Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Please Help Diagnose


  • Please log in to reply
6 replies to this topic

#1 brc911

brc911

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 15 September 2007 - 03:35 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:19 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WCAT.EXE
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\SlimBrowser\sbrowser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1085806099-3993469562-2165517387-1003\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-1085806099-3993469562-2165517387-1003 Startup: WCAT.EXE (User '?')
O4 - Startup: WCAT.EXE
O4 - Global Startup: WCAT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5131 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 16 September 2007 - 09:35 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum brc911 :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 brc911

brc911
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 19 September 2007 - 02:54 PM

ComboFix 07-09-19.8 - "Owner" 2007-09-19 15:40:40.1 - NTFSx86
.

((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-19 15:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-17 12:41 <DIR> d-------- C:\Program Files\Virtools
2007-09-15 22:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-09-15 21:24 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-09-15 16:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-15 16:16 <DIR> d-------- C:\Program Files\SpywareGuard
2007-09-14 14:44 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-09-14 14:41 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-09-14 14:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
2007-09-11 20:58 <DIR> d-------- C:\Program Files\Duplicate File Finder
2007-09-11 20:36 <DIR> d-------- C:\WINDOWS\$regcmp$
2007-09-11 18:22 12,289,777 --------- C:\AVG7QT.DAT
2007-09-10 21:51 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-09-10 21:50 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-09-10 19:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-10 15:58 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-10 14:28 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Opera
2007-09-10 14:20 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SlimBrowser
2007-09-10 14:19 <DIR> d-------- C:\Program Files\SlimBrowser
2007-09-02 21:12 <DIR> d-------- C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
2007-08-27 19:49 <DIR> d-------- C:\WINDOWS\0E6AB9FC76C2431B9C066C1CFFFEA8EB.TMP
2007-08-27 19:45 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 21:20 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\teamspeak2
2007-09-15 02:47 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-15 02:37 --------- d-------- C:\Program Files\MRU-Blaster
2007-09-14 23:45 --------- d-------- C:\Program Files\a-squared Free
2007-09-11 23:16 --------- d-------- C:\Program Files\Winamp3
2007-09-11 21:22 --------- d-------- C:\Program Files\RegScrubXP
2007-09-11 21:22 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WinPatrol
2007-09-11 21:21 --------- d-------- C:\Program Files\Common Files\Motive
2007-09-10 14:27 --------- d-------- C:\Program Files\Opera
2007-09-02 21:59 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-01 15:18 --------- d-------- C:\Program Files\IE7Pro
2007-09-01 14:24 --------- d-------- C:\Program Files\DirectVobSub
2007-09-01 14:23 --------- d-------- C:\Program Files\Axis Communications
2007-07-26 19:06 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2003-06-04 22:19 3952016 --a--c--- C:\Program Files\WD97VW32.EXE
2004-08-04 07:56:43 54,784 -csh--w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56:44 553,472 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56:55 11,776 -csh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 17:13]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-15 22:51]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 18:30]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-11 18:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mmm"="C:\Program Files\HACE\Mmm\Mmm.exe" [2007-05-16 14:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
WCAT.EXE [1999-12-17 19:22:04]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
WCAT.EXE [1999-12-17 19:22:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=01000000
"NoRecentDocsMenu"=01000000
"NoRecentDocsHistory"=1000000 (0xf4240)
"NoLogoff"=0 (0x0)
"NoSMBalloonTip"=0 (0x0)
"NoInstrumentation"=1 (0x1)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)


*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 15:45:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 15:48:17
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:34 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WCAT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WCAT.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1085806099-3993469562-2165517387-1003\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-1085806099-3993469562-2165517387-1003 Startup: WCAT.EXE (User '?')
O4 - Startup: WCAT.EXE
O4 - Global Startup: WCAT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4890 bytes

#4 brc911

brc911
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 19 September 2007 - 02:58 PM

ComboFix 07-09-19.8 - "Owner" 2007-09-19 15:40:40.1 - NTFSx86
.

