Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Engine Results Redirected To Search-daily.com


  • Please log in to reply
8 replies to this topic

#1 hanno

hanno

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:48 PM

Posted 10 September 2007 - 05:36 AM

Second post as the first one was not accepted because of me using an old Hijackthis version.

Username "gm" - 09/10/2007 17:16:47 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"iTunesHelper"="\"D:\\ITunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IEFilter"="C:\\Documents and Settings\\gm\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Filters\\IExpl32d.exe"
"PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.13.0.12\\PlaxoHelper.exe -a"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:53 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\ITunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\ITunes\iTunes.exe
C:\WINDOWS\system32\msiexec.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {462E04E6-0AE1-4A51-96A5-339F18BE4B2D} - c:\windows\system32\eiblzncs.dll
O2 - BHO: (no name) - {6F05DF9C-DA65-49C2-8256-251F4301D627} - c:\windows\system32\yvbbvarj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8EB455DE-2007-4800-8125-732496292C15} - c:\windows\system32\omnbomn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\ITunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'Default user')
O4 - Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\Software\..\Telephony: DomainName = ptvictoria.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\System\CS1\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\System\CS2\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: deanqwbt - C:\WINDOWS\SYSTEM32\omnbomn.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/gm/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 9121 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 10 September 2007 - 09:20 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum hanno :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 hanno

hanno
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:48 PM

Posted 10 September 2007 - 08:07 PM

Hi Richie, and thank you for the welcome :thumbsup:

Please find below both the Combofix and Hijackthis logs (thank you in advance for your help):

ComboFix 07-09-11.1 - "gm" 2007-09-11 7:50:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.388 [GMT 7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\gm\LOCALS~1\APPLIC~1\microsoft\internet explorer\filters
C:\DOCUME~1\gm\LOCALS~1\APPLIC~1\microsoft\internet explorer\filters\filter.drv
C:\DOCUME~1\gm\LOCALS~1\APPLIC~1\microsoft\internet explorer\filters\prx531e.dll
C:\WINDOWS\system32\dbxDgrevCheck.dll
C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\WINDOWS\system32\drivers\hd_files.cfg
C:\WINDOWS\system32\drivers\hd_proc.cfg
C:\WINDOWS\system32\drivers\hd_rkeys.cfg
C:\WINDOWS\system32\drivers\hd_rvals.cfg
C:\WINDOWS\system32\drivers\hd_self.cfg


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_HFLT_IPF
-------\LEGACY_KCYKWQMB
-------\LEGACY_RDKVJZAS
-------\hflt_ipf
-------\kcykwqmb
-------\rdkvjzas


((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
.

2007-09-11 07:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 08:58 102,044 --a------ C:\WINDOWS\system32\yvbbvarj.dll
2007-08-17 11:54 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-17 08:27 48,640 --a------ C:\WINDOWS\system32\lnuoonso.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 08:03 --------- d-a--c--- C:\DOCUME~1\gm\APPLIC~1\Skype
2007-09-11 08:02 --------- d-------- C:\Program Files\Plaxo
2007-09-10 09:20 126464 --a------ C:\WINDOWS\system32\selpbpmc.dll
2007-09-09 08:48 --------- d-------- C:\Program Files\iPod
2007-09-08 09:14 82944 --a------ C:\WINDOWS\system32\omnbomn.dll
2007-09-07 09:09 756224 --a------ C:\WINDOWS\system32\pmuzfnyk.dll
2007-09-07 09:09 67584 --a------ C:\WINDOWS\system32\eiblzncs.dll
2007-09-07 09:09 46592 --a------ C:\WINDOWS\system32\aioxailh.dll
2007-09-07 09:09 102912 --a------ C:\WINDOWS\system32\vsmbmujj.dll
2007-09-06 17:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 17:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 17:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 17:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 17:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 17:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-06 17:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 08:01 --------- d-a--c--- C:\DOCUME~1\gm\APPLIC~1\AdobeUM
2007-09-03 07:45 17280 --a------ C:\WINDOWS\system32\drivers\ypbuabbc.sys
2007-08-28 10:24 --------- d-------- C:\Program Files\DivX
2007-08-18 04:32 --------- d-------- C:\Program Files\Yahoo!
2007-08-17 11:58 --------- d-a------ C:\DOCUME~1\gm\APPLIC~1\Yahoo!
2007-08-15 04:29 --------- d----c--- C:\DOCUME~1\gm\APPLIC~1\LimeWire
2007-08-11 05:01 --------- d-------- C:\Program Files\Apple Software Update
2007-07-28 08:02 --------- d-------- C:\Program Files\QuickTime
2007-07-27 06:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 06:06 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-27 06:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 06:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 06:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 06:06 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-27 06:06 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 06:06 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-27 06:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 06:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 06:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 06:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 06:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 06:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 06:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 06:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 06:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 06:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 06:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 06:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 06:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 06:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-13 16:54 --------- d----c--- C:\DOCUME~1\gm\APPLIC~1\Opera
2007-07-11 18:07 --------- d-------- C:\Program Files\Alwil Software
2007-07-11 16:50 684567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-07-11 16:50 147729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-07-11 16:37 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-11 16:28 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-07-11 10:02 --------- d----c--- C:\DOCUME~1\ADMINI~1\APPLIC~1\SPAMfighter
2007-06-25 15:04 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
2004-09-01 00:00:00 188,416 --sh--r C:\WINDOWS\system32\mshtmldat32.exe
2004-09-01 00:00:00 188,416 --sh--r C:\WINDOWS\system32\sdrivew32.exe
2004-09-01 00:00:00 188,416 --sh--r C:\WINDOWS\system32\winlgcvers.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462E04E6-0AE1-4A51-96A5-339F18BE4B2D}]
2007-09-07 09:09 67584 --a------ c:\windows\system32\eiblzncs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 17:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"iTunesHelper"="D:\ITunes\iTunesHelper.exe" [2007-09-07 16:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-01 07:00]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe" [2007-03-06 11:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-10-08 09:28:51]

