
Pak_generic_001, Troj_agent.whs, Virtumonde, Webuying Trouble


  • This topic is locked
3 replies to this topic

#1 JABOWE

JABOWE

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 01 August 2007 - 06:23 PM

Hi guys,

I have been infected with a persistent virus/adware/malware. I first received the Pak_generic_001 and Troj_agent.whs and that was found and quarantined by TrendMicro. I found an executable wr-1-0000077.exe (when I click on this exe the TrendMicro shows the pak and trojan being quarantined), and outerinfo.exe that I removed, and webuying assistant in my registry that I removed. When I logged back into the internet, however, the files came back and have been exploding into webuying ads that I can't get rid of.

I have run VundoFix v6.5.6, Spybot, deleted all the files I can find that do not seem familiar and still I have the ads. I am also finding that my privacy settings keep getting set to no privacy each time.

Any assistance is appreciated.

Here are my logs from hijackthis.exe -- I have noticed that there is an 02 = 20 issue and I'm not sure if it's a real issue or not.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:44 PM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\COMMON~1\RACLE~1\taskmgr.exe
C:\Documents and Settings\jb6590\My Documents\s?curity\w?auclt.exe
C:\Documents and Settings\jb6590\Desktop\HijackThis.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\TEMP\JK7EC4.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Windows Desktop Search\WindowsSearchFilter.exe
C:\PROGRA~1\Windows Desktop Search\WindowsSearchFilter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycerner.cerner.com/mycerner
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://crmprdweb.cerner.com/mycerner/start.swe?SWECmd=Start
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://crmprdweb.cerner.com/mycerner/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2994563F-8C51-4DAE-BBBF-01E76864AF10} - C:\Program Files\Windows Media Player\mero83122.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\PROGRA~1\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\hgghifc.dll
O2 - BHO: (no name) - {4528350D-5841-492B-879C-D7F6C47814A7} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {4FF9ABBD-6077-4BF8-2974-3CB67841F2CC} - C:\WINDOWS\system32\lctvcing.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5b36bed2-9179-4856-b23e-d53d0abbb15b} - C:\WINDOWS\system32\ssjjjeg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\rfjuyfeu.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Srai] "C:\PROGRA~1\COMMON~1\RACLE~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [Pgxsoapa] "C:\Documents and Settings\jb6590\My Documents\s?curity\w?auclt.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\jb6590\Desktop\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://crmprdweb.cerner.com/mycerner/start.swe?SWECmd=Start
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.cerner
O15 - Trusted Zone: *.cerner.com
O15 - Trusted Zone: *.northamerica.cerner.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: cerner.skillport.com
O15 - Trusted Zone: *.vccerner.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O15 - Trusted Zone: *.capeweb (HKLM)
O15 - Trusted Zone: *.cerner (HKLM)
O15 - Trusted Zone: *.cerner.com (HKLM)
O15 - Trusted Zone: *.northamerica.cerner.net (HKLM)
O15 - Trusted Zone: *.firsthandfoundation (HKLM)
O15 - Trusted Zone: *.intellinet (HKLM)
O15 - Trusted Zone: *.krpro01 (HKLM)
O15 - Trusted Zone: *.meetingplace (HKLM)
O15 - Trusted Zone: *.msprjcrtweb (HKLM)
O15 - Trusted Zone: *.msprjprdweb (HKLM)
O15 - Trusted Zone: *.mymeded (HKLM)
O15 - Trusted Zone: *.mymeded.com (HKLM)
O15 - Trusted Zone: cerner.skillport.com (HKLM)
O15 - Trusted Zone: *.vccerner.com (HKLM)
O15 - Trusted Zone: *.webwhqprd (HKLM)
O15 - Trusted Zone: *.wsswebcrtwhq01 (HKLM)
O15 - Trusted Zone: *.wsswebcrtwhq02 (HKLM)
O15 - Trusted Zone: *.wsswebwhq01 (HKLM)
O15 - Trusted Zone: *.wsswebwhq02 (HKLM)
O15 - Trusted IP range: 10.160.8.172 (HKLM)
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.cerner.com/callcenter/192...tBound_mail.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.cerner.com/callcenter/192...tBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.cerner.com/callcenter/192...Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.cerner.com/callcenter/192...x_HI_Client.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://navigator.cerner.com/callcenter/192...x_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.cerner.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.cerner.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.cerner.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = northamerica.cerner.net
O20 - Winlogon Notify: hgghifc - C:\WINDOWS\SYSTEM32\hgghifc.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScanNT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 11952 bytes


Here is my ADS Spy file from HijackThis

C:\Documents and Settings\jb6590\Favorites\Desktop.ini : KAVICHS (68 bytes)
C:\Documents and Settings\jb6590\My Documents\desktop.ini : KAVICHS (68 bytes)
C:\Documents and Settings\jb6590\My Documents\My Music\Desktop.ini : KAVICHS (68 bytes)
C:\Documents and Settings\jb6590\My Documents\My Pictures\Desktop.ini : KAVICHS (68 bytes)
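The HijackThis log above is the kind of thing a removal helper reads by eye, looking for the same handful of patterns each time: a core Windows binary name that is one letter off (svhost.exe vs svchost.exe), a system binary name in a non-system directory (taskmgr.exe under Common Files), '?' characters in a path, an executable running out of TEMP, unnamed BHOs and randomly named DLLs in system32, a Winlogon Notify hook, and IE policy restrictions. The script below is an added example that encodes those checks; it is not code from this thread, from BleepingComputer, or from Trend Micro. The list of "known" system binaries, the edit-distance and vowel-ratio thresholds, and the assumption that HijackThis shows non-ASCII path characters as '?' are my own choices. SAMPLE_LOG is a subset of lines copied from the log posted above.

```python
"""Heuristic triage of HijackThis log lines (added example, not the thread's code).

Flags: system binary names outside system directories, one-character
lookalikes, '?' in paths, executables in TEMP, unnamed BHOs and randomly
named DLLs in system32, rundll32 autostarts of noise-named DLLs, Winlogon
Notify hooks and IE policy restrictions. Thresholds are heuristic choices.
"""
import ntpath
import re

# Core Windows binaries that malware imitates or plants in the wrong directory.
KNOWN_SYSTEM_EXES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
    "taskmgr.exe", "wuauclt.exe",
}
# Where those binaries legitimately live on Windows XP (lower-cased).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
SYSTEM32 = r"c:\windows\system32"

# A drive-letter path ending in an executable/DLL; one line may hold several.
PATH_RE = re.compile(r'[a-z]:\\[^"\n,]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)

# Subset of the lines posted in this thread, used as sample input.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svhost.exe
C:\PROGRA~1\COMMON~1\RACLE~1\taskmgr.exe
C:\Documents and Settings\jb6590\My Documents\s?curity\w?auclt.exe
C:\WINDOWS\TEMP\JK7EC4.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\hgghifc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\rfjuyfeu.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: hgghifc - C:\WINDOWS\SYSTEM32\hgghifc.dll
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Heuristic for dropper-style DLL names: 5-9 lowercase letters with
    almost no vowels, or a tripled letter (hgghifc, ssjjjeg). Conservative."""
    if not re.fullmatch(r"[a-z]{5,9}", stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    return vowel_ratio <= 0.25 or re.search(r"(.)\1\1", stem) is not None


def triage(lines):
    """Return [(line, [reason, ...]), ...] for lines that deserve a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reasons = []
        for path in PATH_RE.findall(line):
            directory, base = ntpath.split(path)
            dir_l, base_l = directory.lower(), base.lower()
            stem = base.rsplit(".", 1)[0]  # keep original case; heuristics depend on it
            if "?" in path:
                reasons.append("'?' in path (assumed: HijackThis shows non-ASCII characters as '?')")
            if base_l in KNOWN_SYSTEM_EXES and dir_l not in SYSTEM_DIRS:
                reasons.append(f"{base} outside a system directory")
            elif base_l not in KNOWN_SYSTEM_EXES and any(
                levenshtein(base_l, k) == 1 for k in KNOWN_SYSTEM_EXES
            ):
                reasons.append(f"{base} is one character away from a core Windows binary")
            if "\\temp\\" in dir_l + "\\":
                reasons.append("executable running from a temp directory")
            if dir_l == SYSTEM32 and base_l.endswith(".dll") and looks_random(stem):
                reasons.append(f"randomly named DLL {base} in system32")
            if "rundll32" in line.lower() and re.fullmatch(r"[a-z]{5,9}", stem):
                reasons.append(f"rundll32 autostart of {base}: digit-free all-lowercase name")
        if line.startswith("O2 - BHO: (no name)") and "\\system32\\" in line.lower():
            reasons.append("unnamed BHO loaded from system32")
        if line.startswith("O20 - Winlogon Notify:"):
            reasons.append("DLL registered as a Winlogon Notify package (loaded by winlogon.exe at logon)")
        if line.startswith("O6 -"):
            reasons.append("IE policy restrictions key present; check who set it")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG.splitlines()):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against SAMPLE_LOG it flags eight of the fourteen lines and leaves the legitimate ones (svchost.exe in system32, NvCpl.dll, ctfmon.exe, Spybot's SDHelper.dll, the Acrobat BHO) alone. The random-name check is intentionally strict so that vendor DLLs with real words in them are not flagged; rfjuyfeu.dll slips past it and is caught only because it is launched through rundll32 with an all-lowercase, digit-free name. A hit is a reason to look, not a verdict; the O15 trusted-zone entries in the full log, for instance, are corporate and were left out of the rules on purpose.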



#2 JABOWE

JABOWE
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 01 August 2007 - 06:48 PM

Here are the ComboFix results

ComboFix 07-08-01.6 - "JB6590" 2007-08-01 19:27:39.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\jb6590\APPLIC~1.\racle~1
C:\DOCUME~1\jb6590\MYDOCU~1.\scurit~1
C:\DOCUME~1\jb6590\MYDOCU~1.\scurit~1\w?auclt.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~1\taskmgr.exe
C:\Program Files\Windows Media Player\mero83122.dll
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\WINDOWS\asks~1
C:\WINDOWS\poolsv.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\b10FdUe\b10FdUe1099.exe
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G1\kmhp83122.exe
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G3\wr725.exe
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\G9
C:\WINDOWS\system32\hgghifc.dll
C:\WINDOWS\system32\nnnmkjj.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wtssvit.exe


((((((((((((((((((((((((( Files Created from 2007-07-01 to 2007-08-01 )))))))))))))))))))))))))))))))


2007-08-01 19:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-01 17:13 <DIR> d-------- C:\VundoFix Backups
2007-08-01 14:30 125,504 --a------ C:\WINDOWS\system32\rfjuyfeu.dll
2007-08-01 14:28 60,928 --a------ C:\WINDOWS\system32\lctvcing.dll
2007-08-01 08:56 2,707 --a------ C:\WINDOWS\system32\eattfejm.dll
2007-08-01 08:56 2,705 --a------ C:\WINDOWS\system32\pjgcxrit.dll
2007-07-31 09:07 2,707 --a------ C:\WINDOWS\system32\twjxmvhs.dll
2007-07-31 09:02 2,707 --a------ C:\WINDOWS\system32\pthqudma.dll
2007-07-30 17:37 2,707 --a------ C:\WINDOWS\system32\hxyettpm.dll
2007-07-30 17:34 2,705 --a------ C:\WINDOWS\system32\plmnyoqj.dll
2007-07-30 15:36 <DIR> d-------- C:\Program Files\Cosmi
2007-07-30 15:36 <DIR> d-------- C:\Program Files\Common Files\Cosmi
2007-07-30 15:34 299,520 --a------ C:\WINDOWS\uninst.exe
2007-07-30 08:16 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-29 15:46 2,707 --a------ C:\WINDOWS\system32\mtutmqll.dll
2007-07-29 15:46 2,705 --a------ C:\WINDOWS\system32\udbvnoat.dll
2007-07-29 03:38 171,520 --a------ C:\WINDOWS\system32\ssjjjeg.dll
2007-07-14 20:55 <DIR> d-------- C:\Program Files\iPod
2007-07-14 20:55 <DIR> d-------- C:\DOCUME~1\jb6590\APPLIC~1\Apple Computer
2007-07-14 20:54 <DIR> d-------- C:\Program Files\iTunes
2007-07-14 20:53 <DIR> d-------- C:\Program Files\QuickTime
2007-07-14 20:53 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-14 20:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-14 20:52 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-14 20:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 10:33 --------- d-------- C:\Program Files\Messenger
2007-07-30 10:16 --------- d-------- C:\Program Files\CONEXANT
2007-07-29 21:56 --------- d-------- C:\Program Files\Connected
2007-06-16 18:52 --------- d-------- C:\Program Files\Aventail Connect
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4528350D-5841-492B-879C-D7F6C47814A7}]
C:\WINDOWS\system32\vtsqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FF9ABBD-6077-4BF8-2974-3CB67841F2CC}]
2007-08-01 09:43 60928 --a------ C:\WINDOWS\system32\lctvcing.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5b36bed2-9179-4856-b23e-d53d0abbb15b}]
2007-07-29 03:38 171520 --a------ C:\WINDOWS\system32\ssjjjeg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 15:15]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 13:33]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-05-27 23:07]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 22:00]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2007-01-07 04:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"zzzHPSETUP"="D:\Setup.exe" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"WD Button Manager"="WDBtnMgr.exe" [2007-02-19 19:16 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"svhost"="C:\WINDOWS\svhost.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-10 08:34]
"Srai"="C:\PROGRA~1\COMMON~1\RACLE~1\taskmgr.exe" []
"Pgxsoapa"="C:\Documents and Settings\jb6590\My Documents\s?curity\w?auclt.exe" []
"HijackThis startup scan"="C:\Documents and Settings\jb6590\Desktop\HijackThis.exe" [2007-06-28 14:36]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [2004-09-13 15:21:27]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-02-19 19:17:46]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2005-11-09 20:03:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\PROGRA~1\Windows Desktop Search\MSNLNamespaceMgr.dll [2005-11-09 19:58 218624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\insmswhq01\SMSClient\i386\client.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-60319325-1160982951-1601773907-20064\Scripts\Logon\0\0]
"Script"=%logonserver%\netlogon\Trend\TrendServerSelect.vbs

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\DRIVERS\tmtdi.sys
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect\iPCAgent.exe
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys
R2 NgVpnMgr;Aventail VPN Client;C:\WINDOWS\system32\ngvpnmgr.exe
R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 TmFilter;Trend Micro Filter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R2 VSApiNt;Trend Micro VSAPI NT;\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 Afc;PPdus ASPI Shell;C:\WINDOWS\system32\drivers\Afc.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
R3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys
R3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
R3 w70n51;Intel® PRO/Wireless 7100 Adapter Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
S3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
S3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys
S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
S3 s24trans;s24trans;C:\WINDOWS\system32\DRIVERS\s24trans.sys
S3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S3 UIUSys;Conexant Setup API;C:\WINDOWS\system32\drivers\UIUSys.sys
S3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1ac5567-fc8e-11da-85b1-000f1fcbe260}]
AutoRun\command- E:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-07-30 23:24:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 19:38:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-01 19:41:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-01 19:40

--- E O F ---

#3 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:26 AM

Posted 06 August 2007 - 03:31 AM

Hello and welcome aboard. Sorry for the delay. The helpers are busy.

Still in need of help? It's been a few days. If so, please post back with a fresh HijackThis log :thumbsup:
Hi there, stranger!

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:26 AM

Posted 15 August 2007 - 03:14 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member.
Hi there, stranger!



