Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Virtumonde And Others


  • This topic is locked This topic is locked
10 replies to this topic

#1 sytiff

sytiff

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 06 October 2007 - 08:03 AM

For months I've been experiencing sluggish speed and whenever I run a spybot, there are always tracking cookies, but usually something is entered into my registry as well. The last time it was virtumonde.general. Norton Antivirus never picks up on anything, but I know something is wrong. In each of the malware removers I did prior to the Hijack This log, there were bad items identified. Please help!

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:35 AM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\HDAudPropShortcut.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [POSTRBT] C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [POSTRBT] C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extraweb-americas.ey.com/home/extraweb/iNotes6.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7253 bytes

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 12 October 2007 - 06:20 PM

Hello sytiff,

If you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

If your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.

To disable Norton Script blocking Service:

* Disable the Script Blocking Service:
To open Services, click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Services.
Find ScriptBlocking services, Right-click the service, and then click and then click Properties.
On the General tab, under Startup, click Disabled.
Under Service Status, click Stop button. Click Apply button.

* Disable the Script Blocking In Norton Settings:
Start Norton Antivirus.
Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK
You can reenable it afterwards when everything is clean again.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 18 October 2007 - 12:14 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 22 October 2007 - 10:22 AM

topic reopened
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 sytiff

sytiff
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 22 October 2007 - 12:50 PM

Thanks! I have attached the combofix and the hijackthis files.

Attached Files



#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 22 October 2007 - 12:52 PM

Hi Sytff,

Please do not attach the logs as they are too hard to read that way.
Post them to this thread. Thanks.

Edited by SifuMike, 22 October 2007 - 12:53 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 sytiff

sytiff
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 22 October 2007 - 01:10 PM

Sorry. See below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:07 AM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\HDAudPropShortcut.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [POSTRBT] C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [POSTRBT] C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extraweb-americas.ey.com/home/extraweb/iNotes6.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7475 bytes


ComboFix 07-10-18.6 - Tiffany 2007-10-18 15:32:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126 [GMT -4:00]
Running from: C:\Documents and Settings\Tiffany\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-18 15:30 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 08:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 17:10 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-05 13:39 <DIR> d-------- C:\Program Files\CityPoker
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-17 20:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-05 17:43 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-05 17:43 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-05 17:43 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-05 17:43 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-05 17:43 --------- d-----w C:\Program Files\Symantec
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 01:41 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\Snapfish
2007-09-05 01:11 --------- d-----w C:\Program Files\Vetronix
2007-08-25 12:53 --------- d-----w C:\Program Files\Java
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-23 16:05:17 1,380,723 --sha-w C:\WINDOWS\system32\oqtss.bak1
2007-04-28 18:02:45 1,371,765 --sh--w C:\WINDOWS\system32\oqtss.bak2
2007-04-28 18:11:09 1,375,307 --sh--w C:\WINDOWS\system32\oqtss.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 19:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 19:18]
"WUSB54Gv4"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 09:19]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-24 13:44]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 03:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 16:08]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"POSTRBT"=C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe"
S3 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe"
S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\jfdcd.sys
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-05-31 14:15:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-15 01:11:56 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Tiffany.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 15:34:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-18 15:36:18
.
--- E O F ---

Thanks!

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 22 October 2007 - 01:52 PM

Hi sytiff,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )

C:\Program Files\QuickTime\qttask.exe
(Description: Apple's QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog - it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise - what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray.)

C:\Program Files\iTunes\iTunesHelper.exe
(Description: Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. This task does not actually need to be installed as a startup since iTunes starts it up anyway when it needs it. Let iTunes start it up whenever it needs to, particularly since it has a history of occasionally conflicting with other software and it uses nearly 6Mb of memory. )

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini2
C:\DOCUME~1\Owner\LOCALS~1\Temp\jfdcd.sys

Driver:: 
jfdcd

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 sytiff

sytiff
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 24 October 2007 - 10:52 AM

Ok - here we go

ComboFix 07-10-18.6 - Tiffany 2007-10-23 16:05:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.187 [GMT -4:00]
Running from: C:\Documents and Settings\Tiffany\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tiffany\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\DOCUME~1\Owner\LOCALS~1\Temp\jfdcd.sys
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_JFDCD
-------\jfdcd


((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 12:32 <DIR> d-------- C:\Program Files\CCleaner
2007-10-23 12:28 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-18 15:30 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 08:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 17:10 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-05 13:39 <DIR> d-------- C:\Program Files\CityPoker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-23 16:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-23 16:29 --------- d-----w C:\Program Files\Java
2007-10-05 17:43 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-05 17:43 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-05 17:43 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-05 17:43 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-05 17:43 --------- d-----w C:\Program Files\Symantec
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 01:41 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\Snapfish
2007-09-05 01:11 --------- d-----w C:\Program Files\Vetronix
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-18_15.34.56.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 14:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-07-12 05:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 05:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 06:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 19:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 19:18]
"WUSB54Gv4"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 09:19]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 03:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 16:08]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"POSTRBT"=C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe"
S3 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe"
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-05-31 14:15:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-15 01:11:56 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Tiffany.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 16:11:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 16:13:18 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-18 15:36
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:58 AM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\HDAudPropShortcut.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [POSTRBT] C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [POSTRBT] C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extraweb-americas.ey.com/home/extraweb/iNotes6.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7169 bytes


Thanks again!

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 24 October 2007 - 02:34 PM

Hi sytiff,

Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix, go to to Start > Run & type in ComboFix /u


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:05 AM

Posted 28 October 2007 - 02:49 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users