((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-19 15:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-17 12:41 <DIR> d-------- C:\Program Files\Virtools
2007-09-15 22:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-09-15 21:24 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-09-15 16:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-15 16:16 <DIR> d-------- C:\Program Files\SpywareGuard
2007-09-14 14:44 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-09-14 14:41 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-09-14 14:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
2007-09-11 20:58 <DIR> d-------- C:\Program Files\Duplicate File Finder
2007-09-11 20:36 <DIR> d-------- C:\WINDOWS\$regcmp$
2007-09-11 18:22 12,289,777 --------- C:\AVG7QT.DAT
2007-09-10 21:51 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-09-10 21:50 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-09-10 19:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-10 15:58 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-10 14:28 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Opera
2007-09-10 14:20 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SlimBrowser
2007-09-10 14:19 <DIR> d-------- C:\Program Files\SlimBrowser
2007-09-02 21:12 <DIR> d-------- C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
2007-08-27 19:49 <DIR> d-------- C:\WINDOWS\0E6AB9FC76C2431B9C066C1CFFFEA8EB.TMP
2007-08-27 19:45 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 21:20 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\teamspeak2
2007-09-15 02:47 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-15 02:37 --------- d-------- C:\Program Files\MRU-Blaster
2007-09-14 23:45 --------- d-------- C:\Program Files\a-squared Free
2007-09-11 23:16 --------- d-------- C:\Program Files\Winamp3
2007-09-11 21:22 --------- d-------- C:\Program Files\RegScrubXP
2007-09-11 21:22 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WinPatrol
2007-09-11 21:21 --------- d-------- C:\Program Files\Common Files\Motive
2007-09-10 14:27 --------- d-------- C:\Program Files\Opera
2007-09-02 21:59 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-01 15:18 --------- d-------- C:\Program Files\IE7Pro
2007-09-01 14:24 --------- d-------- C:\Program Files\DirectVobSub
2007-09-01 14:23 --------- d-------- C:\Program Files\Axis Communications
2007-07-26 19:06 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2003-06-04 22:19 3952016 --a--c--- C:\Program Files\WD97VW32.EXE
2004-08-04 07:56:43 54,784 -csh--w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56:44 553,472 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56:55 11,776 -csh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 17:13]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-15 22:51]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 18:30]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-11 18:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mmm"="C:\Program Files\HACE\Mmm\Mmm.exe" [2007-05-16 14:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
WCAT.EXE [1999-12-17 19:22:04]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
WCAT.EXE [1999-12-17 19:22:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=01000000
"NoRecentDocsMenu"=01000000
"NoRecentDocsHistory"=1000000 (0xf4240)
"NoLogoff"=0 (0x0)
"NoSMBalloonTip"=0 (0x0)
"NoInstrumentation"=1 (0x1)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)


*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 15:45:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 15:48:17
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:34 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WCAT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WCAT.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1085806099-3993469562-2165517387-1003\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-1085806099-3993469562-2165517387-1003 Startup: WCAT.EXE (User '?')
O4 - Startup: WCAT.EXE
O4 - Global Startup: WCAT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4890 bytes

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 19 September 2007 - 05:53 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
C:\WINDOWS\0E6AB9FC76C2431B9C066C1CFFFEA8EB.TMP


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download DelDomains.zip and extract/unzip it to your desktop:
Now right click on Deldomains.inf then click on 'Install'.
After right clicking on Deldomains.inf 'Install' it will have appeared nothing happened,this is normal.


Go here:http://virusscan.jotti.org/
Using the 'Browse' button,browse to:
C:\Program Files\WD97VW32.EXE
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy,try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button,browse to:
C:\Program Files\WD97VW32.EXE
Then click on 'Send File'.
Post the results into your next reply.
Posted Image
Posted Image

#6 brc911

brc911
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 19 September 2007 - 09:26 PM

Scan taken on 20 Sep 2007 02:22:35 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File WD97VW32.EXE received on 09.20.2007 04:19:10 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.9.20.0 2007.09.19 -
AntiVir 7.6.0.15 2007.09.19 -
Authentium 4.93.8 2007.09.19 -
Avast 4.7.1043.0 2007.09.19 -
AVG 7.5.0.485 2007.09.19 -
BitDefender 7.2 2007.09.20 -
CAT-QuickHeal 9.00 2007.09.19 -
ClamAV 0.91.2 2007.09.20 -
DrWeb 4.33 2007.09.19 -
eSafe 7.0.15.0 2007.09.19 -
eTrust-Vet 31.2.5149 2007.09.19 -
Ewido 4.0 2007.09.19 -
FileAdvisor 1 2007.09.20 -
Fortinet 3.11.0.0 2007.09.19 -
F-Prot 4.3.2.48 2007.09.19 -
F-Secure 6.70.13030.0 2007.09.20 -
Ikarus T3.1.1.12 2007.09.20 -
Kaspersky 4.0.2.24 2007.09.20 -
McAfee 5123 2007.09.19 -
Microsoft 1.2803 2007.09.20 -
NOD32v2 2541 2007.09.20 -
Norman 5.80.02 2007.09.19 -
Panda 9.0.0.4 2007.09.20 -
Prevx1 V2 2007.09.20 -
Rising 19.41.20.00 2007.09.19 -
Sophos 4.21.0 2007.09.20 -
Sunbelt 2.2.907.0 2007.09.19 -
Symantec 10 2007.09.20 -
TheHacker 6.2.5.062 2007.09.19 -
VBA32 3.12.2.4 2007.09.19 -
VirusBuster 4.3.26:9 2007.09.19 -
Webwasher-Gateway 6.0.1 2007.09.19 -
Additional information
File size: 3952016 bytes
MD5: 5a4e73d930f94a87eda14f153934384e
SHA1: daeac2b621aa073251447514bf09952111dfc965

Edited by brc911, 19 September 2007 - 09:27 PM.


#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 20 September 2007 - 05:42 AM

Nothing suspicious there.
Post a new Hijackthis log please.
Let me know if you're experiencing any problems.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users