
Smitfraud-c


9 replies to this topic

#1 purenoumena

  • Members
  • 9 posts

Posted 09 August 2007 - 08:15 PM

Hello... I have a malware infection (I think) that I'm having trouble removing. I'm running Windows XP. I ran through the tutorial and did everything I could. Here is what I've done so far:

I updated windows. I also disabled System Restore.

Updated and ran Ad-Aware (both in regular mode and in safe mode)
Updated and ran Spybot S&D (both in regular mode and in safe mode)
Updated and ran CCleaner (both in regular mode and in safe mode)
Updated and ran Stinger

I tried running Panda as the tutorial suggested, but it keeps saying I need to remove PC-cillin first, and for the life of me I can't find that on my computer.

The last thing I did was install a firewall. Since I couldn't run Panda for the antivirus, I ran the antivirus provided by the firewall (Zone Labs ZoneAlarm).

I ran Ad-Aware and Spybot many, many, many, many times. The problem Spybot keeps coming up with is Smitfraud-C. The file that seems to keep regenerating is in my System32 folder: ldcore.dll and ldcoredll.tobedeleted (spelling isn't 100% on the second file name). Virtumonde pops up in Spybot frequently as well.

After my last round of runs, here is my HJT log. Thanks so much for any possible advice. I hope I provided enough info.



Logfile of HijackThis v1.99.1
Scan saved at 5:47:38 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Documents and Settings\j-me\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oe.quickbooks.com/redir.cfm?page=login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 216.193.201.57 alteredesthetics.com www.alteredesthetics.com mail.alteredesthetics.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Calendar 200X Reminder] C:\Program Files\Calendar 200X\calendar.exe notes
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\otmemgmf.dll",forkonce
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131827021340
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c7/v16.607/qboax10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA9ADD1D-51A4-4990-8DD1-7994F427317F}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
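As an added illustration (not part of this thread, of HijackThis or of ComboFix), a small Python triage pass over constructed sample lines modelled on the log above. It flags the indicator classes the helper acts on later in the thread: the per-adapter DNS override (O17), the AppInit_DLLs injection (O20), the rundll32 autorun of a random-named DLL (O4), the hosts-file entry (O1) and orphaned "(no file)" entries. The `Finding` class, the `trusted_dns` parameter and the eight-lowercase-letters "random name" rule are this example's own heuristics, not HijackThis features.

```python
"""Triage pass over HijackThis v1.99-style log lines (added illustration).

Flags the indicator classes the helper acted on in this thread: the per-adapter
DNS override (O17), AppInit_DLLs injection (O20), an autorun that loads a
random-named DLL through rundll32 (O4), hosts-file overrides (O1) and
orphaned "(no file)" entries. The heuristics and names are this example's own.
"""
import re
from dataclasses import dataclass

# Every HijackThis item is "<section> - <body>"; process listings and headers are not.
HJT_ITEM = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# O4 autoruns that hand a DLL to rundll32.exe, quoted or not.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

# Heuristic: eight lowercase letters is the naming pattern of the dropper DLLs
# seen in this thread (otmemgmf.dll, dwbijhbt.dll). Expect false positives.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high" = act on it, "review" = confirm with the user first
    reason: str
    line: str


def parse_item(line):
    """Return (section, body) for a HijackThis item line, else None."""
    m = HJT_ITEM.match(line.strip())
    return (m["section"], m["body"]) if m else None


def triage(log_text, trusted_dns=frozenset()):
    """Scan a whole log; trusted_dns holds resolvers the user is known to use."""
    findings = []
    for raw in log_text.splitlines():
        item = parse_item(raw)
        if item is None:
            continue
        section, body = item
        line = raw.strip()
        if section == "O17":
            # Per-interface NameServer override: a rogue resolver hijacks every lookup.
            m = re.search(r"NameServer = (\S+)", body)
            bad = [s for s in m.group(1).split(",") if s not in trusted_dns] if m else []
            if bad:
                findings.append(Finding(section, "high",
                                        "DNS resolver(s) not in trusted set: " + ", ".join(bad), line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # A non-empty AppInit_DLLs value is loaded into every user32-linked process.
            if body.split(":", 1)[1].strip():
                findings.append(Finding(section, "high",
                                        "AppInit_DLLs injects a DLL into every GUI process", line))
        elif section == "O4":
            m = RUNDLL.search(body)
            if m:
                dll = m["dll"].rsplit("\\", 1)[-1].lower()
                if RANDOM_NAME.match(dll):
                    findings.append(Finding(section, "high",
                                            f"rundll32 autorun of random-named DLL {dll}", line))
        elif section == "O1":
            # Any hosts-file mapping deserves confirmation: it silently redirects a name.
            findings.append(Finding(section, "review", "hosts-file override", line))
        elif body.endswith("(no file)"):
            findings.append(Finding(section, "review", "orphaned entry, target file missing", line))
    return findings


# Constructed sample: a handful of lines modelled on the first HijackThis log above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 216.193.201.57 alteredesthetics.com www.alteredesthetics.com
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\otmemgmf.dll",forkonce
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA9ADD1D-51A4-4990-8DD1-7994F427317F}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print("         " + f.line)
```

Passing the resolvers the user actually configured as `trusted_dns` suppresses the O17 hit for legitimate ISP servers while still catching an unexpected one.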


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 10 August 2007 - 07:15 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, purenoumena.
My name is Richie and I'll be helping you to fix your problems.

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot, post the contents of the logfile C:\fixwareout\report.txt in your next reply.

Download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log.

#3 purenoumena
  • Topic Starter

  • Members
  • 9 posts

Posted 11 August 2007 - 12:51 PM

Hi Richie,
Thanks for your help!
I wasn't able to get on BleepingComputer from this computer, but now I can. That's awesome!


Here are my logs:

Username "j-me" - 2007-08-11 10:58:47 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EA9ADD1D-51A4-4990-8DD1-7994F427317F}
"nameserver"="194.54.90.226" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Calendar 200X Reminder"="C:\\Program Files\\Calendar 200X\\calendar.exe notes"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SystemOptimizer"="rundll32.exe \"C:\\WINDOWS\\system32\\dwbijhbt.dll\",forkonce"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


ComboFix 07-08-10.8 - "j-me" 2007-08-11 11:08:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.261 [GMT -6:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\d.exe
C:\DOCUME~1\j-me\APPLIC~1\..\err.log
C:\DOCUME~1\LOCALS~1\APPLIC~1\.rdr.ini
C:\DOCUME~1\NETWOR~1\APPLIC~1\.rdr.ini
C:\Program Files\Common Files\lavu.dll
C:\Program Files\Common Files\lavu20.dll
C:\Program Files\icroso~1
C:\Program Files\ppatch~1
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\0c2\tmpRC.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\bpoxhvm.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\dobe~1
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\kgtkt0578.exe
C:\WINDOWS\system32\3.exe
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\A1\kmhp83122.exe
C:\WINDOWS\system32\B0
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\b06FdUe
C:\WINDOWS\system32\b06FdUe\b06FdUe1083.exe
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B1\wr73.exe
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B4
C:\WINDOWS\system32\B4\bw73.exe
C:\WINDOWS\system32\B5
C:\WINDOWS\system32\B5\z53.exe
C:\WINDOWS\SYSTEM32\bylwwfiu.ini
C:\WINDOWS\SYSTEM32\cdeeg.bak1
C:\WINDOWS\SYSTEM32\cdeeg.bak2
C:\WINDOWS\SYSTEM32\cdeeg.ini
C:\WINDOWS\SYSTEM32\cvysxxeo.ini
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\duecxmxe.exe
C:\WINDOWS\system32\dwbijhbt.dll
C:\WINDOWS\system32\edcysjne.dll
C:\WINDOWS\system32\eqkmjxrn.exe
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\f06WtR\f06WtR1083.exe
C:\WINDOWS\system32\fqtyoetb.exe
C:\WINDOWS\system32\gebxvvs.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\hhbdlpjo.exe
C:\WINDOWS\system32\ie_ban.exe
C:\WINDOWS\system32\illdknvg.exe
C:\WINDOWS\system32\iqveofun.exe
C:\WINDOWS\system32\isylndjb.exe
C:\WINDOWS\system32\jgntckln.exe
C:\WINDOWS\system32\jkklmlj.dll
C:\WINDOWS\system32\jmtduqeg.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lfd32.ini
C:\WINDOWS\system32\lhihjnei.exe
C:\WINDOWS\system32\licajxmx.dll
C:\WINDOWS\system32\moefhgyf.dll
C:\WINDOWS\system32\msbind32.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\SYSTEM32\mxivgpgy.ini
C:\WINDOWS\system32\myapaket.exe
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{4F0AF5AC-AC4A-45B8-9E4E-5EB6E9BBFDBA}.exe
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{DADD5C69-77C6-4740-9E3B-0B0997E0A8B5}.exe
C:\WINDOWS\system32\oexxsyvc.dll
C:\WINDOWS\system32\orcypdbu.exe
C:\WINDOWS\system32\Outerinfo-1440.exe
C:\WINDOWS\system32\Outerinfo-1832.exe
C:\WINDOWS\system32\qwaqfqmo.exe
C:\WINDOWS\system32\qwuulerd.exe
C:\WINDOWS\system32\rearebtp.exe
C:\WINDOWS\system32\setup155.exe
C:\WINDOWS\system32\smpucrq.dll
C:\WINDOWS\SYSTEM32\tbhjibwd.ini
C:\WINDOWS\system32\tghdhvdh.exe
C:\WINDOWS\system32\uifwwlyb.dll
C:\WINDOWS\system32\user10.exe
C:\WINDOWS\system32\uumuxike.exe
C:\WINDOWS\system32\vtpvdaeg.exe
C:\WINDOWS\system32\vvtqpjwe.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\win\bw72.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\system32\xixtsnen.dll
C:\WINDOWS\system32\ygpgvixm.dll
C:\WINDOWS\system32\yiqtfklf.exe
C:\WINDOWS\system32\yohkgrce.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z11
C:\WINDOWS\system32\Z11\z53.exe
C:\WINDOWS\system32\Z2
C:\WINDOWS\system32\Z2\x55.exe
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z3\w0716.exe
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\tk58.exe
C:\WINDOWS\uni_eh44.exe
C:\WINDOWS\uninst1014.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 11:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-11 10:59 5,429 --a------ C:\dnsbak.reg
2007-08-11 10:27 75,328 --a------ C:\WINDOWS\SYSTEM32\uupdlakj.exe
2007-08-11 10:25 75,328 --a------ C:\WINDOWS\SYSTEM32\jhdleotj.exe
2007-08-09 14:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-09 13:51 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-08-09 13:50 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-08-09 13:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-08-09 13:49 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-09 13:11 38,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ShlDrv51.sys
2007-08-09 13:11 178,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PavProc.sys
2007-08-09 13:11 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-08-09 09:31 67,584 --a------ C:\WINDOWS\SYSTEM32\l3acdb.dll
2007-08-07 14:41 25,088 --a------ C:\WINDOWS\SYSTEM32\msscds32.dll
2007-08-07 14:40 8,782 --a------ C:\WINDOWS\SYSTEM32\waverevenue.exe
2007-08-07 14:40 57,344 --a------ C:\WINDOWS\SYSTEM32\install.exe
2007-08-07 14:39 192,584 --a------ C:\WINDOWS\SYSTEM32\pwinmmdt.exe
2007-08-07 12:56 <DIR> d-------- C:\91c26e9d065caa8d968c
2007-08-07 09:31 <DIR> d-------- C:\Program Files\CCleaner
2007-08-07 09:21 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-02 11:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-02 11:02 <DIR> d-------- C:\DOCUME~1\j-me\APPLIC~1\MalwareBot
2007-07-28 11:12 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-28 11:08 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2007-07-28 11:08 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2007-07-28 11:08 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2007-07-28 10:06 <DIR> d-------- C:\Program Files\Common Files\kwzf
2007-07-28 10:04 <DIR> d-------- C:\WINDOWS\kwzf
2007-07-26 22:29 0 --a------ C:\WINDOWS\SYSTEM32\bpwepyx.dll
2007-07-17 12:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-17 12:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-14 11:44 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 10:48 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-11 10:28 246 --a------ C:\Program Files\Common Files\lavu20
2007-08-09 10:25 --------- d-------- C:\Program Files\Google
2007-08-03 20:31 --------- d-------- C:\Program Files\PCCW
2007-08-02 14:57 --------- d-------- C:\Program Files\Real Alternative
2007-08-01 12:30 --------- d-------- C:\DOCUME~1\j-me\APPLIC~1\AdobeUM
2007-07-17 13:54 --------- d-------- C:\Program Files\Windows NT
2007-07-17 12:20 --------- d-------- C:\Program Files\Lavasoft
2007-06-28 14:23 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2007-06-28 14:23 --------- d-------- C:\Program Files\Rhapsody
2007-06-28 14:23 --------- d-------- C:\DOCUME~1\j-me\APPLIC~1\Real
2007-06-26 14:51 55216 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-26 14:51 45056 --a------ C:\WINDOWS\system32\cdrtc.dll
2007-06-26 14:51 45056 --a------ C:\WINDOWS\system32\cdral.dll
2007-06-26 14:51 40960 --a------ C:\WINDOWS\uneng.exe
2007-06-26 14:51 22713 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-26 14:51 --------- d-------- C:\Program Files\Common Files\Adaptec Shared
2007-06-26 14:49 --------- d-------- C:\Program Files\Adaptec
2007-05-22 12:18 184320 --a------ C:\WINDOWS\system32\PhanfareScreenSaver.exe
2007-05-22 12:18 184320 --a------ C:\WINDOWS\system32\Phanfare Screensaver.scr
2007-05-16 09:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 09:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 09:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 09:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 09:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
1998-05-14 22:00 73184 --a------ C:\Program Files\Common Files\dao2535.tlb
1998-04-26 22:00 570128 --a------ C:\Program Files\Common Files\Dao350.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-08-09 09:31 67584 --a------ C:\WINDOWS\system32\l3acdb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Calendar 200X Reminder"="C:\Program Files\Calendar 200X\calendar.exe" [2004-01-25 15:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-16 15:26]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 09:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 09:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-17 23:20]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-14 10:34]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

C:\Documents and Settings\j-me\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 08:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 08:00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S2 tm_cfw;Common Firewall Driver;C:\WINDOWS\system32\Drivers\tm_cfw.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 MagEpNt;MagEpNt;C:\WINDOWS\system32\drivers\MagEpNt.sys


Contents of the 'Scheduled Tasks' folder
2007-08-02 17:38:47 C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job - C:\Program Files\MalwareBot\MalwareBot.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 11:31:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 11:32:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-11 11:31

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 12:42:13 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\j-me\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oe.quickbooks.com/redir.cfm?page=login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Calendar 200X Reminder] C:\Program Files\Calendar 200X\calendar.exe notes
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131827021340
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c7/v16.607/qboax10.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


that's all of them...

awaiting further instruction...

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 11 August 2007 - 01:17 PM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\SYSTEM32\uupdlakj.exe
C:\WINDOWS\SYSTEM32\jhdleotj.exe
C:\WINDOWS\SYSTEM32\l3acdb.dll
C:\WINDOWS\SYSTEM32\waverevenue.exe
C:\WINDOWS\SYSTEM32\pwinmmdt.exe
C:\WINDOWS\SYSTEM32\bpwepyx.dll

Folder::
C:\Program Files\Common Files\kwzf
C:\WINDOWS\kwzf

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

#5 purenoumena
  • Topic Starter

  • Members
  • 9 posts

Posted 11 August 2007 - 03:10 PM

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.



Here are the new logs. Thank you so much!



ComboFix 07-08-10.8 - "j-me" 2007-08-11 14:58:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.308 [GMT -6:00]
Command switches used :: C:\Documents and Settings\j-me\Desktop\CFScript.txt

FILE::
C:\WINDOWS\SYSTEM32\uupdlakj.exe
C:\WINDOWS\SYSTEM32\jhdleotj.exe
C:\WINDOWS\SYSTEM32\l3acdb.dll
C:\WINDOWS\SYSTEM32\waverevenue.exe
C:\WINDOWS\SYSTEM32\pwinmmdt.exe
C:\WINDOWS\SYSTEM32\bpwepyx.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\kwzf
C:\Program Files\Common Files\kwzf\kwzfa.lck
C:\Program Files\Common Files\kwzf\kwzfd\class-barrel
C:\Program Files\Common Files\kwzf\kwzfd\vocabulary
C:\Program Files\Common Files\kwzf\kwzfl.lck
C:\Program Files\Common Files\kwzf\kwzfm.lck
C:\WINDOWS\kwzf
C:\WINDOWS\kwzf\kwzf.dat
C:\WINDOWS\kwzf\wu
C:\WINDOWS\SYSTEM32\bpwepyx.dll
C:\WINDOWS\SYSTEM32\jhdleotj.exe
C:\WINDOWS\SYSTEM32\pwinmmdt.exe
C:\WINDOWS\SYSTEM32\uupdlakj.exe
C:\WINDOWS\SYSTEM32\waverevenue.exe


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 13:44 <DIR> d-------- C:\DOCUME~1\j-me\APPLIC~1\MailFrontier
2007-08-11 13:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-11 13:38 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-08-11 13:38 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-11 13:38 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-08-11 13:38 110,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kl1.sys
2007-08-11 13:38 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-08-11 13:38 104,480 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-08-11 11:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-11 10:59 5,429 --a------ C:\dnsbak.reg
2007-08-09 14:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-09 13:51 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-08-09 13:50 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-08-09 13:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-08-09 13:49 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-09 13:11 38,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ShlDrv51.sys
2007-08-09 13:11 178,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PavProc.sys
2007-08-09 13:11 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-08-07 14:41 25,088 --a------ C:\WINDOWS\SYSTEM32\msscds32.dll
2007-08-07 14:40 57,344 --a------ C:\WINDOWS\SYSTEM32\install.exe
2007-08-07 12:56 <DIR> d-------- C:\91c26e9d065caa8d968c
2007-08-07 09:31 <DIR> d-------- C:\Program Files\CCleaner
2007-08-07 09:21 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-02 11:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-02 11:02 <DIR> d-------- C:\DOCUME~1\j-me\APPLIC~1\MalwareBot
2007-07-28 11:12 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-28 11:08 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2007-07-28 11:08 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2007-07-28 11:08 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2007-07-17 12:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-17 12:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-14 11:44 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 15:01 2252 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-11 14:10 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-11 10:28 246 --a------ C:\Program Files\Common Files\lavu20
2007-08-09 10:25 --------- d-------- C:\Program Files\Google
2007-08-03 20:31 --------- d-------- C:\Program Files\PCCW
2007-08-02 14:57 --------- d-------- C:\Program Files\Real Alternative
2007-08-01 12:30 --------- d-------- C:\DOCUME~1\j-me\APPLIC~1\AdobeUM
2007-07-17 13:54 --------- d-------- C:\Program Files\Windows NT
2007-07-17 12:20 --------- d-------- C:\Program Files\Lavasoft
2007-06-28 14:23 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2007-06-28 14:23 --------- d-------- C:\Program Files\Rhapsody
2007-06-28 14:23 --------- d-------- C:\DOCUME~1\j-me\APPLIC~1\Real
2007-06-26 14:51 55216 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-26 14:51 45056 --a------ C:\WINDOWS\system32\cdrtc.dll
2007-06-26 14:51 45056 --a------ C:\WINDOWS\system32\cdral.dll
2007-06-26 14:51 40960 --a------ C:\WINDOWS\uneng.exe
2007-06-26 14:51 22713 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-26 14:51 --------- d-------- C:\Program Files\Common Files\Adaptec Shared
2007-06-26 14:49 --------- d-------- C:\Program Files\Adaptec
2007-05-22 12:18 184320 --a------ C:\WINDOWS\system32\PhanfareScreenSaver.exe
2007-05-22 12:18 184320 --a------ C:\WINDOWS\system32\Phanfare Screensaver.scr
2007-05-16 09:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 09:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 09:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 09:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 09:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
1998-05-14 22:00 73184 --a------ C:\Program Files\Common Files\dao2535.tlb
1998-04-26 22:00 570128 --a------ C:\Program Files\Common Files\Dao350.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Calendar 200X Reminder"="C:\Program Files\Calendar 200X\calendar.exe" [2004-01-25 15:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-16 15:26]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 09:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 09:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-17 23:20]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-14 10:34]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

C:\Documents and Settings\j-me\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 08:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 08:00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S2 tm_cfw;Common Firewall Driver;C:\WINDOWS\system32\Drivers\tm_cfw.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 MagEpNt;MagEpNt;C:\WINDOWS\system32\drivers\MagEpNt.sys


Contents of the 'Scheduled Tasks' folder
2007-08-02 17:38:47 C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job - C:\Program Files\MalwareBot\MalwareBot.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 15:02:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 15:04:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-11 15:04
C:\ComboFix2.txt ... 2007-08-11 11:32

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 3:08:29 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\j-me\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oe.quickbooks.com/redir.cfm?page=login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Calendar 200X Reminder] C:\Program Files\Calendar 200X\calendar.exe notes
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131827021340
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c7/v16.607/qboax10.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#6 RichieUK


Posted 11 August 2007 - 03:33 PM

You've no virus protection installed, but you have still got the remnants of Panda on your PC, so let's remove those first.

Copy and paste the following text into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double-click the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
rem Stop the leftover Panda process-protection service, then remove its registration.
sc stop PavPrSrv
sc delete PavPrSrv

Restart your pc.

---------------------------------------------------

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\Common Files\Panda Software

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

---------------------------------------------------

Download and install one of the following free antivirus programs.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

---------------------------------------------------

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?' > 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.

Now run AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

1) Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

2) Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done, then restart your PC.

Post the AVG Anti-Spyware report and a new Hijackthis log please.
Let me know how your pc is running now.

#7 purenoumena


Posted 14 August 2007 - 01:03 PM

Sorry for the few days delay, I'm not at this computer every day.

I ran AVG then ran AVG 7.5 as instructed. However - it didn't save a log the first time! I'm not sure why - I checked and I did have everything set exactly as instructed.

It saved a log the second time, there were no problems detected, so I don't know if that is helpful.

Here is my second AVG log as well as my Hijack this log.

Now that I've installed AVG, however, I cannot check e-mail through Thunderbird. Is there an automatic block setting I should be aware of? Thanks
Jme



---------------------------------------------------------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------------------------------------------------------

+ Created at: 12:35:24 PM 8/14/2007

+ Scan result:

Nothing found.

::Report end


Logfile of HijackThis v1.99.1
Scan saved at 12:37:36 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\j-me\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oe.quickbooks.com/redir.cfm?page=login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Calendar 200X Reminder] C:\Program Files\Calendar 200X\calendar.exe notes
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131827021340
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c7/v16.607/qboax10.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
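
Added here as a worked example (not code from this thread, from HijackThis or from BleepingComputer): a small Python triage script that does mechanically what a helper does by eye on the two logs above. It pulls the entry lines out of a HijackThis log, flags the kinds of entries that get a second look first, and diffs two logs so that the changes between the log in post #5 and the one in post #7 (Panda and Adaptec gone, AVG services added) fall out. The sample input is a constructed subset of lines copied from those two logs; the flagging rules, the EXPECTED_ROOTS list and the function names are my own assumptions, not anything HijackThis defines.

```python
import re

# Constructed sample input: a subset of entry lines copied from the two
# HijackThis v1.99.1 logs posted in this thread (the first from before the
# Panda/AVG changes, the second from after). Real logs are several dozen lines;
# the parser below ignores the header and the process list.
LOG_BEFORE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
"""

LOG_AFTER = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# An HJT entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# First Windows path ending in an executable-style extension inside an entry body.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd))\b", re.IGNORECASE)
# Assumed "normal" homes for autostarts; anything else (Temp, the user profile,
# the root of C:) deserves a look. This list is my assumption, not an HJT rule.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def parse(log_text):
    """Return [(section, body), ...] for every entry line, skipping the rest."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def extract_path(body):
    """Pull the first file path out of an entry body, or None if there is none."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage(log_text):
    """Return [(section, reason, body), ...] for entries worth a second look.

    These are prompts for a human, not verdicts: '(no file)' is usually a
    harmless leftover, and 'Unknown owner' only means the binary carries no
    company string.
    """
    findings = []
    for sec, body in parse(log_text):
        lower = body.lower()
        if lower.endswith("(no file)"):
            findings.append((sec, "orphaned reference: points to a file that no longer exists", body))
        elif sec == "O23" and "unknown owner" in lower:
            findings.append((sec, "service binary has no publisher string; verify it by hand", body))
        elif sec == "O2" and lower.startswith("bho: (no name)"):
            findings.append((sec, "unnamed BHO; identify it by CLSID and path", body))
        elif sec == "O4":
            path = extract_path(body)
            if path and not path.lower().startswith(EXPECTED_ROOTS):
                findings.append((sec, "autostart outside Program Files / Windows", body))
    return findings


def diff_logs(before_text, after_text):
    """Return (removed, added) entry lists between two logs, order-insensitive."""
    before, after = set(parse(before_text)), set(parse(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for sec, reason, body in triage(LOG_AFTER):
        print(f"[{sec}] {reason}\n    {body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nGone since the first log:")
    for sec, body in removed:
        print(f"  - {sec} {body}")
    print("New since the first log:")
    for sec, body in added:
        print(f"  + {sec} {body}")
```

Run it as a script to print the findings and the diff, or import it and call triage() on a full log pasted from a text file. The flags are prompts, not verdicts: the '(no file)' entries such as the Yahoo! Toolbar hook are leftovers that only need cleanup, and 'Unknown owner' on the Adobe and Macromedia licensing services means nothing more than that the binary carries no company string. The diff is the part that scales: comparing the log before and after a fix shows exactly what the fix changed and whether anything unexpected came back.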

#8 RichieUK


Posted 14 August 2007 - 02:10 PM

Your log is clean.

Now that I've installed AVG, however, I cannot check e-mail through thunderbird.

Try uninstalling AVG via Start/Control Panel/Add or Remove Programs, then restart your PC.
Let me know what happens.

#9 purenoumena


Posted 16 August 2007 - 06:25 PM

Your log is clean.

Now that I've installed AVG, however, I cannot check e-mail through thunderbird.

Try uninstalling AVG via Start/Control Panel/Add or Remove Programs, then restart your PC.
Let me know what happens.



Everything seems to be running OK now. I'm working out the setup in the firewall and AVG to make sure we can run our credit card processes, etc. It is an older computer, so with AVG and the firewall running a few things are slowed down just a bit, but it's definitely worth the slight lag to protect against what happened from happening again! Thank you so much!!!

#10 RichieUK


Posted 16 August 2007 - 07:33 PM

Your log is clean :thumbsup:
If all's ok,please do the following.

Find and delete:
Fixwareout.exe
Combofix.exe
fix.bat
OTMoveIt.exe

C:\Fixwareout
C:\Qoobox
C:\_OTMoveIt

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

--------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html