C:\DOCUME~1\gm\STARTM~1\Programs\Startup\
OUTLOOK.EXE.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2005-10-22 15:15:28]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Phone Connection Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Phone Connection Monitor.lnk
backup=C:\WINDOWS\pss\Phone Connection Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^gm^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\gm\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^gm^Start Menu^Programs^Startup^OUTLOOK.lnk]
path=C:\Documents and Settings\gm\Start Menu\Programs\Startup\OUTLOOK.lnk
backup=C:\WINDOWS\pss\OUTLOOK.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^gm^Start Menu^Programs^Startup^Shortcut to Skype.exe.lnk]
path=C:\Documents and Settings\gm\Start Menu\Programs\Startup\Shortcut to Skype.exe.lnk
backup=C:\WINDOWS\pss\Shortcut to Skype.exe.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
-

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPAMfighter Agent]
"D:\Spamfighter\SFAgent.exe" update delay 60

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBDetector]
C:\USBStorage\USBDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04a66d9c-88b8-11db-832a-000ffe381485}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- G:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf7225bf-5d55-11da-81cb-000ffe381485}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e323fa3d-d41a-11da-8267-000ffe381485}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- G:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f510a64e-1256-11dc-83c2-000ffe381485}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- Recycled\ctfmon.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 06:47:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 08:02:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\x2.64.exe
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
**************************************************************************
.
Completion time: 2007-09-11 8:04:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-11 08:04
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:09, on 2007-09-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\ITunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {462E04E6-0AE1-4A51-96A5-339F18BE4B2D} - c:\windows\system32\eiblzncs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\ITunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'Default user')
O4 - Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\Software\..\Telephony: DomainName = ptvictoria.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\System\CS1\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\System\CS2\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/gm/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8138 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 11 September 2007 - 02:49 AM

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open,at the bottom of the window to the right of Attributes,check the box that says 'Read-only'.
4) Click Apply/OK.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\yvbbvarj.dll
C:\WINDOWS\system32\lnuoonso.dll
C:\WINDOWS\system32\selpbpmc.dll
C:\WINDOWS\system32\omnbomn.dll
C:\WINDOWS\system32\pmuzfnyk.dll
C:\WINDOWS\system32\eiblzncs.dll
C:\WINDOWS\system32\aioxailh.dll
C:\WINDOWS\system32\vsmbmujj.dll
C:\WINDOWS\system32\drivers\ypbuabbc.sys
C:\WINDOWS\system32\mshtmldat32.exe
C:\WINDOWS\system32\sdrivew32.exe
C:\WINDOWS\system32\winlgcvers.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462E04E6-0AE1-4A51-96A5-339F18BE4B2D}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf7225bf-5d55-11da-81cb-000ffe381485}]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#5 hanno

hanno
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:48 PM

Posted 11 September 2007 - 09:55 PM

Hi Richie,

Here goes:

ComboFix 07-09-11.1 - "gm" 2007-09-12 9:48:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.355 [GMT 7:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\yvbbvarj.dll
C:\WINDOWS\system32\lnuoonso.dll
C:\WINDOWS\system32\selpbpmc.dll
C:\WINDOWS\system32\omnbomn.dll
C:\WINDOWS\system32\pmuzfnyk.dll
C:\WINDOWS\system32\eiblzncs.dll
C:\WINDOWS\system32\aioxailh.dll
C:\WINDOWS\system32\vsmbmujj.dll
C:\WINDOWS\system32\drivers\ypbuabbc.sys
C:\WINDOWS\system32\mshtmldat32.exe
C:\WINDOWS\system32\sdrivew32.exe
C:\WINDOWS\system32\winlgcvers.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aioxailh.dll
C:\WINDOWS\system32\drivers\ypbuabbc.sys
C:\WINDOWS\system32\eiblzncs.dll
C:\WINDOWS\system32\lnuoonso.dll
C:\WINDOWS\system32\mshtmldat32.exe
C:\WINDOWS\system32\omnbomn.dll
C:\WINDOWS\system32\pmuzfnyk.dll
C:\WINDOWS\system32\sdrivew32.exe
C:\WINDOWS\system32\selpbpmc.dll
C:\WINDOWS\system32\vsmbmujj.dll
C:\WINDOWS\system32\winlgcvers.exe
C:\WINDOWS\system32\yvbbvarj.dll


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-12 08:18 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-11 07:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-08-17 11:54 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 09:52 --------- d-a--c--- C:\DOCUME~1\gm\APPLIC~1\Skype
2007-09-12 09:51 --------- d-------- C:\Program Files\Plaxo
2007-09-12 08:15 --------- d-------- C:\Program Files\Yahoo!
2007-09-09 08:48 --------- d-------- C:\Program Files\iPod
2007-09-06 17:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 17:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 17:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 17:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 17:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 17:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-06 17:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 08:01 --------- d-a--c--- C:\DOCUME~1\gm\APPLIC~1\AdobeUM
2007-08-28 10:24 --------- d-------- C:\Program Files\DivX
2007-08-17 11:58 --------- d-a------ C:\DOCUME~1\gm\APPLIC~1\Yahoo!
2007-08-15 04:29 --------- d----c--- C:\DOCUME~1\gm\APPLIC~1\LimeWire
2007-08-11 05:01 --------- d-------- C:\Program Files\Apple Software Update
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a--c--- C:\WINDOWS\system32\wups.dll
2007-07-28 08:02 --------- d-------- C:\Program Files\QuickTime
2007-07-27 06:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 06:06 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-27 06:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 06:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 06:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 06:06 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-27 06:06 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 06:06 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-27 06:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 06:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 06:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 06:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 06:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 06:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 06:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 06:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 06:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 06:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 06:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 06:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 06:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 06:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-13 16:54 --------- d----c--- C:\DOCUME~1\gm\APPLIC~1\Opera
2007-07-11 16:50 684567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-07-11 16:50 147729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-06-25 15:04 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-11_ 80340.16 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 53,608 2007-09-12 01:09:38 C:\WINDOWS\system32\perfc009.dat
----a-w 383,254 2007-09-12 01:09:38 C:\WINDOWS\system32\perfh009.dat
-c--a-w 92,504 2007-07-30 12:19:20 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 549,720 2007-07-30 12:19:36 C:\WINDOWS\system32\dllcache\wuapi.dll
-c--a-w 53,080 2007-07-30 12:19:16 C:\WINDOWS\system32\dllcache\wuauclt.exe
-c--a-w 1,712,984 2007-07-30 12:19:42 C:\WINDOWS\system32\dllcache\wuaueng.dll
-c--a-w 325,976 2007-07-30 12:19:32 C:\WINDOWS\system32\dllcache\wucltui.dll
-c--a-w 33,624 2007-07-30 12:18:40 C:\WINDOWS\system32\dllcache\wups.dll
-c--a-w 203,096 2007-07-30 12:19:28 C:\WINDOWS\system32\dllcache\wuweb.dll
----a-w 33,624 2007-07-30 12:18:40 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
----atw 16,384 2007-09-12 02:50:32 C:\WINDOWS\Temp\Perflib_Perfdata_524.dat
.
----a-w 53,608 2007-09-11 00:34:43 C:\WINDOWS\system32\perfc009.dat
----a-w 383,254 2007-09-11 00:34:43 C:\WINDOWS\system32\perfh009.dat
-c--a-w 66,560 2004-09-01 00:00:00 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 430,592 2004-09-01 00:00:00 C:\WINDOWS\system32\dllcache\wuapi.dll
-c--a-w 111,104 2004-09-01 00:00:00 C:\WINDOWS\system32\dllcache\wuauclt.exe
-c--a-w 1,134,592 2004-09-01 00:00:00 C:\WINDOWS\system32\dllcache\wuaueng.dll
-c--a-w 112,640 2004-09-01 00:00:00 C:\WINDOWS\system32\dllcache\wucltui.dll
-c--a-w 36,864 2004-09-01 00:00:00 C:\WINDOWS\system32\dllcache\wups.dll
-c--a-w 120,320 2004-09-01 00:00:00 C:\WINDOWS\system32\dllcache\wuweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 17:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"iTunesHelper"="D:\ITunes\iTunesHelper.exe" [2007-09-07 16:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe" [2007-03-06 11:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-10-08 09:28:51]

