
Hijackthis Log : Please Help Diagnose


This topic is locked
8 replies to this topic

#1 ejack37

ejack37

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 13 September 2007 - 09:06 PM

PLEASE HELP!
I have run BitDefender and Avast Antivirus and still cannot be rid of whatever it is!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:30 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vawotpdx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ISM\ISMModule4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\Documents and Settings\Administrator\Desktop\SUPPORT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: (no name) - {7ADDD52B-58D5-4AAF-A1D1-19FEB9DA422F} - C:\WINDOWS\system32\sstqn.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\awtsroo.dll
O2 - BHO: (no name) - {CC90DF22-30EE-1B39-EA5A-3D76651854CE} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [teje] C:\Program Files\Accessories\teje22011.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DA197C7734672DE3F516CAC59B6
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [{E3-37-76-65-ZN}] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [Seue] "C:\DOCUME~1\ADMINI~1\APPLIC~1\YMBOLS~1\wuaclt.exe" -vt ndrv
O4 - HKCU\..\Run: [Fok] "C:\Documents and Settings\Administrator\My Documents\F?nts\cmd.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\kfneq.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: LogMeIn.lnk = C:\Program Files\LogMeIn\raabout.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131125483234
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: awtsroo - C:\WINDOWS\SYSTEM32\awtsroo.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iZXJ0\command.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\vawotpdx.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: sqlOFFICE1 (SQLANYs_sqlOFFICE1) - Unknown owner - C:\MICROS\Database\SQLAny50\WIN32\DBSrv50.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6664 bytes
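A triage pass over lines like the ones in the log above, as an added example that is not code from BleepingComputer, Trend Micro or anyone in this thread: it parses the HijackThis line format and applies the checks a malware-response helper makes by eye (nameless BHOs, autostarts from temp or profile directories, lookalike system binaries, unexpected Winlogon Notify packages, unknown-owner services, base64-named directories). The sample lines are copied from the posted log; the Winlogon Notify allowlist is an assumption.

```python
"""Heuristic triage of HijackThis log lines.

Added example, not code from BleepingComputer, Trend Micro or this thread.
A flag is a prompt to look closer at a loading point, not a verdict on it.
"""
import base64
import re
from typing import Dict, List

# Winlogon Notify packages present on a stock Windows XP install (assumed,
# partial allowlist; anything else is flagged for review).
KNOWN_NOTIFY = {"crypt32chg", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Directories a legitimate autostart rarely lives in (8.3 short forms included).
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\my documents\\", "\\locals~1\\", "\\applic~1\\")
# Names imitating core binaries, and binaries only legitimate under system32.
LOOKALIKES = {"svhost.exe", "scvhost.exe"}
SYSTEM32_ONLY = {"svchost.exe", "cmd.exe", "wuauclt.exe", "lsass.exe"}

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)", re.IGNORECASE)

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7ADDD52B-58D5-4AAF-A1D1-19FEB9DA422F} - C:\WINDOWS\system32\sstqn.dll
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [{E3-37-76-65-ZN}] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [Fok] "C:\Documents and Settings\Administrator\My Documents\F?nts\cmd.exe"
O20 - Winlogon Notify: awtsroo - C:\WINDOWS\SYSTEM32\awtsroo.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iZXJ0\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def looks_base64_word(name: str) -> bool:
    """True if a path component is valid base64 for a plain alphanumeric word,
    e.g. Um9iZXJ0 decodes to 'Robert'; ordinary names such as system32 do not."""
    if len(name) < 8 or len(name) % 4:
        return False
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return text.isalnum()


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a closer look ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    low = body.lower()
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    low_path = path.lower()
    base = low_path.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if kind == "O2" and ("(no name)" in low or "(no file)" in low):
        reasons.append("BHO with no name or no backing file")
    if kind in ("F3", "O4"):
        if any(d in low_path for d in USER_WRITABLE):
            reasons.append("autostart from a user-writable or temp directory")
        if base in LOOKALIKES:
            reasons.append(f"{base} imitates a core Windows binary")
        elif base in SYSTEM32_ONLY and "\\system32\\" not in low_path:
            reasons.append(f"{base} loaded from outside system32")
    if kind == "O20":
        pkg = body.split("Winlogon Notify:", 1)[-1].split(" - ")[0].strip().lower()
        if pkg not in KNOWN_NOTIFY:
            reasons.append(f"unexpected Winlogon Notify package '{pkg}'")
    if kind == "O23" and "unknown owner" in low:
        reasons.append("service with unknown owner; verify the publisher")
        if "(file missing)" in low:
            reasons.append("service points at a missing file (leftover loading point)")
        if any(looks_base64_word(part) for part in path.split("\\")):
            reasons.append("service path contains a base64-encoded directory name")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map every flagged line of a log to its reasons, in log order."""
    flagged: Dict[str, List[str]] = {}
    for ln in text.splitlines():
        why = triage_line(ln)
        if why:
            flagged[ln.strip()] = why
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry, "\n   ->", "; ".join(why))
```

Run against the full log above, the same rules also catch the retadpu77/svhost entries under HKLM\..\Run and the DomainService entry with an unknown owner.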


#2 ejack37

ejack37
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 14 September 2007 - 12:08 AM

Oh, sorry, forgot to put the type of virus... keep getting popups from fling.com and Internet Speed Monitor... Ran BitDefender, Avast, Panda, and trying Kaspersky free scans and keep getting trojan viruses (rond, vundo and probably some others). Also can't uninstall Command, Network Monitor and Words in Add/Remove Programs. Please help, what can I do?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:00 AM

Posted 14 September 2007 - 09:54 AM

Hello ejack37,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 ejack37

ejack37
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 15 September 2007 - 02:45 AM

Thanks for the response, here is the info you asked for.



Combofix Log

ComboFix 07-09-14.2 - "Administrator" 2007-09-15 0:17:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.284 [GMT -7:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-14 22:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 21:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-13 21:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-13 20:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-13 18:56 13,773 --------- C:\DOCUME~1\ADMINI~1\ie_update3r.exe
2007-09-12 21:44 <DIR> d-------- C:\WINDOWS\pss
2007-09-12 20:30 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-09-12 20:30 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\BitDefender
2007-09-12 20:27 <DIR> d-------- C:\Program Files\BitDefender
2007-09-12 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-09-12 20:23 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-09-12 19:45 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-12 19:09 43,392 --a------ C:\WINDOWS\system32\drivers\Athfmwdl.sys
2007-09-12 19:09 285,568 --a------ C:\WINDOWS\system32\drivers\ar5523.sys
2007-09-12 19:09 142,768 --a------ C:\WINDOWS\system32\drivers\ar5523.bin
2007-09-05 02:50 <DIR> d-------- C:\Program Files\Words
2007-09-04 16:38 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-04 15:50 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-04 12:22 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-08-30 14:33 2,006,138 --ahs---- C:\WINDOWS\system32\nqtss.ini2
2007-08-29 12:50 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-28 16:46 75,328 --------- C:\WINDOWS\system32\vawotpdx.exe
2007-08-28 04:44 2,006,384 --ahs---- C:\WINDOWS\system32\nqtss.bak2
2007-08-27 11:18 2,019,308 --ahs---- C:\WINDOWS\system32\nqtss.bak1
2007-08-27 11:17 298,080 --a------ C:\WINDOWS\system32\sstqn.dll
2007-08-27 11:12 43,542 --a------ C:\WINDOWS\system32\awtsroo.dll
2007-08-27 11:12 <DIR> d--hs---- C:\WINDOWS\Um9iZXJ0
2007-08-27 11:12 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-08-27 11:11 <DIR> d-------- C:\WINDOWS\system32\tempsz11
2007-08-27 11:11 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-27 11:11 <DIR> d-------- C:\WINDOWS\system32\drvfig32
2007-08-27 11:11 <DIR> d-------- C:\WINDOWS\system32\dllz1
2007-08-19 09:42 7,818 --a------ C:\sysboyp.exe
2007-08-19 09:25 <DIR> d-------- C:\Program Files\WinBudget

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-04 17:52 --------- d-------- C:\Program Files\McAfee.com
2007-09-04 17:47 --------- d-------- C:\Program Files\Full Tilt Poker.Net
2007-09-04 17:45 --------- d-------- C:\Program Files\OpenTable
2007-09-04 17:41 --------- d-------- C:\Program Files\SPAMfighter
2007-09-04 17:40 --------- d-------- C:\Program Files\NoAdware4
2007-09-04 17:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-09-04 17:11 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-09-04 17:10 --------- d-------- C:\Program Files\Dell
2007-08-27 11:12 --------- dr------- C:\Program Files\Accessories
2007-08-24 13:05 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-08-02 17:03 188432 --a------ C:\WINDOWS\system32\drivers\bdfsfltr.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 18:47 87568 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-07-20 15:54 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2004-07-16 17:10 266 ---hs---- C:\Program Files\desktop.ini
2004-07-16 17:10 11079 --ah----- C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B9553FF-47DC-4328-8A6A-6DF9109BFBEC}]
2007-08-27 11:17 298080 --a------ C:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
2007-08-27 11:12 43542 --a------ C:\WINDOWS\system32\awtsroo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC90DF22-30EE-1B39-EA5A-3D76651854CE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" []
"MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" []
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" []
"ToolExe"="c:\program files\dell\traytool.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"Wise-FTP Scheduler"="" []
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" []
"Seue"="C:\DOCUME~1\ADMINI~1\APPLIC~1\YMBOLS~1\wuaclt.exe" []
"Fok"="C:\Documents and Settings\Administrator\My Documents\F?nts\cmd.exe" []
"Words"="C:\Program Files\Words\Words.exe" [2007-09-05 02:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\awtsroo.dll [2007-08-27 11:12 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsroo]
awtsroo.dll 2007-08-27 11:12 43542 C:\WINDOWS\system32\awtsroo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqn]
C:\WINDOWS\system32\sstqn.dll 2007-08-27 11:17 298080 C:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)

R1 bdftdif;bdftdif;\??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys
R3 bdfsfltr;bdfsfltr;C:\WINDOWS\system32\DRIVERS\bdfsfltr.sys
R3 BDSelfPr;BDSelfPr;\??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys
R3 scan;BitDefender Threat Scanner;C:\WINDOWS\System32\svchost.exe -kbdx
S3 AR5523;Atheros USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5523.sys
S3 ATHFMWDL;Atheros USB Wireless Adapter Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
S3 MXOFX;USB Storage Adapter FX (MXO);C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;\??\D:\PNDIS5.SYS
S3 SQLANYs_sqlOFFICE1;sqlOFFICE1;C:\MICROS\Database\SQLAny50\WIN32\DBSrv50.exe -hvSQLANYs_sqlOFFICE1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan

.
Contents of the 'Scheduled Tasks' folder
"2007-08-28 05:22:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 00:31:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
Completion time: 2007-09-15 0:37:19
C:\ComboFix-quarantined-files.txt ... 2007-09-15 00:37
.
--- E O F ---

________________________________


New HijackThis Log


#5 ejack37

ejack37
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 15 September 2007 - 02:47 AM

SORRY, here is the actual HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:41 AM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Words\Words.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\SUPPORT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B9553FF-47DC-4328-8A6A-6DF9109BFBEC} - C:\WINDOWS\system32\sstqn.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\awtsroo.dll
O2 - BHO: (no name) - {CC90DF22-30EE-1B39-EA5A-3D76651854CE} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [Seue] "C:\DOCUME~1\ADMINI~1\APPLIC~1\YMBOLS~1\wuaclt.exe" -vt ndrv
O4 - HKCU\..\Run: [Fok] "C:\Documents and Settings\Administrator\My Documents\F?nts\cmd.exe"
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - Global Startup: LogMeIn.lnk = C:\Program Files\LogMeIn\raabout.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131125483234
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: awtsroo - C:\WINDOWS\SYSTEM32\awtsroo.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: sqlOFFICE1 (SQLANYs_sqlOFFICE1) - Unknown owner - C:\MICROS\Database\SQLAny50\WIN32\DBSrv50.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5200 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:00 AM

Posted 15 September 2007 - 12:05 PM

Hello,

Something interfered with ComboFix, and I believe it was Microsoft AntiSpyware, which is now Windows Defender. I suggest you uninstall Microsoft AntiSpyware, and install Windows Defender when your system is clean. After you uninstall, please run ComboFix again and post the report.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 ejack37

ejack37
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 15 September 2007 - 12:40 PM

Uninstalled the Microsoft Antivirus; here is the new ComboFix log.

ComboFix 07-09-14.2 - "Administrator" 2007-09-15 10:15:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -7:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-14 22:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 21:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-13 21:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-13 20:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-13 18:56 13,773 --------- C:\DOCUME~1\ADMINI~1\ie_update3r.exe
2007-09-12 21:44 <DIR> d-------- C:\WINDOWS\pss
2007-09-12 20:30 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-09-12 20:30 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\BitDefender
2007-09-12 20:27 <DIR> d-------- C:\Program Files\BitDefender
2007-09-12 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-09-12 20:23 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-09-12 19:45 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-12 19:09 43,392 --a------ C:\WINDOWS\system32\drivers\Athfmwdl.sys
2007-09-12 19:09 285,568 --a------ C:\WINDOWS\system32\drivers\ar5523.sys
2007-09-12 19:09 142,768 --a------ C:\WINDOWS\system32\drivers\ar5523.bin
2007-09-05 02:50 <DIR> d-------- C:\Program Files\Words
2007-09-04 16:38 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-04 15:50 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-04 12:22 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-08-30 14:33 2,006,138 --ahs---- C:\WINDOWS\system32\nqtss.ini2
2007-08-29 12:50 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-28 16:46 75,328 --------- C:\WINDOWS\system32\vawotpdx.exe
2007-08-28 04:44 2,006,384 --ahs---- C:\WINDOWS\system32\nqtss.bak2
2007-08-27 11:18 2,019,308 --ahs---- C:\WINDOWS\system32\nqtss.bak1
2007-08-27 11:17 298,080 --a------ C:\WINDOWS\system32\sstqn.dll
2007-08-27 11:12 43,542 --a------ C:\WINDOWS\system32\awtsroo.dll
2007-08-27 11:12 <DIR> d--hs---- C:\WINDOWS\Um9iZXJ0
2007-08-27 11:12 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-08-27 11:11 <DIR> d-------- C:\WINDOWS\system32\tempsz11
2007-08-27 11:11 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-27 11:11 <DIR> d-------- C:\WINDOWS\system32\drvfig32
2007-08-27 11:11 <DIR> d-------- C:\WINDOWS\system32\dllz1
2007-08-19 09:42 7,818 --a------ C:\sysboyp.exe
2007-08-19 09:25 <DIR> d-------- C:\Program Files\WinBudget

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 10:10 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-09-04 17:52 --------- d-------- C:\Program Files\McAfee.com
2007-09-04 17:47 --------- d-------- C:\Program Files\Full Tilt Poker.Net
2007-09-04 17:45 --------- d-------- C:\Program Files\OpenTable
2007-09-04 17:41 --------- d-------- C:\Program Files\SPAMfighter
2007-09-04 17:40 --------- d-------- C:\Program Files\NoAdware4
2007-09-04 17:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-09-04 17:10 --------- d-------- C:\Program Files\Dell
2007-08-27 11:12 --------- dr------- C:\Program Files\Accessories
2007-08-24 13:05 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-08-02 17:03 188432 --a------ C:\WINDOWS\system32\drivers\bdfsfltr.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 18:47 87568 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-07-20 15:54 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2004-07-16 17:10 266 ---hs---- C:\Program Files\desktop.ini
2004-07-16 17:10 11079 --ah----- C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot_2007-09-15_ 03458.00 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 62,344 2007-09-15 07:39:34 C:\WINDOWS\system32\perfc009.dat
----a-w 401,064 2007-09-15 07:39:34 C:\WINDOWS\system32\perfh009.dat
.
----a-w 62,344 2007-09-14 01:17:59 C:\WINDOWS\system32\perfc009.dat
----a-w 401,064 2007-09-14 01:18:00 C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B9553FF-47DC-4328-8A6A-6DF9109BFBEC}]
2007-08-27 11:17 298080 --a------ C:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
2007-08-27 11:12 43542 --a------ C:\WINDOWS\system32\awtsroo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC90DF22-30EE-1B39-EA5A-3D76651854CE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" []
"MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" []
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" []
"ToolExe"="c:\program files\dell\traytool.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"Wise-FTP Scheduler"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" []
"Seue"="C:\DOCUME~1\ADMINI~1\APPLIC~1\YMBOLS~1\wuaclt.exe" []
"Fok"="C:\Documents and Settings\Administrator\My Documents\F?nts\cmd.exe" []
"Words"="C:\Program Files\Words\Words.exe" [2007-09-05 02:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\awtsroo.dll [2007-08-27 11:12 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsroo]
awtsroo.dll 2007-08-27 11:12 43542 C:\WINDOWS\system32\awtsroo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqn]
C:\WINDOWS\system32\sstqn.dll 2007-08-27 11:17 298080 C:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)

R1 bdftdif;bdftdif;\??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys
R3 AR5523;Atheros USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5523.sys
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys
R3 bdfsfltr;bdfsfltr;C:\WINDOWS\system32\DRIVERS\bdfsfltr.sys
R3 BDSelfPr;BDSelfPr;\??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys
R3 scan;BitDefender Threat Scanner;C:\WINDOWS\System32\svchost.exe -kbdx
S3 ATHFMWDL;Atheros USB Wireless Adapter Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
S3 MXOFX;USB Storage Adapter FX (MXO);C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;\??\D:\PNDIS5.SYS
S3 SQLANYs_sqlOFFICE1;sqlOFFICE1;C:\MICROS\Database\SQLAny50\WIN32\DBSrv50.exe -hvSQLANYs_sqlOFFICE1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan

.
Contents of the 'Scheduled Tasks' folder
"2007-08-28 05:22:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 10:21:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
Completion time: 2007-09-15 10:27:10
C:\ComboFix-quarantined-files.txt ... 2007-09-15 10:27
C:\ComboFix2.txt ... 2007-09-15 00:37
.
--- E O F ---

And here is the new HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:51 AM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Words\Words.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\SUPPORT\HiJackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B9553FF-47DC-4328-8A6A-6DF9109BFBEC} - C:\WINDOWS\system32\sstqn.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\awtsroo.dll
O2 - BHO: (no name) - {CC90DF22-30EE-1B39-EA5A-3D76651854CE} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [Seue] "C:\DOCUME~1\ADMINI~1\APPLIC~1\YMBOLS~1\wuaclt.exe" -vt ndrv
O4 - HKCU\..\Run: [Fok] "C:\Documents and Settings\Administrator\My Documents\F?nts\cmd.exe"
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - Global Startup: LogMeIn.lnk = C:\Program Files\LogMeIn\raabout.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131125483234
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: awtsroo - C:\WINDOWS\SYSTEM32\awtsroo.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: sqlOFFICE1 (SQLANYs_sqlOFFICE1) - Unknown owner - C:\MICROS\Database\SQLAny50\WIN32\DBSrv50.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5154 bytes

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 September 2007 - 03:47 PM

I have no idea how I missed this. :thumbsup: Are you still with me?

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 September 2007 - 05:10 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic