Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis File And What Is This Exe: C:\windows\temp\xxxxxx.exe


  • This topic is locked This topic is locked
8 replies to this topic

#1 kayra

kayra

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 31 July 2007 - 04:21 PM

Hi

I have been noticing an exe file in the task manager processes. Each time I boot my laptop this exe file occurs ith a different name. ex: EA6C13.EXE, LO281B.EXE, NGFD6D.EXE etc... The name has always 6 alphanumeric characters and shows up in the C:\WINDOWS\TEMP\ directory. In this HijackThis log file it shows up as: C:\WINDOWS\TEMP\RF5338.EXE.

Do I have a spyware, keylogger or a virus?

Thanks in advance for your help.

here is the HijackThis log file
=========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57:05, on 31/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\TEMP\RF5338.EXE
C:\Windows\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Trend Micro\OfficeScan Client\TSC.EXE
C:\Documents and Settings\joeblack\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bnstsrv:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176328154687
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:41 PM

Posted 05 August 2007 - 10:58 PM

Hello Kayra,

I am SifuMike and I will be helping you. :thumbsup:

Sorry for the delay, but we have many logs backed up.


I am not seeing any malware in your log except for the suspicous file RF5338.EXE in the temp folder.

We will check it with VirusTotal.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\TEMP\RF5338.EXE (the file name may have changed, so be sure to use the current name)

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

Note that I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

************************

NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log, the VirusTotal results, and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Edited by SifuMike, 05 August 2007 - 10:59 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kayra

kayra
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 08 August 2007 - 04:02 PM

Hi SifuMike

As your directions I have upload the file to virustotal site. and here is the result: (Result 0/32)


File KD7C75.EXE received on 08.08.2007 22:27:57 (CET)Antivirus Version Last Update Result
AhnLab-V3 2007.8.3.0 2007.08.08 -
AntiVir 7.4.0.57 2007.08.08 -
Authentium 4.93.8 2007.08.08 -
Avast 4.7.1029.0 2007.08.08 -
AVG 7.5.0.476 2007.08.08 -
BitDefender 7.2 2007.08.08 -
CAT-QuickHeal 9.00 2007.08.08 -
ClamAV 0.91 2007.08.08 -
DrWeb 4.33 2007.08.08 -
eSafe 7.0.15.0 2007.07.31 -
eTrust-Vet 31.1.5043 2007.08.08 -
Ewido 4.0 2007.08.08 -
FileAdvisor 1 2007.08.08 -
Fortinet 2.91.0.0 2007.08.08 -
F-Prot 4.3.2.48 2007.08.08 -
F-Secure 6.70.13030.0 2007.08.08 -
Ikarus T3.1.1.12 2007.08.08 -
Kaspersky 4.0.2.24 2007.08.08 -
McAfee 5093 2007.08.08 -
Microsoft 1.2704 2007.08.08 -
NOD32v2 2445 2007.08.08 -
Norman 5.80.02 2007.08.08 -
Panda 9.0.0.4 2007.08.08 -
Prevx1 V2 2007.08.08 -
Rising 19.35.22.00 2007.08.08 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.07 -
Symantec 10 2007.08.08 -
TheHacker 6.1.7.164 2007.08.08 -
VBA32 3.12.2.2 2007.08.07 -
VirusBuster 4.3.26:9 2007.08.08 -
Webwasher-Gateway 6.0.1 2007.08.08 -

Additional information
File size: 176195 bytes
MD5: dde38391cc972b0ef736283307786b47
SHA1: ae8408f84d48900bb227ca9a358e1979614e0e07
=====

Can it be a keylogger? This is my work laptop and I noticed that after killing the process and hooking it up to the network at work, the file shows up with a different name. I follow the same scenaria at home, it does not show up after I connect to net. I notice that the file shows up at my desktop and in some of the coleagues laptops.

Thanks in Advance
kayra.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:41 PM

Posted 08 August 2007 - 04:42 PM

Hi kayra

Can it be a keylogger?


Is this a company computer?
If so, ask your IT dept or employer if they installed a keylogger on this computer.

Almost all keyloggers are designed to run invisibly so it would not be showing anything (not even a temp file); however it makes no sense for a keylogger (if that is what it is) to use the temp folder, as you can delete that quite easily. Many of the antimalware programs will find most of keyloggers.

You forgot to post the ComobFix log.

Looks like VirusTotal did not find anything. :thumbsup:

Go to Jotti Online File Scanner copy and paste the bad file (name changes on each reboot) to the upload and scan it.

Let me know the results.
Copy and paste the output to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)



Also, please double-click on My Computer and locate the bad file (use the complete file path name.
Right-click on it and choose "Properties", then click on the "Version" tab at the top.
Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.

Edited by SifuMike, 08 August 2007 - 05:11 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 kayra

kayra
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 11 August 2007 - 08:29 AM

Hi SifuMike

Thanks for taking your time to look at my problem. In th's reply you will find in order Jotti Online File Scanner, ComboFix log and HighJackThis log files.

Also I have checked the properties of the file (xxxxxx.exe). It has no Comments, Company, File Version, and Internal Name.

Here are the log files:

This is from Jotti Online File Scanner (No virusses found)
--------------------------------------------------------------------
Service load: 0% 100%

File: ITEE71.EXE
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: dde38391cc972b0ef736283307786b47
Packers detected: -
Bit9 reports: Not analyzed yet (more info)

Scanner results
Scan taken on 11 Aug 2007 12:46:58 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
---------------------------------------------------------------


ComboFix Log

=====================================
ComboFix 07-08-09.3 - "XXXXXXXXX" 2007-08-11 15:57:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1033.18.141 [GMT 2:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 15:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 11:16 <DIR> d-------- C:\cryptoki
2007-07-25 10:43 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-25 10:43 <DIR> d-------- C:\Program Files\Winamp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 12:35 --------- d-------- C:\DOCUME~1\XXXXXXX\APPLIC~1\AdobeUM
2007-07-18 17:40 --------- d-------- C:\DOCUME~1\XXXXXXX\APPLIC~1\Skype
2007-07-10 11:56 --------- d-------- C:\Program Files\MSN Messenger
2007-07-09 19:00 --------- d-------- C:\Program Files\Skype
2007-07-09 19:00 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-05 14:53 --------- d-------- C:\Program Files\Vts3
2007-07-04 15:19 --------- d-------- C:\Program Files\Xvid
2007-06-29 14:29 --------- d-------- C:\Program Files\PETLIM Tools
2007-06-26 10:27 363520 --------- C:\Windows\system32\dllcache\w3svc.dll
2007-06-21 14:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-21 14:16 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-21 14:07 --------- d-------- C:\Program Files\Rainbow Technologies
2007-06-21 14:06 --------- d-------- C:\Program Files\MasterCard Europe
2007-06-21 14:06 --------- d-------- C:\Program Files\MasterCard
2007-05-16 17:12 86528 --------- C:\Windows\system32\dllcache\directdb.dll
2007-05-16 17:12 85504 --------- C:\Windows\system32\dllcache\wabimp.dll
2007-05-16 17:12 683520 --a------ C:\Windows\system32\inetcomm.dll
2007-05-16 17:12 683520 --------- C:\Windows\system32\dllcache\inetcomm.dll
2007-05-16 17:12 510976 --------- C:\Windows\system32\dllcache\wab32.dll
2007-05-16 17:12 1314816 --------- C:\Windows\system32\dllcache\msoe.dll
2007-05-11 12:25 1156 --a------ C:\Windows\mozver.dat
2007-05-11 12:16 0 --a------ C:\Windows\nsreg.dat
2004-03-01 13:55 561179 --a------ C:\Program Files\Common Files\dao360.dll
1995-09-20 16:16 456976 --a------ C:\Windows\msapps\Dao\dao3032.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 14:17 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-02-14 11:42 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 17:38]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EabServr.exe" [2002-03-07 13:49]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2002-01-24 17:03]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 20:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\Windows\system32\ctfmon.exe" [2004-08-03 23:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\Windows\Cpqdiag\CpqDfwAg.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe [2003-07-25 15:56:20]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-04-13 14:12:35]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-04-12 18:05:02]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-13 14:44:09]

