BleepingComputer.com: Hijack, Combofix, And Ccleaner Log To Review

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Hijack, Combofix, And Ccleaner Log To Review Hoping my computer is Malware, Virus Free...

#1 User is offline   infamouscaption 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 21-August 08

Posted 21 August 2008 - 02:12 PM

Hello,

Just want to add that is a wonderful site... if it wasn't for this place, I'd probably was just going to reformat my hard drive.

So a roommate of mine decided to look for a keygen for a nvidia program and ended up installing some sort of virus that had the following symptoms as this member:

http://www.bleepingcomputer.com/forums/topic162553.html

Quote

1. Computer time has changed to Military Time and "VIRUS ALERT!" shows up next to the time.
2. In the start tab I cannot see the program files fly out, control panel, run tab, ect.
3. On my computer I cannot see my C:/ drive.
4. Various spyware and virus alerts popping up all the time.
5. Computer trys to access various web pages automatically
6. Desktop picture changed to red screen with text "Your Privacy is in Danger - Download privacy protection software now"
7. New icons installed on desktop for "privacy protector" , "error cleaner" and "spyware and malware protection"
8. When doing an cntl-alt-delete it says this has been disabled by the administrator



So I continued reading the thread, and followed Simon's instructions and I'm hoping everything is back to normal. Can anyone let me know if there's more I have to do?

Here's the following logs from ComboFix, Hijack, CCleaner Uninstall List:


ComboFix 08-08-19.06 - Erljames 2008-08-21 13:49:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069 [GMT -4:00]
Running from: C:\Documents and Settings\Erljames\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Erljames\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\vav.cpl

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-21 13:34 . 2008-08-21 13:34 <DIR> d-------- C:\Program Files\CCleaner
2008-08-21 12:04 . 2008-08-21 12:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-21 11:45 . 2008-08-21 11:45 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-21 01:43 . 2008-08-21 01:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-21 01:42 . 2008-08-21 01:43 <DIR> d-------- C:\Documents and Settings\Erljames\.housecall6.6
2008-08-20 20:38 . 2008-08-20 20:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 20:25 . 2008-08-20 20:25 1,812 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-20 20:24 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-20 20:24 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-20 20:24 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-20 20:24 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-20 20:24 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-20 20:24 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-20 20:24 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-20 20:24 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-20 20:24 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-20 20:06 . 2008-08-20 20:06 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-20 19:34 . 2008-08-20 19:34 <DIR> d-------- C:\Program Files\Sonic
2008-08-20 19:34 . 2008-08-20 19:34 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-08-20 19:34 . 2008-08-20 19:34 59 --a------ C:\WINDOWS\WININIT.INI
2008-08-20 19:06 . 2008-08-20 19:06 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-08-20 19:06 . 2008-08-20 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-08-20 19:06 . 2004-10-11 11:28 671,744 --a------ C:\WINDOWS\system32\DolbyHph.dll
2008-08-20 19:06 . 2004-11-12 16:01 60,416 --a------ C:\WINDOWS\system32\DSETUP.dll
2008-08-20 19:06 . 2004-12-13 09:44 14,848 --a------ C:\WINDOWS\system32\drivers\nvndis.sys
2008-08-20 19:06 . 2004-10-11 11:28 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-08-20 18:20 . 2008-08-20 18:20 <DIR> d-------- C:\Program Files\VideoLAN
2008-08-20 18:20 . 2008-08-20 18:20 <DIR> d-------- C:\Documents and Settings\Erljames\Application Data\vlc
2008-08-20 18:11 . 2008-08-20 18:11 <DIR> d-------- C:\divx
2008-08-20 17:57 . 2008-08-20 17:57 <DIR> d-------- C:\WINDOWS\Sun
2008-08-20 17:49 . 2007-09-17 08:07 135,089 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-08-20 17:42 . 2008-08-20 17:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-08-20 17:13 . 2008-08-20 17:13 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-20 17:13 . 2008-08-20 17:13 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-20 17:13 . 2008-08-20 17:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-20 17:13 . 2008-08-20 17:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-20 17:11 . 2008-08-20 17:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-20 16:42 . 2008-08-20 16:42 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-20 16:34 . 2008-08-20 16:34 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-20 16:31 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-20 16:24 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-20 15:54 . 2008-08-20 19:17 <DIR> d-------- C:\Documents and Settings\Erljames\Application Data\Yahoo!
2008-08-20 15:54 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-20 15:54 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-20 15:53 . 2008-06-23 12:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-20 15:53 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-20 15:53 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-20 15:53 . 2008-06-23 12:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-20 15:53 . 2008-06-23 12:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-20 15:53 . 2008-06-23 12:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-20 15:53 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-20 15:53 . 2008-06-23 12:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-20 15:53 . 2008-06-23 12:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-20 15:53 . 2008-06-23 05:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-20 15:52 . 2008-08-20 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-20 15:52 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-20 15:51 . 2008-08-20 16:00 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-20 15:49 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-20 15:49 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-20 15:49 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-25 04:36 . 2008-07-25 04:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 04:36 . 2008-07-25 04:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-23 17:40 . 2008-07-23 17:40 0 --a------ C:\WINDOWS\OpPrintServer.INI
2008-07-23 17:30 . 2008-07-23 17:42 <DIR> d-------- C:\Program Files\Canon
2008-07-23 12:50 . 2008-07-23 12:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 12:48 . 2008-07-23 12:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 12:48 . 2008-07-23 12:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 12:47 . 2008-07-23 12:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 12:47 . 2008-07-23 12:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 12:46 . 2008-07-23 12:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 16:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-21 02:24 --------- d-----w C:\Documents and Settings\Erljames\Application Data\U3
2008-08-21 01:15 --------- d-----w C:\Program Files\Lavasoft
2008-08-21 01:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 01:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 22:29 --------- d-----w C:\Program Files\Winamp
2008-08-20 22:02 --------- d-----w C:\Program Files\DivX
2008-08-20 21:42 --------- d-----w C:\Program Files\Common Files\Real
2008-08-20 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-09-28 19:00 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 08:07 8491008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-06-15 01:40 124656]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-20 17:42 185896]
"CTHelper"="CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\UB-VPN\vpngui.exe [2007-08-27 14:40:17 1528880]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 02:01:00 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Erljames^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Erljames\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-20 17:42 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 Si3124;Si3124;C:\WINDOWS\system32\drivers\Si3124.sys [2007-08-09 11:32]
R0 Si3531;Si3531;C:\WINDOWS\system32\drivers\Si3531.sys [2007-08-09 11:32]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 08:36]

