Service could not be accessed. This can occur if you are running in safe mode [I'm not], or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
====

QUOTE
Download ATF Cleaner by Atribune: http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.
Download\install 'SuperAntiSpyware Home Edition Free Version' from here: http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Launch SuperAntiSpyware and click on 'Check for updates'.

We have a problem
A pop up says
====
Add or Remove Programs
----
The Windows Installer Service could not be accessed. This can occur if you are running in safe mode [I'm not], or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
====
******************************************
* Giving up at this point until received further advice
******************************************

QUOTE
Once the updates have been installed, exit SuperAntiSpyware. Do not run it just yet.
Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE: If you would like to keep your saved passwords, please click 'No' at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE: If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.
Now start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.
SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.
It's possible that the program will ask you to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Run this online virus/spyware scan using Internet Explorer: Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.
If the above link doesn't work, try this: http://www.kaspersky.com/kos/english/kavwebscan.html
Also post a new Hijackthis log, let me know how your pc is running now.

Jan 10 2008, 06:57 PM
Post #8
New Member Group: Members Posts: 11 Joined: 30-December 07 Member No.: 180,026
*SOMETHING* is going through the C: drive deleting files!
Every second there's a 'thrummm - tick' sound, and the free space on C: is slowly increasing. I have a feeling that the malware knows that something is up since those changes, and is systematically destroying this computer. TaskMgr also has exactly the same number of Page Faults Delta each time it displays statistics - around 1500.

Jan 10 2008, 07:00 PM
Post #9
New Member Group: Members Posts: 11 Joined: 30-December 07 Member No.: 180,026
Forgot to mention
- IE won't start at all - displays absolutely nothing,
- FireFox starts but can't find a network - No Network (or icons),
- no 'Quick Start' icons,
- Defender won't start (some message about dependent service not starting)

Jan 10 2008, 08:57 PM
Post #10
New Member Group: Members Posts: 11 Joined: 30-December 07 Member No.: 180,026
Time is running out on this one.
It's been nearly 2 hours since I mentioned massive problems arising after the last changes. If I had known that this would happen, I would have delayed it until after the weekend, because soon I'll have to resort to a re-install, as my friend says that he needs it back to do work with it (he's been without it since before Christmas). Please can anyone actively working on this reply ASAP.

Jan 11 2008, 04:55 AM
Post #11
Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975
QUOTE
It's been nearly 2 hours since I mentioned massive problems arising after last changes.

I do have to sleep now and then, I live in the UK.
Let me know whether you decided to reinstall XP or not, let me know what's happening please.
--------------------

Jan 11 2008, 04:55 AM
Post #12
New Member Group: Members Posts: 11 Joined: 30-December 07 Member No.: 180,026
Sorry - I'm pulling the plug on this one.
Going to back up the data and do a Windows Reinstall. Mind you, at least I'll put heaps of AV/AS protection on it before handing it back!

Jan 11 2008, 04:56 AM
Post #13
Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975
Ok,thanks for the update.
This thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else, please begin a New Topic.
--------------------