R1 ClntMgmt;Compaq Client Management Driver;C:\Windows\system32\Drivers\ClntMgmt.sys
R2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;C:\Windows\Cpqdiag\Cpqdfwag.exe
R2 cpqdiag;Compaq Diagnostics Driver;\??\C:\Windows\System32\drivers\cpqdiag.sys
R2 cpqWebDmi;Compaq DMI Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
R2 cq_mem;Compaq Diagnostics Memory Driver;\??\C:\Windows\System32\drivers\cq_mem.sys
R2 cqcpu;Compaq Diagnostics CPU Driver;\??\C:\Windows\System32\drivers\cqcpu.sys
R2 IISADMIN;IIS Admin;C:\Windows\system32\inetsrv\inetinfo.exe
R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 Sentinel;Sentinel;C:\Windows\system32\Drivers\SENTINEL.SYS
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\Windows\system32\inetsrv\inetinfo.exe
R2 TM_CFW;Common Firewall Driver;\??\C:\Program Files\Trend Micro\OfficeScan Client\tm_cfw.sys
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R3 msloop;Microsoft Loopback Adapter Driver;C:\Windows\system32\DRIVERS\loop.sys
S3 allegro;ESS Allegro Audio Driver (WDM);C:\Windows\system32\drivers\es198x.sys
S3 ltmodem5;LT Modem Driver;C:\Windows\system32\DRIVERS\ltmdmnt.sys
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\Windows\system32\DRIVERS\wg511nd5.sys
S3 SNTNLUSB;Rainbow USB SuperPro;C:\Windows\system32\DRIVERS\SNTNLUSB.SYS
S3 wlluc48;Wireless LAN PC Card Driver;C:\Windows\system32\DRIVERS\wlluc48.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7027fb32-ec12-11db-a0f4-000802664629}]
Auto\command- RavMon.exe e
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ce68751-43a8-11dc-a175-000802664629}]
Auto\command- bittorrent.exe e
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 15:59:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 16:00:27

--- E O F ---

===============================================================


HJT Log
====================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:14, on 2007-08-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\TEMP\ITEE71.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Windows\System32\svchost.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bscomm:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176328154687
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 6786 bytes
=======================================================================

Thanks again.
Kayra

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:41 PM

Posted 11 August 2007 - 01:40 PM

Hi kayra,

Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7027fb32-ec12-11db-a0f4-000802664629}]




Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



Is this a company computer?
If so, ask your IT dept or employer if they installed a keylogger on this computer.

You forgot to answer my question.




F:\HijackThis.exe

I see you moved Hijackthis to the F: drive. :thumbsup: Please move it back to the C: drive and put it in a Hijackthis folder.

Edited by SifuMike, 11 August 2007 - 01:45 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 kayra

kayra
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 14 August 2007 - 03:27 PM

Dear SifuMike

Yes. this is a work laptop. I talked to our security guy about the suspicious exe file and asked if it@s a keylogger. He said we don't use keyloggers and did a complete check on my laptop. Couldn't find anything, except one interesting thing: There is one interesting note is that in c:\windows\Prefetch folder there is a file related to this suspicious exe like: ND36F3.exe-0F840064.pf . The first characters match with the suspicious exe file.

Here are the log files:

ComboFix Log
========================================================
ComboFix 07-08-09.3 - "kayra" 2007-08-14 22:44:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1033.18.151 [GMT 2:00]
Command switches used :: C:\Documents and Settings\kayra\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))


2007-08-14 22:42 <DIR> d-------- C:\Hijackthis
2007-08-11 15:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 11:16 <DIR> d-------- C:\cryptoki
2007-07-25 10:43 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-25 10:43 <DIR> d-------- C:\Program Files\Winamp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 12:35 --------- d-------- C:\DOCUME~1\kayra\APPLIC~1\AdobeUM
2007-07-18 17:40 --------- d-------- C:\DOCUME~1\kayra\APPLIC~1\Skype
2007-07-10 11:56 --------- d-------- C:\Program Files\MSN Messenger
2007-07-09 19:00 --------- d-------- C:\Program Files\Skype
2007-07-09 19:00 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-05 14:53 --------- d-------- C:\Program Files\Vts3
2007-07-04 15:19 --------- d-------- C:\Program Files\Xvid
2007-06-29 14:29 --------- d-------- C:\Program Files\PETLIM Tools
2007-06-26 10:27 363520 --------- C:\Windows\system32\dllcache\w3svc.dll
2007-06-21 14:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-21 14:16 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-21 14:07 --------- d-------- C:\Program Files\Rainbow Technologies
2007-06-21 14:06 --------- d-------- C:\Program Files\MasterCard Europe
2007-06-21 14:06 --------- d-------- C:\Program Files\MasterCard
2007-05-16 17:12 86528 --------- C:\Windows\system32\dllcache\directdb.dll
2007-05-16 17:12 85504 --------- C:\Windows\system32\dllcache\wabimp.dll
2007-05-16 17:12 683520 --a------ C:\Windows\system32\inetcomm.dll
2007-05-16 17:12 683520 --------- C:\Windows\system32\dllcache\inetcomm.dll
2007-05-16 17:12 510976 --------- C:\Windows\system32\dllcache\wab32.dll
2007-05-16 17:12 1314816 --------- C:\Windows\system32\dllcache\msoe.dll
2004-03-01 13:55 561179 --a------ C:\Program Files\Common Files\dao360.dll
1995-09-20 16:16 456976 --a------ C:\Windows\msapps\Dao\dao3032.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 14:17 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-02-14 11:42 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 17:38]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EabServr.exe" [2002-03-07 13:49]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2002-01-24 17:03]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 20:20]
C:\ComboFix\temp00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 14:17 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-02-14 11:42 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 17:38]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EabServr.exe" [2002-03-07 13:49]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2002-01-24 17:03]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 20:20]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 14:17 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-02-14 11:42 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 17:38]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EabServr.exe" [2002-03-07 13:49]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2002-01-24 17:03]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 20:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\Windows\Cpqdiag\CpqDfwAg.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe [2003-07-25 15:56:20]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-04-13 14:12:35]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-04-12 18:05:02]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-13 14:44:09]