*Newly Created Service* - CATCHME
*Newly Created Service* - DMADMIN
*Newly Created Service* - NTMSSVC
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{48776EE4-6AEA-4121-A341-559129C4A0DE} - C:\WINDOWS\twmxbsqrobw.dll
BHO-{F73DBD9E-5F1B-4BCA-8604-A911DCE08B37} - C:\WINDOWS\system32\fayo.dll
Toolbar-{C091867D-17C0-4855-B6E5-797649ED7A9A} - C:\WINDOWS\rafbsvnx.dll
HKCU-Run-\SUE23.exe - C:\Windows\SUE23.exe
HKCU-Run-\SUE24.exe - C:\Windows\SUE24.exe
HKCU-Run-\SUE25.exe - C:\Windows\SUE25.exe
HKCU-Run-\SUE26.exe - C:\Windows\SUE26.exe
HKCU-Run-\SUE27.exe - C:\Windows\SUE27.exe
HKLM-Run-\SUE23.exe - C:\Windows\SUE23.exe
HKLM-Run-\SUE24.exe - C:\Windows\SUE24.exe
HKLM-Run-\SUE25.exe - C:\Windows\SUE25.exe
HKLM-Run-\SUE26.exe - C:\Windows\SUE26.exe
HKLM-Run-\SUE27.exe - C:\Windows\SUE27.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Erljames\Application Data\Mozilla\Firefox\Profiles\709gmimy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - myub.buffalo.edu
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 13:55:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\SUE23.exe"="C:\\Windows\\SUE23.exe"
"\\SUE24.exe"="C:\\Windows\\SUE24.exe"
"\\SUE25.exe"="C:\\Windows\\SUE25.exe"
"\\SUE26.exe"="C:\\Windows\\SUE26.exe"
"\\SUE27.exe"="C:\\Windows\\SUE27.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\SUE23.exe"="C:\\Windows\\SUE23.exe"
"\\SUE24.exe"="C:\\Windows\\SUE24.exe"
"\\SUE25.exe"="C:\\Windows\\SUE25.exe"
"\\SUE26.exe"="C:\\Windows\\SUE26.exe"
"\\SUE27.exe"="C:\\Windows\\SUE27.exe"
.
Completion time: 2008-08-21 14:04:49
ComboFix-quarantined-files.txt 2008-08-21 18:04:19

Pre-Run: 178,156,179,456 bytes free
Post-Run: 178,365,579,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

234 --- E O F --- 2008-08-20 21:25:07

This post has been edited by infamouscaption: 21 August 2008 - 02:16 PM

#2 User is offline   infamouscaption 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 21-August 08

Posted 21 August 2008 - 02:13 PM

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:7PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\UB-VPN\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188316236468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1219265534562
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 7951 bytes


CCleaner Uninstall Log:



Ad-Aware
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CCleaner (remove only)
Civilization III Complete Edition
Conexant D850 56K V.9x DFVc Modem
Creative Audio Console
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Final Draft 7
FLV Player 1.3.3
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Intel® PRO Network Connections Drivers
iTunes
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
Kodak EasyShare software
LiveUpdate 3.0 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Enterprise 2007
Microsoft Windows Journal Viewer
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (2.0.0.16)
Mozilla Thunderbird (2.0.0.5)
MSXML 4.0 SP2 (KB936181)
NVIDIA Drivers
NVIDIA DVD Decoder
PuTTY version 0.57
QuickTime
RealPlayer
Rhapsody Player Engine
Sonic CinePlayer DVD Pack
Speech
Symantec Client Security
VideoLAN VLC media player 0.8.6h
VPN Client
Winamp (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
XviD MPEG-4 Video Codec
Yahoo! Messenger

#3 User is offline   Shaba 

  • Koutsi
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 7,310
  • Joined: 08-July 06
  • Gender:Male
  • Location:Finland

Posted 07 September 2008 - 05:21 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please see here for instructions
how to install HijackThis and make a logfile. Save it into convenient location and include it to your next reply, please.

Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post back with HijackThis log and Kaspersky report.

Regards
Microsoft MVP Consumer Security
Posted Image

Posted Image

#4 User is offline   Shaba 

  • Koutsi
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 7,310
  • Joined: 08-July 06
  • Gender:Male
  • Location:Finland

Posted 13 September 2008 - 05:33 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security
Posted Image

Posted Image

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users