
Worm Infection?


  • This topic is locked
4 replies to this topic

#1 Clue1ess

Clue1ess

  • Members
  • 3 posts
  • OFFLINE
  • Location:England
  • Local time:02:55 PM

Posted 23 July 2007 - 07:23 PM

Hi, I recently opened a .exe which attempted to add four entries of "Microsoft Update Machine" in startup; I blocked them with Spy Sweeper shield. Setup.exe also acted as a server. I restarted my computer, cleaned my temp files and did a full system scan with Kaspersky Anti-Virus Personal 5.0 and Spy Sweeper, which both found nothing. I don't know anything about worms so I'm worried it's still on my system.

Logfile of HijackThis v1.99.1
Scan saved at 01:11:22, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] "C:\WINDOWS\system32\JMRaidSetup.exe" boot
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182543556625
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Uninstall List
---
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
Azureus Vuze
Blaze Media Pro
BroadJump Client Foundation
CCleaner (remove only)
ConvertXtoDVD 2.2.3.258
DeathAdder™ Mouse
FEARCombat
FireTune
Fraps (remove only)
Gigabyte Raid Configurer
High Definition Audio Driver Package - KB888111
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Java™ SE Runtime Environment 6 Update 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.4)
Mozilla Firefox (2.0.0.5)
NVIDIA Drivers
Q3E Minimizer v1.51
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB939373)
SmartFTP Client
Steam
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
VideoLAN VLC media player 0.8.6c
VSO CopyToDVD 4
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Wolfenstein - Enemy Territory
Xfire (remove only)
ZoneAlarm Security Suite



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:55 AM

Posted 27 July 2007 - 10:26 PM

Hello Clue1ess,

full system scan with Kaspersky Anti-Virus Personal 5.0


I don't see Kaspersky Anti-Virus Personal 5.0 installed and running on your computer or in your installed programs. :thumbsup: Did you uninstall it or disable it?

This is somewhat suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
    Java SE Runtime Environment 6 Update 1

    also uninstall Mozilla Firefox (2.0.0.4)
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


*******************************************

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\ALCMTR.EXE

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.

NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to the Desktop.
Note: It is important you download it to the Desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
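An added example, not part of this thread and not code from HijackThis or its author: a small Python triage helper for the kind of log review the reply above performs. It parses HijackThis entry lines, flags entries HijackThis printed with "(no file)" (the registry still references a BHO, toolbar or hook whose file is gone, such as the Ask Toolbar BHO and O3 toolbar entries fixed above), lists O4 autoruns whose command is a bare file name with no path (the log does not show where the binary lives, so it should be checked on disk before being judged), and diffs the first log against a fresh one so you can confirm the fixed entries are really gone and see what appeared in the meantime. The sample lines are copied from the two logs posted in this thread; the function names and the "(no file)" test are this example's own.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the two logs in this thread: the first log, and the
# fresh one posted after the three entries were fixed and Java was updated.
BEFORE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

AFTER_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
"""

# "<section> - <body>" for every entry line; anything else (headers, the process
# list, blanks) is not an entry.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 body: "<hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # "R3", "O2", "O4", "O23", ...
    body: str     # everything after "<section> - "
    target: str   # O4: the command; otherwise the last " - " field ("(no file)" for orphans)

    @property
    def line(self):
        return f"{self.section} - {self.body}"


def parse_entry(line):
    """Return an Entry for a HijackThis entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        o4 = O4_RE.match(body)
        target = o4.group("command") if o4 else body
    else:
        target = body.rsplit(" - ", 1)[-1]
    return Entry(section, body, target)


def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def orphaned_entries(entries):
    """Entries whose referenced file no longer exists: leftovers, and the first
    candidates for HijackThis's 'fix' (as in the reply above)."""
    return [e for e in entries if e.target == "(no file)"]


def executable_of(command):
    """First token of an autorun command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def bare_autoruns(entries):
    """O4 entries run by bare file name: Windows resolves them through the search
    path, so the log alone does not tell you which binary actually runs."""
    return [e for e in entries
            if e.section == "O4" and not re.search(r"[\\/]", executable_of(e.target))]


def diff_logs(before_text, after_text):
    """(removed, added) entry lines between an earlier and a fresh log."""
    before = [e.line for e in parse_log(before_text)]
    after = [e.line for e in parse_log(after_text)]
    removed = [l for l in before if l not in set(after)]
    added = [l for l in after if l not in set(before)]
    return removed, added


if __name__ == "__main__":
    for e in orphaned_entries(parse_log(BEFORE_LOG)):
        print("orphan :", e.line)
    for e in bare_autoruns(parse_log(BEFORE_LOG)):
        print("bare   :", e.line)
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *removed, sep="\n  ")
    print("added  :", *added, sep="\n  ")
```

Run against the two logs in this thread, the diff shows the three fixed entries and the old Java 6u1 BHO path gone, and the Java 6u2 BHO, a ZoneAlarm RunOnce entry and the Webroot service newly present; the Yahoo! Toolbar URLSearchHook "(no file)" entry survives both logs because the reply did not ask for it to be fixed.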

#3 Clue1ess

Clue1ess
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Location:England
  • Local time:02:55 PM

Posted 02 August 2007 - 05:19 PM

Hi, sorry I didn't reply sooner; I've just got back from a camping trip.

A one-month licence key for Kaspersky AV 5.0 was included with my motherboard; that expired before I created the HJT logs. I now use the latest version of ZoneAlarm INTERNET SECURITY SUITE (registered). It uses the Kaspersky Anti-Virus 6 engine and updates.

I've completed all your instructions; here are the logs you asked for.


1) I did a full system scan with ZoneAlarm security suite's anti-virus and anti-spyware, they found 0 active items.


2) Updated Java

3) Successfully fixed the three HJT entries

4) OTMoveIt Results

C:\WINDOWS\ALCMTR.EXE moved successfully.

Created on 08/02/2007 22:19:04

5) Cleaned temp files

6) ComboFix Results

ComboFix 07-07-30.2 - "Administrator" 2007-08-02 22:27:14.1 [GMT 1:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point

ADS removed - svchost.exe: deleted 68 bytes in 1 streams.
ADS removed - ntoskrnl.exe: deleted 228 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\Desktop.\internet explorer.lnk
C:\WINDOWS\OPTIONS\CABS\_desktop.ini
C:\WINDOWS\system32\setup.exe.tmp


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-02 22:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 20:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MailFrontier
2007-08-02 20:14 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-02 20:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-02 20:14 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-02 20:14 186,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-02 20:14 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-08-02 20:14 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-02 20:14 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-01 18:28 <DIR> d-------- C:\Program Files\Webroot
2007-08-01 18:28 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-08-01 18:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-08-01 18:27 57,344 --a------ C:\WINDOWS\Unwash6.exe
2007-08-01 18:27 486,400 --a------ C:\WINDOWS\system32\wwSecure.exe
2007-08-01 14:26 <DIR> d-------- C:\Program Files\Warsow
2007-07-31 16:13 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-23 18:00 512 --a------ C:\ScanSectorLog.dat
2007-07-22 23:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-22 22:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
2007-07-22 22:04 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-22 21:46 <DIR> d-------- C:\Program Files\Blaze Media Pro
2007-07-22 21:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-07-22 21:41 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-22 21:40 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-22 20:03 <DIR> d-------- C:\Fraps
2007-07-22 19:18 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-18 16:33 22,144 --a------ C:\WINDOWS\system32\drivers\dadder.sys
2007-07-18 16:33 162,900 --------- C:\WINDOWS\system32\drivers\USBICP.sys
2007-07-18 16:33 <DIR> d-------- C:\Program Files\Razer
2007-07-12 08:06 81,920 --a------ C:\WINDOWS\system32\frapsvid.dll
2007-07-11 22:14 <DIR> d-------- C:\Program Files\Wolfenstein - Enemy Territory
2007-07-09 22:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-09 21:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-07-05 22:35 164 --a------ C:\install.dat
2007-07-03 18:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
2007-07-03 17:44 87,608 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\inst.exe
2007-07-03 17:44 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-07-03 17:44 47,360 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\pcouffin.sys
2007-07-03 17:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Vso
2007-07-03 17:43 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2007-07-03 17:43 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2007-07-03 17:43 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2007-07-03 17:43 <DIR> d-------- C:\Program Files\VSO
2007-07-03 17:43 <DIR> d-------- C:\Program Files\Common Files\Download Manager


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 21:25 3752 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-02 20:14 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-02 19:59 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Xfire
2007-08-02 19:48 --------- d---s---- C:\Program Files\Xfire
2007-08-02 14:41 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Azureus
2007-07-29 01:03 1428 --a------ C:\WINDOWS\mozver.dat
2007-07-25 03:31 --------- d-------- C:\Program Files\ntl
2007-07-22 20:13 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-22 19:19 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-18 16:32 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-15 17:27 --------- d-------- C:\Program Files\Steam
2007-07-11 16:23 --------- d-------- C:\Program Files\Common Files\LightScribe
2007-06-27 18:32 --------- d-------- C:\Program Files\SmartFTP Client
2007-06-27 18:32 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SmartFTP
2007-06-27 15:01 15600 --a------ C:\WINDOWS\gdrv.sys
2007-06-25 19:32 --------- d-------- C:\Program Files\Azureus
2007-06-22 20:57 --------- d-------- C:\Program Files\Messenger
2007-06-21 20:27 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-06-21 10:00 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-21 09:56 --------- d-------- C:\Program Files\Sierra
2007-06-21 05:32 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-21 01:55 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-06-21 01:35 --------- d-------- C:\Program Files\CCleaner
2007-06-21 01:26 --------- d-------- C:\Program Files\Q3E Minimizer v1.51
2007-06-20 23:47 --------- d-------- C:\Program Files\FireTune
2007-06-20 23:42 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-20 22:57 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-20 22:34 --------- d-------- C:\Program Files\Realtek
2007-06-20 22:31 --------- d-------- C:\Program Files\Common Files\Motive
2007-06-20 22:26 --------- d-------- C:\Program Files\BroadJump
2007-06-20 22:16 315392 --a------ C:\WINDOWS\HideWin.exe
2007-06-20 22:16 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-06-20 22:14 --------- d-------- C:\Program Files\Intel
2007-06-20 22:07 0 -rahs---- C:\MSDOS.SYS
2007-06-20 22:07 0 -rahs---- C:\IO.SYS
2007-06-20 22:07 0 --a------ C:\CONFIG.SYS
2007-06-20 22:07 0 --a------ C:\AUTOEXEC.BAT
2007-06-20 22:07 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-20 22:05 --------- d-------- C:\Program Files\Movie Maker
2007-06-20 22:05 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-06-20 22:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-06-20 22:04 --------- d-------- C:\Program Files\Windows NT
2007-06-20 22:04 --------- d-------- C:\Program Files\Online Services
2007-06-20 22:04 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 07:49 C:\WINDOWS\RTHDCPL.exe]
"workflow"="D:\installs\workflow.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16]
"nwiz"="nwiz.exe" [2007-04-20 06:05 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RunDLL32.exe" [2006-02-28 13:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"DeathAdder"="C:\Program Files\Razer\DeathAdder\razerhid.exe" [2006-12-06 22:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-29 18:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"srePostpone"=rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R2 IISADMIN;IIS Admin;C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R3 DAdderFltr;DeathAdder Mouse;C:\WINDOWS\system32\drivers\dadder.sys
R3 pcouffin;VSO Software pcouffin;C:\WINDOWS\system32\Drivers\pcouffin.sys
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
S3 gdrv;gdrv;\??\C:\WINDOWS\gdrv.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 22:28:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 22:30:20
C:\ComboFix-quarantined-files.txt ... 2007-08-02 22:29

--- E O F ---


7) Fresh HJT log

Logfile of HijackThis v1.99.1
Scan saved at 23:06:34, on 02/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182543556625
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
___
Uninstall list

Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
Azureus Vuze
Blaze Media Pro
BroadJump Client Foundation
CCleaner (remove only)
ConvertXtoDVD 2.2.3.258
DeathAdder™ Mouse
FEARCombat
Fraps (remove only)
Gigabyte Raid Configurer
High Definition Audio Driver Package - KB888111
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Java™ 6 Update 2
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.6)
NVIDIA Drivers
Q3E Minimizer v1.51
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB939373)
SmartFTP Client
Steam
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
VideoLAN VLC media player 0.8.6c
VSO CopyToDVD 4
Window Washer
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Wolfenstein - Enemy Territory
Xfire (remove only)
ZoneAlarm Security Suite

ComboFix deleted my desktop shortcut for Internet Explorer and created a new one.

Thx for the help

#4 SifuMike
Posted 02 August 2007 - 05:57 PM

Hello Clue1ess,

ComboFix deleted my desktop shortcut for Internet Explorer and created a new one.


C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk is not a valid shortcut

The original/legit IE shortcut is not an LNK file. Malware has been known to delete the original & replace it with a dupe which in actuality is a shortcut to an infected webpage which will load tons of malware onto the computer.

To restore the original IE shortcut, go to Control Panel > Display > Desktop > Customize Desktop
Under the General tab, ensure "Internet Explorer" is ticked & then click OK to exit


Your log looks clean! :thumbsup: Good job on the cleanup!

Please read and follow How did I get infected?, with steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 02 August 2007 - 05:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
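The check SifuMike describes above (a desktop "Internet Explorer" shortcut that is really a .lnk or .url file pointing at a web page) can be scripted for triage. The PowerShell below is an added example, not from this thread or from any tool mentioned in it; it assumes the current user's Desktop folder and the WScript.Shell COM object (Windows Script Host) for resolving .lnk targets.

```powershell
# Added example: list desktop shortcuts named like "Internet Explorer" and
# report where each one actually points. Per the post above, the genuine IE
# desktop icon is not an .lnk file, so any such file deserves a closer look.
function Get-SuspiciousIEShortcut {
    param(
        # Assumption: scan the current user's Desktop unless told otherwise
        [string]$Folder = [Environment]::GetFolderPath('Desktop')
    )
    $shell = New-Object -ComObject WScript.Shell

    # The trailing \* is needed for -Include to filter without -Recurse
    Get-ChildItem -Path "$Folder\*" -Include *.lnk, *.url |
        Where-Object { $_.BaseName -match 'internet\s*explorer' } |
        ForEach-Object {
            $shortcutArgs = ''
            if ($_.Extension -ieq '.lnk') {
                # Resolve the .lnk target through Windows Script Host
                $sc           = $shell.CreateShortcut($_.FullName)
                $target       = $sc.TargetPath
                $shortcutArgs = $sc.Arguments
            } else {
                # .url files are INI text; the URL= line is the target
                $m      = Select-String -Path $_.FullName -Pattern '^URL=(.*)$' |
                          Select-Object -First 1
                $target = if ($m) { $m.Matches[0].Groups[1].Value } else { '<no URL= line>' }
            }

            # Flag anything that opens a web address directly or hands a URL
            # to the real browser as an argument (the "infected webpage" case)
            $isUrl = ($target -match '^\s*https?://') -or ($shortcutArgs -match 'https?://')

            [pscustomobject]@{
                File       = $_.Name
                Target     = $target
                Arguments  = $shortcutArgs
                Suspicious = $isUrl
            }
        }
}

Get-SuspiciousIEShortcut | Format-Table -AutoSize
```

A shortcut whose Target is iexplore.exe with no URL argument is the expected benign case; a Suspicious = True row is what the post warns about and should be compared against the Customize Desktop fix described above.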

#5 SifuMike
Posted 08 August 2007 - 09:22 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.