R1 ClntMgmt;Compaq Client Management Driver;C:\Windows\system32\Drivers\ClntMgmt.sys
R2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;C:\Windows\Cpqdiag\Cpqdfwag.exe
R2 cpqdiag;Compaq Diagnostics Driver;\??\C:\Windows\System32\drivers\cpqdiag.sys
R2 cpqWebDmi;Compaq DMI Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
R2 cq_mem;Compaq Diagnostics Memory Driver;\??\C:\Windows\System32\drivers\cq_mem.sys
R2 cqcpu;Compaq Diagnostics CPU Driver;\??\C:\Windows\System32\drivers\cqcpu.sys
R2 IISADMIN;IIS Admin;C:\Windows\system32\inetsrv\inetinfo.exe
R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 Sentinel;Sentinel;C:\Windows\system32\Drivers\SENTINEL.SYS
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\Windows\system32\inetsrv\inetinfo.exe
R2 TM_CFW;Common Firewall Driver;\??\C:\Program Files\Trend Micro\OfficeScan Client\tm_cfw.sys
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R3 msloop;Microsoft Loopback Adapter Driver;C:\Windows\system32\DRIVERS\loop.sys
S3 allegro;ESS Allegro Audio Driver (WDM);C:\Windows\system32\drivers\es198x.sys
S3 ltmodem5;LT Modem Driver;C:\Windows\system32\DRIVERS\ltmdmnt.sys
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\Windows\system32\DRIVERS\wg511nd5.sys
S3 SNTNLUSB;Rainbow USB SuperPro;C:\Windows\system32\DRIVERS\SNTNLUSB.SYS
S3 wlluc48;Wireless LAN PC Card Driver;C:\Windows\system32\DRIVERS\wlluc48.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ce68751-43a8-11dc-a175-000802664629}]
Auto\command- bittorrent.exe e
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 22:46:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 22:48:22
C:\ComboFix2.txt ... 2007-08-11 16:00

--- E O F ---
================================================================

Hijackthislog
=============================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:00, on 2007-08-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\TEMP\ND3DF6.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Windows\explorer.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bscomm:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0 CE\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176328154687
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 6698 bytes
==================================================================================


I am just curious about this process. One of my friend advised me to have a port listenner software like zonealarm and find out if this file tries to send data to somewhere. Since it occurs in the temp folder, he thought that it might be one of Microsoft's knowledge gathering files.

Thanks for your time
Kayra.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:41 PM

Posted 14 August 2007 - 04:41 PM

Hi kayra,

Any exe running from a temp folder and changing names on reboot is very suspious. :thumbsup:

Lets dig deeper with these scans.

You will need to use Internet Explorer for this scan.

Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them unaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports " and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop.
    A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can can continue to use as an on-demand scanner or you may purchase a license to use the full version.

When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh Hijackthis log.


One of my friend advised me to have a port listenner software like zonealarm and find out if this file tries to send data to somewhere. Since it occurs in the temp folder, he thought that it might be one of Microsoft's knowledge gathering files.



I dont think it is a MS related file since they would not use the temp folder, but it my be one of your installed programs using the temp folder. Still very suspicous.


You should have a software firewall, as that is your first line of defense against malware. If you do not have a firewall on this computer, then please install one.

I do not recommend Windows XP's software firewall, as it monitors only inbound connections, offering no protection from malware already on your PC.
All commercial firewalls offer both inbound and outbound connection monitoring.

Here are five free firewalls available for personal use. If one conflicts with your system, try another. But only install one firewall as two will cause conflicts.

I use Comodo firewall and found it outperforms ZA.

You Need a (Properly Configured) Firewall
Understanding and Using Firewalls


Comodo

Sunbelt Kerio Firewall

Outpost Firewall Free

Jetico Personal Firewall

ZoneAlarm
ZoneAlarm Manual http://download.zonelabs.com/bin/media/pdf/ZAP40_manual.pdf

Edited by SifuMike, 14 August 2007 - 04:55 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:41 PM

Posted 22 August 2007 - 02:45 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users