Systemdoctor2006

This topic is locked. 6 replies to this topic.

#1 compumoose (Members, 3 posts)

Posted 26 July 2007 - 08:40 PM

Hi

I think I have been infected by System Doctor 2006. I tried everything requested to remove the malware. Please let me know if there is anything else I need to do.

ty

compumoose

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:01 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185373965984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185397986218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 5242 bytes

#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 26 July 2007 - 11:22 PM

Hello compumoose,


NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by SifuMike, 26 July 2007 - 11:26 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 compumoose (Topic Starter, Members, 3 posts)

Posted 27 July 2007 - 10:26 AM

Please find the ComboFix log and a fresh HijackThis log.

Thanks for your help

compumoose

"Administrator" - 2007-07-27 11:13:54 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-27 10:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 20:47 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-26 19:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 19:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-26 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-26 19:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 18:18 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-07-26 10:25 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-25 17:07 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2007-07-25 17:05 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-25 17:05 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-07-25 17:02 <DIR> dr-h----- C:\MSOCache
2007-07-25 16:52 <DIR> d-------- C:\Program Files\PokerStars
2007-07-25 16:49 <DIR> d--hs---- C:\RECYCLER
2007-07-25 16:40 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-25 16:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-07-25 11:40 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-07-25 11:38 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-25 11:38 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-25 11:38 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-25 11:38 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-25 11:38 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-25 11:38 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-07-25 11:37 <DIR> d-------- C:\Program Files\McAfee.com
2007-07-25 11:37 <DIR> d-------- C:\Program Files\McAfee
2007-07-25 11:37 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-07-25 11:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-25 11:01 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-25 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-25 10:29 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-25 10:29 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-25 10:22 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-25 10:22 <DIR> d--hs---- C:\DOCUME~1\ADMINI~1\UserData
2007-07-25 10:22 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-25 10:20 654,508 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2007-07-25 10:20 46,592 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-07-25 10:20 208,896 --------- C:\WINDOWS\alcupd.exe
2007-07-25 10:20 135,168 --------- C:\WINDOWS\alcrmv.exe
2007-07-25 10:20 <DIR> d-------- C:\Program Files\AvRack
2007-07-25 10:20 <DIR> d-------- C:\Program Files\Avance Sound Manager
2007-07-25 10:18 151,552 --a------ C:\WINDOWS\system32\igfxres.dll
2007-07-25 10:15 91,678 --a------ C:\WINDOWS\system32\drivers\ialmsbw.sys
2007-07-25 10:15 86,073 --a------ C:\WINDOWS\system32\iAlmCoIn_0_v6.dll
2007-07-25 10:15 86,016 --a------ C:\WINDOWS\system32\igfxdo.dll
2007-07-25 10:15 81,979 --a------ C:\WINDOWS\system32\ialmrem.dll
2007-07-25 10:15 79,323 --a------ C:\WINDOWS\system32\drivers\ialmnt5.sys
2007-07-25 10:15 77,372 --a------ C:\WINDOWS\system32\ialmdnt5.dll
2007-07-25 10:15 71,514 --a------ C:\WINDOWS\system32\drivers\ialmkchw.sys
2007-07-25 10:15 533,570 --a------ C:\WINDOWS\system32\ialmdd5.dll
2007-07-25 10:15 503,808 --a------ C:\WINDOWS\system32\igfxress.dll
2007-07-25 10:15 495,616 --a------ C:\WINDOWS\system32\igfxcfg.exe
2007-07-25 10:15 45,056 --a------ C:\WINDOWS\system32\igfxdgps.dll
2007-07-25 10:15 34,367 --a------ C:\WINDOWS\system32\ialmrnt5.dll
2007-07-25 10:15 32,823 --a------ C:\WINDOWS\system32\drivers\a310.sys
2007-07-25 10:15 315,392 --a------ C:\WINDOWS\system32\igfxsrvc.dll
2007-07-25 10:15 30,263 --a------ C:\WINDOWS\system32\drivers\a311.sys
2007-07-25 10:15 266,240 --a------ C:\WINDOWS\system32\shpshftr.dll
2007-07-25 10:15 26,679 --a------ C:\WINDOWS\system32\drivers\wa301b.sys
2007-07-25 10:15 26,679 --a------ C:\WINDOWS\system32\drivers\wa301a.sys
2007-07-25 10:15 26,167 --a------ C:\WINDOWS\system32\drivers\a303.sys
2007-07-25 10:15 25,655 --a------ C:\WINDOWS\system32\drivers\a304.sys
2007-07-25 10:15 25,143 --a------ C:\WINDOWS\system32\drivers\a309.sys
2007-07-25 10:15 221,184 --a------ C:\WINDOWS\system32\igfxeud.dll
2007-07-25 10:15 204,800 --a------ C:\WINDOWS\system32\igfxpph.dll
2007-07-25 10:15 20,023 --a------ C:\WINDOWS\system32\drivers\a307.sys
2007-07-25 10:15 20,021 --a------ C:\WINDOWS\system32\drivers\vch.sys
2007-07-25 10:15 184,320 --a------ C:\WINDOWS\system32\ialmgdev.dll
2007-07-25 10:15 163,067 --a------ C:\WINDOWS\system32\ialmdev5.dll
2007-07-25 10:15 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-07-25 10:15 151,552 --a------ C:\WINDOWS\system32\igfxdiag.exe
2007-07-25 10:15 15,927 --a------ C:\WINDOWS\system32\drivers\a306.sys
2007-07-25 10:15 147,456 --a------ C:\WINDOWS\system32\igfxdev.dll
2007-07-25 10:15 118,784 --a------ C:\WINDOWS\system32\igfxhk.dll
2007-07-25 10:15 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-07-25 10:15 114,688 --a------ C:\WINDOWS\system32\hccutils.dll
2007-07-25 10:15 11,319 --a------ C:\WINDOWS\system32\drivers\a305.sys
2007-07-25 10:15 10,295 --a------ C:\WINDOWS\system32\drivers\a312.sys
2007-07-25 10:15 10,295 --a------ C:\WINDOWS\system32\drivers\a308.sys
2007-07-25 10:15 10,295 --a------ C:\WINDOWS\system32\drivers\a302.sys
2007-07-25 10:15 1,859,584 --a------ C:\WINDOWS\system32\ialmgicd.dll
2007-07-25 10:15 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-07-25 10:15 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-07-25 10:15 <DIR> d-------- C:\WINDOWS\Drivers
2007-07-25 10:15 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-07-25 10:12 2,097,152 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-25 10:12 1,310,720 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-07-25 10:12 1,310,720 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-07-25 10:12 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-07-25 10:12 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-25 10:04 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-07-25 10:04 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-07-25 10:03 225,280 ---h----- C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-07-25 10:03 0 -rahs---- C:\MSDOS.SYS
2007-07-25 10:03 0 -rahs---- C:\IO.SYS
2007-07-25 10:03 0 --a------ C:\CONFIG.SYS
2007-07-25 10:03 0 --a------ C:\AUTOEXEC.BAT
2007-07-25 10:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-25 10:02 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2007-07-25 10:01 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-07-25 10:01 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-09-09 00:18]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-09-09 00:05]
"SoundMan"="SOUNDMAN.EXE" [2002-06-26 18:00 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys


Contents of the 'Scheduled Tasks' folder
2007-07-25 15:37:50 C:\WINDOWS\tasks\McDefragTask.job
2007-07-25 15:37:48 C:\WINDOWS\tasks\McQcTask.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 11:15:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 11:17:13

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:05 AM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185373965984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185397986218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 4969 bytes
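The ComboFix log above is read mostly through its "Files Created" listing, where a helper looks for new kernel drivers, hidden or system files, and executables that appeared on their own rather than as part of an installer run. As an added example (not part of the thread and not ComboFix's own code), the following Python parses that listing into records and sorts them into those buckets. The excerpt is copied from the log above and trimmed to a few representative lines; the burst threshold (BURST_MIN) and the bucket names are my own assumptions, not anything ComboFix defines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt: lines copied from the "Files Created" section of the
# ComboFix log posted above, trimmed to a few representative entries.
COMBOFIX_EXCERPT = r"""
2007-07-27 10:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 20:47 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-26 18:18 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-07-25 11:38 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-25 11:38 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-25 11:38 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-25 11:38 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-25 11:38 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-25 11:38 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-07-25 10:20 46,592 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-07-25 10:20 208,896 --------- C:\WINDOWS\alcupd.exe
2007-07-25 10:20 135,168 --------- C:\WINDOWS\alcrmv.exe
2007-07-25 10:12 2,097,152 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-25 10:03 0 -rahs---- C:\MSDOS.SYS
2007-07-25 10:03 0 -rahs---- C:\IO.SYS
2007-07-25 10:03 0 --a------ C:\CONFIG.SYS
2007-07-25 10:03 0 --a------ C:\AUTOEXEC.BAT
"""

# Line layout: timestamp, size (or <DIR>), nine-character attribute string, path.
# Attribute letters: d=directory, r=read-only, a=archive, h=hidden, s=system.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +(<DIR>|[\d,]+) +([-darhs]{9}) +(.+?)\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
WINROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$")
# Assumption (my own threshold, not ComboFix's): three or more files written in
# the same minute look like an installer run; fewer looks like a one-off drop.
BURST_MIN = 3


@dataclass(frozen=True)
class Entry:
    stamp: str   # "YYYY-MM-DD HH:MM" exactly as ComboFix prints it
    size: int    # bytes, or -1 for a directory
    attrs: str   # e.g. "--a------", "-rahs----"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXEC_EXT)


def parse_files_created(text: str) -> List[Entry]:
    """Turn the 'Files Created' block into Entry records; non-matching lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        entries.append(Entry(stamp, -1 if size == "<DIR>" else int(size.replace(",", "")), attrs, path))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Bucket file entries into the categories worth a second look."""
    per_minute = Counter(e.stamp for e in entries)
    buckets: Dict[str, List[str]] = {
        "drivers": [],               # new kernel-mode code under system32\drivers
        "hidden_or_system": [],      # files carrying the h or s attribute
        "winroot_executables": [],   # executables dropped directly in C:\WINDOWS
        "solitary_executables": [],  # executables written outside any installer burst
    }
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        if low.endswith(".sys") and "\\drivers\\" in low:
            buckets["drivers"].append(e.path)
        if e.hidden_or_system:
            buckets["hidden_or_system"].append(e.path)
        if e.is_executable and WINROOT_RE.match(low):
            buckets["winroot_executables"].append(e.path)
        if e.is_executable and per_minute[e.stamp] < BURST_MIN:
            buckets["solitary_executables"].append(e.path)
    return buckets


if __name__ == "__main__":
    for name, paths in triage(parse_files_created(COMBOFIX_EXCERPT)).items():
        print(f"{name}:")
        for p in paths:
            print(f"  {p}")
```

On the excerpt, the six McAfee drivers land in one 11:38 burst and the sound-driver files in a 10:20 burst, so neither is flagged as solitary; nircmd.exe in the Windows root and atl71.dll in system32 each appear alone in their minute and are the two entries a reader would check against the times the tools were run.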

#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 27 July 2007 - 12:10 PM

Hello compumoose,



Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

I see you have PokerStars installed.
If you didn't install it with the intention to play with it, I suggest you uninstall it, because in most cases these programs are supported by malware, get installed without asking for it, and also lead you to sites where malware is lurking.
If you do play it, then leave it alone.


If you decide to get rid of it then select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe


Find and delete the following folder.

C:\Program Files\PokerStars\ <== folder

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.

You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

Post a new Hijackthis log, the BitDefender log and tell me how your computer is running.

Edited by SifuMike, 27 July 2007 - 12:22 PM.


#5 compumoose (Topic Starter, Members, 3 posts)

Posted 27 July 2007 - 03:16 PM

Hi

Thank you in advance for all your help. Please find the logs you requested below.

I am running McAfee firewall and anti-virus. The computer seems to be running OK.



BitDefender Online Scanner
Scan report generated at: Fri, Jul 27, 2007 - 15:43:14

Scan path: A:\;C:\;D:\;E:\;

Statistics
Time 00:20:11
Files 52414
Folders 201
Boot Sectors 2
Archives 720
Packed Files 3774

Results
Identified Viruses 1
Infected Files 1
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 1

Engines Info
Virus Definitions 641242
Engine build AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File / Status
C:\System Volume Information\_restore{00461E00-93F8-433F-A935-464E899FDCA0}\RP7\A0001223.exe
Infected with: Trojan.FakeAlert.DT
C:\System Volume Information\_restore{00461E00-93F8-433F-A935-464E899FDCA0}\RP7\A0001223.exe
Disinfection failed
C:\System Volume Information\_restore{00461E00-93F8-433F-A935-464E899FDCA0}\RP7\A0001223.exe
Deleted


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:44 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185373965984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185397986218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 5322 bytes

Thanks again

compumoose
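The whole exchange above works by comparing one HijackThis log with the next to see what a cleanup step removed or changed (here the two O4 Run entries and the McAfee Popup Blocker BHO disappeared between the first and second log, and the Start Page moved from the Microsoft fwlink URL to about:blank). As an added example, not part of the thread and not HijackThis's own code, the following Python parses a log's Running processes list and its R/O entries and diffs two logs. The two samples are trimmed copies of the first (26 July) and second (27 July) logs posted above; the decision to keep an R0/R1 value apart from its key, so that a changed start page shows as a change rather than as a removal plus an addition, is my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpts: trimmed copies of the first (26 July) and second (27 July)
# HijackThis logs posted above, keeping the lines that differ plus a little context.
HJT_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:01 PM, on 7/26/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
"""

HJT_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:05 AM, on 7/27/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
"""

# Every HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")


@dataclass
class HjtLog:
    scanned: str = ""
    processes: Set[str] = field(default_factory=set)
    # identity -> value: R-lines keep "key = value" apart so a changed start page
    # shows up as a change, not as one removal plus one addition; O-lines map to None
    entries: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_hjt(text: str) -> HjtLog:
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Scan saved at "):
            log.scanned = line[len("Scan saved at "):]
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                log.processes.add(line.lower())  # Windows paths are case-insensitive
            else:
                in_procs = False  # blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section[0] == "R" and " = " in body:
            key, value = body.split(" = ", 1)
            log.entries[f"{section} - {key}"] = value
        else:
            log.entries[f"{section} - {body}"] = None
    return log


@dataclass
class HjtDiff:
    removed: List[str]
    added: List[str]
    changed: List[Tuple[str, Optional[str], Optional[str]]]
    procs_gone: List[str]
    procs_new: List[str]


def diff_hjt(before: HjtLog, after: HjtLog) -> HjtDiff:
    """What a cleanup step removed, added or changed between two logs."""
    b, a = before.entries, after.entries
    return HjtDiff(
        removed=sorted(k for k in b if k not in a),
        added=sorted(k for k in a if k not in b),
        changed=sorted((k, b[k], a[k]) for k in b if k in a and b[k] != a[k]),
        procs_gone=sorted(before.processes - after.processes),
        procs_new=sorted(after.processes - before.processes),
    )


if __name__ == "__main__":
    before, after = parse_hjt(HJT_BEFORE), parse_hjt(HJT_AFTER)
    d = diff_hjt(before, after)
    print(f"{before.scanned}  ->  {after.scanned}")
    for label, items in (("removed", d.removed), ("added", d.added),
                         ("process gone", d.procs_gone), ("process new", d.procs_new)):
        for item in items:
            print(f"  {label}: {item}")
    for key, old, new in d.changed:
        print(f"  changed: {key}: {old!r} -> {new!r}")
```

Lower-casing the process paths is what keeps C:\WINDOWS\Explorer.EXE and C:\WINDOWS\explorer.exe from showing up as a spurious gone/new pair, a detail that matters when the two logs were produced by different scans of the same machine.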

#6 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 27 July 2007 - 03:26 PM

Hi compumoose,

Your log looks clean! :thumbsup:
I still see PokerStars in your log, so I am assuming you want to play it and not uninstall it and remove it with HijackThis.


Find and delete:
Combofix
C:\QOOBOX




Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Please read and follow How did I get infected?, with steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
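The reasoning behind the System Restore reset above is that the only BitDefender hit sat under System Volume Information\_restore{...}\RP7\, which is a restore-point snapshot of an old file rather than anything on the live file system; flushing the restore points is what removes such copies. As an added example (not part of the thread and not BitDefender's own tooling), the following Python groups the online scanner's Scanned File / Status lines by path, reads off each path's final outcome, and separates snapshot-only detections from live ones. The first path and its three status lines are copied from the report above; the second path (sample.exe under the temp folder) and its statuses are constructed for contrast and do not appear in the report, and the "Disinfected" status string is my assumption for a successful clean.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Optional

# Constructed excerpt. The first path and its status lines are copied from the
# BitDefender report above; the second path is a hypothetical live-file detection
# added for contrast and does not appear anywhere in the thread.
BITDEFENDER_EXCERPT = r"""
Scanned File
Status
C:\System Volume Information\_restore{00461E00-93F8-433F-A935-464E899FDCA0}\RP7\A0001223.exe
Infected with: Trojan.FakeAlert.DT
C:\System Volume Information\_restore{00461E00-93F8-433F-A935-464E899FDCA0}\RP7\A0001223.exe
Disinfection failed
C:\System Volume Information\_restore{00461E00-93F8-433F-A935-464E899FDCA0}\RP7\A0001223.exe
Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sample.exe
Infected with: (constructed sample, not from the report)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sample.exe
Disinfection failed
"""

# A System Restore snapshot copy lives under System Volume Information\_restore{GUID}\RP<n>\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.IGNORECASE
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assumption: these are the outcomes that mean the scanner finished with the file.
RESOLVED = ("Deleted", "Disinfected")


def parse_detections(text: str) -> "OrderedDict[str, List[str]]":
    """Group the report's alternating path / status lines by path, statuses in report order."""
    found: "OrderedDict[str, List[str]]" = OrderedDict()
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Scanned File", "Status"):
            continue
        if PATH_RE.match(line):
            current = line
            found.setdefault(current, [])
        elif current is not None:
            found[current].append(line)
    return found


def restore_point(path: str) -> Optional[int]:
    """RP number if the path is inside a System Restore snapshot, else None."""
    m = RESTORE_RE.search(path)
    return int(m.group(1)) if m else None


def final_status(statuses: List[str]) -> str:
    """The scanner reports each action in turn; the last line is the outcome."""
    return statuses[-1] if statuses else ""


def split_by_location(found: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Snapshot copies go away with a System Restore reset; live paths need real cleanup."""
    return {
        "snapshot_only": [p for p in found if restore_point(p) is not None],
        "live": [p for p in found if restore_point(p) is None],
    }


def still_infected(found: Dict[str, List[str]]) -> List[str]:
    """Paths whose final status is not a successful removal."""
    return [p for p, st in found.items() if final_status(st) not in RESOLVED]


if __name__ == "__main__":
    found = parse_detections(BITDEFENDER_EXCERPT)
    for p, st in found.items():
        rp = restore_point(p)
        where = f"restore point RP{rp}" if rp is not None else "live file system"
        print(f"{p}\n    {where}; final status: {final_status(st)}")
    print("needs follow-up:", still_infected(found))
```

Run against the real report alone (drop the constructed second path), the "live" bucket is empty and the single snapshot hit ends in Deleted, which is exactly the situation in which a System Restore reset is the whole remaining job.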

#7 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 03 August 2007 - 01:07 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.