C:\DOCUME~1\gm\STARTM~1\Programs\Startup\
OUTLOOK.EXE.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2005-10-22 15:15:28]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Phone Connection Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Phone Connection Monitor.lnk
backup=C:\WINDOWS\pss\Phone Connection Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^gm^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\gm\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^gm^Start Menu^Programs^Startup^OUTLOOK.lnk]
path=C:\Documents and Settings\gm\Start Menu\Programs\Startup\OUTLOOK.lnk
backup=C:\WINDOWS\pss\OUTLOOK.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^gm^Start Menu^Programs^Startup^Shortcut to Skype.exe.lnk]
path=C:\Documents and Settings\gm\Start Menu\Programs\Startup\Shortcut to Skype.exe.lnk
backup=C:\WINDOWS\pss\Shortcut to Skype.exe.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPAMfighter Agent]
"D:\Spamfighter\SFAgent.exe" update delay 60

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBDetector]
C:\USBStorage\USBDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04a66d9c-88b8-11db-832a-000ffe381485}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- G:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e323fa3d-d41a-11da-8267-000ffe381485}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- G:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f510a64e-1256-11dc-83c2-000ffe381485}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- Recycled\ctfmon.exe

*Newly Created Service* - BITS
.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 06:47:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 09:51:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\x2.64.exe
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
**************************************************************************
.
Completion time: 2007-09-12 9:54:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-12 09:53
C:\ComboFix2.txt ... 2007-09-11 08:04
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:58, on 2007-09-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\ITunes\iTunesHelper.exe
C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\ITunes\iTunes.exe
C:\WINDOWS\system32\msiexec.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\ITunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'Default user')
O4 - Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\Software\..\Telephony: DomainName = ptvictoria.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\System\CS1\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\System\CS2\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/gm/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8338 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 12 September 2007 - 05:02 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktopPosted Imageand agree to merge the imformation into the registry,then restart your pc.

REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04a66d9c-88b8-11db-832a-000ffe381485}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e323fa3d-d41a-11da-8267-000ffe381485}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f510a64e-1256-11dc-83c2-000ffe381485}]

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section,have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed,cleaning is finished.


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#7 hanno

hanno
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:48 PM

Posted 12 September 2007 - 08:03 PM

Hi Richie,

I am afraid I will have to continue later, I am off for a holiday and will be back on the 3rd of October. Sorry, and talk to you then,

Hanno

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 13 September 2007 - 04:25 AM

Ok Hanno,thanks for the update.
Posted Image
Posted Image

#9 hanno

hanno
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:48 PM

Posted 04 October 2007 - 04:41 AM

Hi Richie,

Just got back from my holidays and did as you requested. Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/04/2007 at 04:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3318
Trace Rules Database Version: 1319

Scan type : Complete Scan
Total Scan Time : 00:31:56

Memory items scanned : 494
Memory threats detected : 0
Registry items scanned : 6550
Registry threats detected : 0
File items scanned : 32464
File threats detected : 1

Trojan.Download-Gen/DSPRPRE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YVBBVARJ.DLL.VIR


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43, on 2007-10-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\ITunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\ITunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'Default user')
O4 - Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\Software\..\Telephony: DomainName = ptvictoria.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\System\CS1\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ptvictoria.lan
O17 - HKLM\System\CS2\Services\Tcpip\..\{BB973456-5269-403C-992F-CE313C8DF602}: NameServer = 203.162.4.191,203.162.4.190
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/gm/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8615 bytes


Regards,

Hanno




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users