
Virtumonde/ Mydoom/ Bho


41 replies to this topic

#1 Mark Dunn

Posted 07 October 2007 - 11:03 AM

I have popups, hijackers, fake DOS boxes, disabled task manager, unable to run msconfig and a whole lot else.
I have run all the recommended programs.
The computer is all but unusable.
Thanks for any help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:59:49, on 07/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\system32\symchk.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\nusrmgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Canon\MultiPASS4\monitr32.exe
D:\WINDOWS\system32\fxredir.exe
D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\BOINC\boincmgr.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\BOINC\boinc.exe
D:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_5.27_windows_intelx86.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=D:\WINDOWS\SYSTEM32\Userinit.exe,D:\WINDOWS\system32\symchk.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - D:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector
O4 - HKLM\..\Run: [monitr32] D:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] D:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = D:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179583063242
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179918932593
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FCI - Unknown owner - D:\WINDOWS\system32\fci.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MpService - Canon Inc - D:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)

--
End of file - 6435 bytes


#2 Guest_Cretemonster_*

Posted 08 October 2007 - 03:25 AM

Hi Mark and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 Mark Dunn

Posted 08 October 2007 - 10:15 AM

Many thanks, most nasties have disappeared. I still have a yellow triangle and a red shield on the taskbar.

Combofix:
ComboFix 07-10-07.2 - Mark 2007-10-08 16:03:26.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.262 [GMT 1:00]
Running from: D:\Documents and Settings\Mark.MARK-XP\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users.WINDOWS.\documents\settings
D:\Documents and Settings\All Users.WINDOWS.\documents\settings\desktop.ini
D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
D:\Documents and Settings\Mark.MARK-XP\Application Data\install.dat
D:\Documents and Settings\Mark.MARK-XP\Application Data\install.dat
D:\Documents and Settings\Mark.MARK-XP\Application Data\Microsoft\20509.dat
D:\Program Files\3721
D:\Program Files\3721\assist\asbar.dll
D:\Program Files\3721\helper.dll
D:\Program Files\Accoona
D:\Program Files\Accoona\ASearchAssist.dll
D:\Program Files\akl
D:\Program Files\akl\akl.dll
D:\Program Files\akl\akl.exe
D:\Program Files\akl\curlog.htm
D:\Program Files\akl\keylog.txt
D:\Program Files\akl\readme.txt
D:\Program Files\akl\uninstall.exe
D:\Program Files\akl\unsetup.dat
D:\Program Files\akl\unsetup.exe
D:\Program Files\amsys
D:\Program Files\amsys\awmsg.dat
D:\Program Files\amsys\guid.dat
D:\Program Files\amsys\ijl15.dll
D:\Program Files\amsys\mfc42.dll
D:\Program Files\amsys\msvcrt.dll
D:\Program Files\amsys\unins000.dat
D:\Program Files\amsys\unis000.exe
D:\Program Files\amsys\winam.dat
D:\Program Files\e-zshopper
D:\Program Files\e-zshopper\BarLcher.dll
D:\Program Files\p2pnetworks
D:\Program Files\p2pnetworks\amp2pl.exe
D:\WINDOWS\764.exe
D:\WINDOWS\7search.dll
D:\WINDOWS\aconti.exe
D:\WINDOWS\adbar.dll
D:\WINDOWS\cbinst$.exe
D:\WINDOWS\daxtime.dll
D:\WINDOWS\dp0.dll
D:\WINDOWS\eventlowg.dll
D:\WINDOWS\fhfmm-Uninstaller.exe
D:\WINDOWS\fhfmm.exe
D:\WINDOWS\flt.dll
D:\WINDOWS\hcwprn.exe
D:\WINDOWS\hotporn.exe
D:\WINDOWS\ie_32.exe
D:\WINDOWS\iexplorr23.dll
D:\WINDOWS\jd2002.dll
D:\WINDOWS\kkcomp$.exe
D:\WINDOWS\kkcomp.dll
D:\WINDOWS\kkcomp.exe
D:\WINDOWS\kvnab$.exe
D:\WINDOWS\kvnab.dll
D:\WINDOWS\kvnab.exe
D:\WINDOWS\liqad$.exe
D:\WINDOWS\liqad.dll
D:\WINDOWS\liqad.exe
D:\WINDOWS\liqui-Uninstaller.exe
D:\WINDOWS\liqui.dll
D:\WINDOWS\liqui.exe
D:\WINDOWS\ngd.dll
D:\WINDOWS\pbar.dll
D:\WINDOWS\pbsysie.dll
D:\WINDOWS\settn.dll
D:\WINDOWS\spredirect.dll
D:\WINDOWS\system32\drivers\bg_bg.gif
D:\WINDOWS\system32\drivers\blank.gif
D:\WINDOWS\system32\drivers\box_1.gif
D:\WINDOWS\system32\drivers\box_2.gif
D:\WINDOWS\system32\drivers\box_3.gif
D:\WINDOWS\system32\drivers\button_buynow.gif
D:\WINDOWS\system32\drivers\button_freescan.gif
D:\WINDOWS\system32\drivers\cell_bg.gif
D:\WINDOWS\system32\drivers\cell_footer.gif
D:\WINDOWS\system32\drivers\cell_header_block.gif
D:\WINDOWS\system32\drivers\cell_header_remove.gif
D:\WINDOWS\system32\drivers\cell_header_scan.gif
D:\WINDOWS\system32\drivers\close_ico.gif
D:\WINDOWS\system32\drivers\detect.htm
D:\WINDOWS\system32\drivers\download_box.gif
D:\WINDOWS\system32\drivers\download_btn.jpg
D:\WINDOWS\system32\drivers\download_now_btn.gif
D:\WINDOWS\system32\drivers\footer_back.jpg
D:\WINDOWS\system32\drivers\header_1.gif
D:\WINDOWS\system32\drivers\header_2.gif
D:\WINDOWS\system32\drivers\header_3.gif
D:\WINDOWS\system32\drivers\header_4.gif
D:\WINDOWS\system32\drivers\header_red_bg.gif
D:\WINDOWS\system32\drivers\header_red_free_scan.gif
D:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
D:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
D:\WINDOWS\system32\drivers\icon_warning_big.gif
D:\WINDOWS\system32\drivers\infected.gif
D:\WINDOWS\system32\drivers\main_back.gif
D:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
D:\WINDOWS\system32\drivers\product_1_header.gif
D:\WINDOWS\system32\drivers\product_1_name_small.gif
D:\WINDOWS\system32\drivers\product_2_header.gif
D:\WINDOWS\system32\drivers\product_2_name_small.gif
D:\WINDOWS\system32\drivers\product_3_header.gif
D:\WINDOWS\system32\drivers\product_3_name_small.gif
D:\WINDOWS\system32\drivers\product_features.gif
D:\WINDOWS\system32\drivers\protect.sys
D:\WINDOWS\system32\drivers\pt.htm
D:\WINDOWS\system32\drivers\rating.gif
D:\WINDOWS\system32\drivers\remove_spyware_header.gif
D:\WINDOWS\system32\drivers\s_detect.htm
D:\WINDOWS\system32\drivers\screenshot.jpg
D:\WINDOWS\system32\drivers\sep_hor.gif
D:\WINDOWS\system32\drivers\sep_vert.gif
D:\WINDOWS\system32\drivers\shadow.jpg
D:\WINDOWS\system32\drivers\shadow_bg.gif
D:\WINDOWS\system32\drivers\spacer.gif
D:\WINDOWS\system32\drivers\spy_away_box.jpg
D:\WINDOWS\system32\drivers\spyware_detected.gif
D:\WINDOWS\system32\drivers\star.gif
D:\WINDOWS\system32\drivers\star_gray.gif
D:\WINDOWS\system32\drivers\star_gray_small.gif
D:\WINDOWS\system32\drivers\star_small.gif
D:\WINDOWS\system32\drivers\style.css
D:\WINDOWS\system32\drivers\v.gif
D:\WINDOWS\system32\drivers\warning_ico.gif
D:\WINDOWS\system32\drivers\warning_icon.gif
D:\WINDOWS\system32\drivers\win_logo.gif
D:\WINDOWS\system32\drivers\x.gif
D:\WINDOWS\system32\drivers\yellow_warning_ico.gif
D:\WINDOWS\system32\ESHOPEE.exe
D:\WINDOWS\system32\gtv_sd.bin
D:\WINDOWS\system32\msole32.exe
D:\WINDOWS\system32\nusrmgr.exe
D:\WINDOWS\system32\oembios32.dll
D:\WINDOWS\system32\vxddsk.exe
D:\WINDOWS\system32\wml.exe
D:\WINDOWS\vxddsk.exe
D:\WINDOWS\wbeCheck.exe
D:\WINDOWS\wbeInst$.exe
D:\WINDOWS\winh32.exe
D:\WINDOWS\wml.exe
D:\WINDOWS\xadbrk.dll
D:\WINDOWS\xadbrk.exe
D:\WINDOWS\xadbrk_.exe
D:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FCI
-------\LEGACY_ICF
-------\LEGACY_PROTECT
-------\LEGACY_SYMAVC32
-------\LEGACY_SYSLIBRARY
-------\FCI
-------\ICF
-------\protect


((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 15:39 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-10-07 16:59 <DIR> d-------- D:\Program Files\Trend Micro
2007-10-07 16:46 4,212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2007-10-07 15:43 <DIR> d-------- D:\WINDOWS\Internet Logs
2007-10-07 15:36 17,920 --a------ D:\WINDOWS\system32\ace16win.dll
2007-10-07 11:21 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2007-10-07 11:17 <DIR> d-------- D:\Program Files\BitDefender
2007-10-07 01:16 <DIR> d--hs---- D:\FOUND.000
2007-10-06 18:03 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\Lavasoft
2007-10-06 17:28 <DIR> d-------- D:\WINDOWS\pchealth
2007-10-06 15:18 4 --a------ D:\WINDOWS\system32\stfv.bin
2007-10-06 15:18 <DIR> d-------- D:\WINDOWS\system32\acespy
2007-10-06 11:46 46,080 --a------ D:\WINDOWS\system32\symchk.exe
2007-09-25 17:45 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Contacts
2007-09-25 17:44 <DIR> d-------- D:\WINDOWS\system32\DRVSTORE
2007-09-21 18:45 1,744 --a------ D:\WINDOWS\system32\d3d9caps.dat
2007-09-21 18:45 1,632 --a------ D:\WINDOWS\system32\d3d8caps.dat
2007-09-20 17:12 3,497,832 --a------ D:\WINDOWS\system32\d3dx9_34.dll
2007-09-20 17:12 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll
2007-09-20 16:47 909,312 --a------ D:\WINDOWS\system32\QD3D.dll
2007-09-20 16:47 70,656 --a------ D:\WINDOWS\system32\3DViewer.dll
2007-09-20 16:47 553,984 --a------ D:\WINDOWS\system32\Rave.dll
2007-09-20 16:46 <DIR> d-------- D:\Program Files\DesignWorkshop Lite
2007-09-20 16:43 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\uk.co.planetside
2007-09-20 16:42 <DIR> d-------- D:\Program Files\Terragen
2007-09-15 12:19 <DIR> d-------- D:\Program Files\USB Missile Launcher
2007-09-15 11:52 31,616 --a------ D:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-15 11:52 31,616 --a------ D:\WINDOWS\system32\dllcache\usbccgp.sys
2007-09-13 17:36 129,784 --------- D:\WINDOWS\system32\pxafs.dll
2007-09-13 17:36 120,056 --------- D:\WINDOWS\system32\pxcpyi64.exe
2007-09-13 17:36 118,520 --------- D:\WINDOWS\system32\pxinsi64.exe
2007-09-13 16:08 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2007-09-11 19:14 <DIR> d-------- D:\Program Files\BillP Studios
2007-09-11 19:14 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\WinPatrol
2007-09-08 13:29 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\Uniblue
2007-09-08 12:44 <DIR> d-------- D:\BJPrinter
2007-09-08 12:42 81,920 --------- D:\WINDOWS\system32\mptrans.dll
2007-09-08 12:42 69,632 --------- D:\WINDOWS\system32\mpsutil.dll
2007-09-08 12:42 49,152 --------- D:\WINDOWS\system32\MPSRVC.DLL
2007-09-08 12:42 48,408 --------- D:\WINDOWS\system32\drivers\cis1284.sys
2007-09-08 12:42 <DIR> d-------- D:\Program Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-16 10:52 81984 --a------ D:\WINDOWS\system32\bdod.bin
2007-09-06 16:14 1086952 --a------ D:\WINDOWS\system32\zpeng24.dll
2007-09-05 18:42 --------- d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\SUPERAntiSpyware.com
2007-09-05 18:42 --------- d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2007-09-05 17:23 --------- d-------- D:\Program Files\MagicISO
2007-08-21 01:26 81920 --a------ D:\WINDOWS\system32\dpl100.dll
2007-08-21 01:26 196608 --a------ D:\WINDOWS\system32\dtu100.dll
2007-08-15 23:33 524288 --a------ D:\WINDOWS\system32\DivXsm.exe
2007-08-15 23:33 43528 --------- D:\WINDOWS\system32\drivers\pxhelp20.sys
2007-08-15 23:33 3596288 --a------ D:\WINDOWS\system32\qt-dx331.dll
2007-08-15 23:33 200704 --a------ D:\WINDOWS\system32\ssldivx.dll
2007-08-15 23:33 144704 --a------ D:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-15 23:33 1044480 --a------ D:\WINDOWS\system32\libdivx.dll
2007-08-15 23:31 593920 --a------ D:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 23:31 57344 --a------ D:\WINDOWS\system32\dpv11.dll
2007-08-15 23:31 53248 --a------ D:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 23:31 344064 --a------ D:\WINDOWS\system32\dpus11.dll
2007-08-15 23:31 294912 --a------ D:\WINDOWS\system32\dpu11.dll
2007-08-15 23:31 294912 --a------ D:\WINDOWS\system32\dpu10.dll
2007-08-15 23:30 823296 --a------ D:\WINDOWS\system32\divx_xx0c.dll
2007-08-15 23:30 823296 --a------ D:\WINDOWS\system32\divx_xx07.dll
2007-08-15 23:30 802816 --a------ D:\WINDOWS\system32\divx_xx11.dll
2007-08-15 23:30 740442 --a------ D:\WINDOWS\system32\DivX.dll
2007-08-15 23:30 12288 --a------ D:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-13 22:16 --------- d-------- D:\Program Files\RegScrubXP
2007-08-13 21:43 --------- d-------- D:\Program Files\Scorpio Software
2007-08-13 21:43 --------- d-------- D:\Program Files\Common Files\scosoft.com
2007-08-13 13:14 --------- d-------- D:\Program Files\FLV Player
2007-08-12 12:04 --------- d-------- D:\Program Files\Common Files\xing shared
2007-08-12 12:03 --------- d-------- D:\Program Files\Common Files\Real
2007-08-12 12:02 --------- d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\Real
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector" []
"monitr32"="D:\Program Files\Canon\MultiPASS4\monitr32.exe" [2001-12-12 10:10]
"fxredir"="D:\WINDOWS\system32\fxredir.exe" [2001-12-12 10:10]
"MPTBox"="D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe" [2001-12-12 10:10]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-11 10:21]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

D:\Documents and Settings\mark\Start Menu\Programs\Startup\
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

D:\Documents and Settings\Mark.MARK-XP\Start Menu\Programs\Startup\
BOINC Manager.lnk - D:\Program Files\BOINC\boincmgr.exe [2007-03-01 11:19:50]
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
"D:\Program Files\Softwin\BitDefender10\bdagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
D:\WINDOWS\system32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
D:\Documents and Settings\Mark.MARK-XP\Application Data\Microsoft\Windows\duuorn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoloSchedule]
D:\SRNMIC~1\SOLOCFG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoloSentry]
D:\SRNMIC~1\SOLOSENT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoloSysCheck]
D:\SRNMIC~1\SYSCHECK.COM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
D:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
D:\Documents and Settings\Mark.MARK-XP\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

R2 cis1284;cis1284;\??\D:\WINDOWS\system32\drivers\cis1284.sys
S3 s3legacy;s3legacy;D:\WINDOWS\system32\DRIVERS\s3legacy.sys
S4 tbhsd;Tunebite High-Speed Dubbing;D:\WINDOWS\system32\drivers\tbhsd.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 15:59:42 D:\WINDOWS\Tasks\At8.job"
- D:\WINDOWS\system32\oS427A40.exe
"2007-08-06 16:17:10 D:\WINDOWS\Tasks\At9.job"
- D:\WINDOWS\system32\oS427A40.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 16:09:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 16:12:03 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-10-08 16:11
.
--- E O F ---

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:14:18, on 08/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Canon\MultiPASS4\monitr32.exe
D:\WINDOWS\system32\fxredir.exe
D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\BOINC\boincmgr.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\BOINC\boinc.exe
D:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_5.27_windows_intelx86.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector
O4 - HKLM\..\Run: [monitr32] D:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] D:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = D:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179583063242
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179918932593
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MpService - Canon Inc - D:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)

--
End of file - 5977 bytes

#4 Guest_Cretemonster_*

Posted 08 October 2007 - 01:57 PM

Let's see how many of these we can get in a single pass, some may be stubborn.

Open HijackThis -> Click "Do a System Scan Only" and put a check by these, but DO NOT hit the Fix Checked button yet:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)

O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)

O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)

O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)

O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)

O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)

O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)

O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)

O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)

O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)

O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)

O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)

O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)

O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)

O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)

O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)

O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)

O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)

O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)

O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O24 - Desktop Component 0: (no name) - (no file)

O24 - Desktop Component 1: (no name) - (no file)

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


Restart the PC in Safe Mode and run HijackThis again; check for any leftovers from the list above and have HijackThis fix any that are remaining.


Restart normally and let's run another fix over the machine to check for leftovers and repair any registry settings that may have been tampered with.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
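The entries in the fix list above share a few patterns that can be picked out mechanically: O2 BHO lines ending in "(no file)" are CLSIDs still registered after their DLL has gone, the O4 CTFMON entries sit under the S-1-5-18/19/20 service-account hives, and the O24 Active Desktop components have no file behind them. The Python below is an added example written for this thread (it is not part of HijackThis and was not posted by anyone here) that applies those rules to HijackThis 2.0 log lines, plus the one extra rule a practitioner usually wants: flag any autorun or BHO that loads from a user-writable profile directory. The sample log is a handful of lines copied from the logs in this thread plus one constructed O4 line (the duuorn.exe path); the severity labels and the `USER_WRITABLE` list are the example's own conventions.

```python
"""Triage rules for HijackThis 2.0 log lines.

Added example for this thread; not part of HijackThis. The rules mirror the
reasoning behind the fix list above and are deliberately conservative:
"(no file)" entries are residue, autoruns from user-writable paths are the
ones worth a closer look.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the logs in this thread, plus one constructed
# O4 line (the duuorn.exe path) to show a hit on a user-writable directory.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [fxredir] D:\WINDOWS\system32\fxredir.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [SfKg6w] D:\Documents and Settings\Mark.MARK-XP\Application Data\Microsoft\Windows\duuorn.exe
O24 - Desktop Component 0: (no name) - (no file)
"""


@dataclass
class Finding:
    severity: str   # "high" | "low" | "info" (this example's own scale)
    section: str    # HijackThis section tag, e.g. "O2"
    reason: str
    line: str


# Lower-case substrings of paths an unprivileged user can write to (assumption:
# the usual XP/Vista profile layout; extend for your environment).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\users\\", "\\programdata\\")
# Well-known SIDs of LOCAL SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")
ENTRY_RE = re.compile(r"^(?P<tag>[A-Z]\d{1,2}) - (?P<body>.*)$")
SEVERITY_ORDER = {"high": 0, "low": 1, "info": 2}


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line needs no comment."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    low = body.lower()
    user_path = any(d in low for d in USER_WRITABLE)

    if tag == "O2":  # Browser Helper Object
        if low.endswith("(no file)"):
            return Finding("low", tag, "orphaned BHO: CLSID still registered, DLL gone; loads nothing, safe to fix", body)
        if user_path:
            return Finding("high", tag, "BHO loads from a user-writable directory", body)
        return Finding("info", tag, "BHO with a file on disk; confirm the DLL's publisher", body)

    if tag == "O4":  # Run keys and Startup folder
        if user_path:
            return Finding("high", tag, "autorun from a user-writable directory", body)
        if any(sid in body for sid in SERVICE_SIDS):
            return Finding("low", tag, "autorun under a service-account hive; typically a CTFMON leftover, not needed", body)
        return None

    if tag == "O24" and low.endswith("(no file)"):
        return Finding("low", tag, "orphaned Active Desktop component; residue of a desktop hijack", body)

    if tag == "R0" and "start page = about:blank" in low:
        return Finding("info", tag, "blank start page; harmless, commonly left behind after a hijacker is removed", body)

    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line and return the findings, most severe first (stable order within a level)."""
    findings = [f for f in map(classify, log_text.splitlines()) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:3} {f.reason}\n        {f.line}")
```

Run on the sample, the only "high" hit is the constructed duuorn.exe autorun in Application Data; everything on the fix list above comes back as "low" residue, which is why it can be fixed in one pass without first identifying what dropped it.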

#5 Mark Dunn (Topic Starter)

Posted 08 October 2007 - 02:32 PM

The following items are still there:
O24 - Desktop Component 0: (no name) - (no file)

O24 - Desktop Component 1: (no name) - (no file)

All others gone, thank you!

and here is the log:


SmitFraudFix v2.239

Scan done at 20:29:58.99, 08/10/2007
Run from D:\Documents and Settings\Mark.MARK-XP\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

Process

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Canon\MultiPASS4\monitr32.exe
D:\WINDOWS\system32\fxredir.exe
D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\BOINC\boincmgr.exe
D:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\BOINC\boinc.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\cmd.exe

hosts


D:\


D:\WINDOWS

D:\WINDOWS\Tasks\At?.job FOUND !
D:\WINDOWS\Tasks\At??.job FOUND !

D:\WINDOWS\system


D:\WINDOWS\Web


D:\WINDOWS\system32

D:\WINDOWS\system32\ace16win.dll FOUND !

D:\WINDOWS\system32\LogFiles


D:\Documents and Settings\Mark.MARK-XP


D:\Documents and Settings\Mark.MARK-XP\Application Data


Start Menu


D:\DOCUME~1\MARK~1.MAR\FAVORI~1


Desktop


D:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{345567E4-A816-4C05-B2F6-E8E6994114AF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{345567E4-A816-4C05-B2F6-E8E6994114AF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{345567E4-A816-4C05-B2F6-E8E6994114AF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Scanning for wininet.dll infection


End
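The DNS section of the report above is there because one family of these infections silently replaces the machine's resolvers, and the hosts section catches the other common trick of pinning security and update sites to 127.0.0.1. In this report the only resolver is the router at 192.168.2.1 and the hosts file holds just the localhost line, so both are clean. The Python below is an added example written for this thread (not part of SmitfraudFix) that automates that reading: it collects every resolver the report names and flags any outside the networks you declare trusted, and flags hosts-file lines other than the loopback mapping for localhost. CLEAN_REPORT is copied from the report above; HIJACKED_REPORT is constructed, with the documentation address 203.0.113.5 standing in for a rogue resolver.

```python
"""Resolver and hosts-file hijack check over a SmitfraudFix report.

Added example for this thread; not part of SmitfraudFix. The report's DNS
section lists resolvers per interface and per ControlSet; its hosts section
dumps the hosts file. A resolver outside the networks you trust, or a hosts
entry that is not the plain localhost mapping, is what a hijack looks like.
"""
import ipaddress
import re
from typing import List

# Lines copied from the report posted above (clean case).
CLEAN_REPORT = r"""
hosts

127.0.0.1 localhost

DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{345567E4-A816-4C05-B2F6-E8E6994114AF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
"""

# Constructed report showing a hijack: a static NameServer pointing at
# 203.0.113.5 (documentation range, standing in for an attacker resolver) and
# hosts-file lines pinning a vendor and an update site.
HIJACKED_REPORT = r"""
hosts

127.0.0.1 localhost
127.0.0.1 www.symantec.com
203.0.113.5 update.microsoft.com

DNS

DNS Server Search Order: 203.0.113.5 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{345567E4-A816-4C05-B2F6-E8E6994114AF}: NameServer=203.0.113.5,192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
"""

# Static (NameServer) and DHCP-supplied (DhcpNameServer) resolver values.
DNS_RE = re.compile(r"(?:DhcpNameServer|NameServer)=(?P<servers>[0-9. ,]+)")
SEARCH_RE = re.compile(r"DNS Server Search Order:\s*(?P<servers>[0-9. ,]+)")
HOSTS_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")


def _servers(report: str) -> List[str]:
    """Every resolver address named in the report, de-duplicated, in order seen."""
    seen: List[str] = []
    for line in report.splitlines():
        for rx in (SEARCH_RE, DNS_RE):
            for m in rx.finditer(line):
                for s in re.split(r"[ ,]+", m.group("servers").strip()):
                    if s and s not in seen:
                        seen.append(s)
    return seen


def check_dns(report: str, trusted_nets: List[str]) -> List[str]:
    """Resolvers in the report that fall outside every trusted network.

    trusted_nets: CIDR strings for your LAN and your ISP's resolvers.
    Unparseable tokens are returned too; a resolver you cannot parse is
    not one you should trust silently.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]
    suspicious = []
    for s in _servers(report):
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            suspicious.append(s)
            continue
        if not any(ip in net for net in trusted):
            suspicious.append(s)
    return suspicious


def check_hosts(report: str) -> List[str]:
    """Hosts-file lines other than a loopback mapping for localhost."""
    flagged = []
    for line in report.splitlines():
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, host = m.group("ip"), m.group("host").lower()
        if host == "localhost" and ipaddress.ip_address(ip).is_loopback:
            continue
        flagged.append(line.strip())
    return flagged


if __name__ == "__main__":
    lan = ["192.168.2.0/24"]
    for name, rep in (("clean", CLEAN_REPORT), ("hijacked", HIJACKED_REPORT)):
        print(name, "rogue resolvers:", check_dns(rep, lan), "hosts:", check_hosts(rep))
```

Pass the LAN range and your ISP's resolver ranges as `trusted_nets`; a public resolver you did not configure is exactly the finding this check exists for, so do not widen the list just to make a report come back clean.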

#6 Guest_Cretemonster_*

Posted 08 October 2007 - 02:51 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


Hopefully this will rectify the desktop and the annoying triangle thingy if it's still there.

After you post the next results, please go ahead and scan one more time with ComboFix and post that log as well; then we can see what's left to clean up. :thumbsup:

#7 Mark Dunn (Topic Starter)

Posted 08 October 2007 - 03:56 PM

SmitFraudFix v2.239

Scan done at 21:45:13.69, 08/10/2007
Run from D:\Documents and Settings\Mark.MARK-XP\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{345567E4-A816-4C05-B2F6-E8E6994114AF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{345567E4-A816-4C05-B2F6-E8E6994114AF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{345567E4-A816-4C05-B2F6-E8E6994114AF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

and

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:54:39, on 08/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Canon\MultiPASS4\monitr32.exe
D:\WINDOWS\system32\fxredir.exe
D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\BOINC\boincmgr.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\BOINC\boinc.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector
O4 - HKLM\..\Run: [monitr32] D:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] D:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BOINC Manager.lnk = D:\Program Files\BOINC\boincmgr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179583063242
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179918932593
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MpService - Canon Inc - D:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 3619 bytes

The triangle and desktop hijack disappeared before the last scan (forgot to say, sorry!). It looks quite clear now.

#8 Mark Dunn (Topic Starter)

Posted 08 October 2007 - 04:06 PM

Combofix log

ComboFix 07-10-07.2 - Mark 2007-10-08 21:57:57.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.338 [GMT 1:00]
Running from: D:\Documents and Settings\Mark.MARK-XP\Desktop\misc\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 21:57 53,248 --a------ D:\WINDOWS\system32\Process.exe
2007-10-08 21:57 51,200 --a------ D:\WINDOWS\system32\dumphive.exe
2007-10-08 21:57 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
2007-10-08 21:57 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
2007-10-08 21:57 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe
2007-10-08 20:30 878 --a------ D:\WINDOWS\system32\tmp.reg
2007-10-08 19:16 <DIR> d-------- D:\Program Files\BOINC
2007-10-08 17:58 99,840 --a------ D:\WINDOWS\system32\dllcache\helphost.exe
2007-10-08 17:58 6,656 --a------ D:\WINDOWS\system32\dllcache\hcappres.dll
2007-10-08 17:58 35,328 --a------ D:\WINDOWS\system32\dllcache\notiflag.exe
2007-10-08 17:58 21,504 --a------ D:\WINDOWS\system32\dllcache\brpinfo.dll
2007-10-08 17:45 <DIR> d--hs---- D:\FOUND.001
2007-10-08 15:39 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-10-07 16:59 <DIR> d-------- D:\Program Files\Trend Micro
2007-10-07 16:46 4,212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2007-10-07 15:43 <DIR> d-------- D:\WINDOWS\Internet Logs
2007-10-07 11:21 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2007-10-07 11:17 <DIR> d-------- D:\Program Files\BitDefender
2007-10-07 01:16 <DIR> d--hs---- D:\FOUND.000
2007-10-06 18:03 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\Lavasoft
2007-10-06 17:28 <DIR> d-------- D:\WINDOWS\pchealth
2007-10-06 15:18 4 --a------ D:\WINDOWS\system32\stfv.bin
2007-10-06 15:18 <DIR> d-------- D:\WINDOWS\system32\acespy
2007-10-06 11:46 46,080 --a------ D:\WINDOWS\system32\symchk.exe
2007-09-25 17:45 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Contacts
2007-09-25 17:44 <DIR> d-------- D:\WINDOWS\system32\DRVSTORE
2007-09-21 18:45 1,744 --a------ D:\WINDOWS\system32\d3d9caps.dat
2007-09-21 18:45 1,632 --a------ D:\WINDOWS\system32\d3d8caps.dat
2007-09-20 17:12 3,497,832 --a------ D:\WINDOWS\system32\d3dx9_34.dll
2007-09-20 17:12 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll
2007-09-20 16:47 909,312 --a------ D:\WINDOWS\system32\QD3D.dll
2007-09-20 16:47 70,656 --a------ D:\WINDOWS\system32\3DViewer.dll
2007-09-20 16:47 553,984 --a------ D:\WINDOWS\system32\Rave.dll
2007-09-20 16:46 <DIR> d-------- D:\Program Files\DesignWorkshop Lite
2007-09-20 16:43 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\uk.co.planetside
2007-09-20 16:42 <DIR> d-------- D:\Program Files\Terragen
2007-09-15 12:19 <DIR> d-------- D:\Program Files\USB Missile Launcher
2007-09-15 11:52 31,616 --a------ D:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-15 11:52 31,616 --a------ D:\WINDOWS\system32\dllcache\usbccgp.sys
2007-09-13 17:36 129,784 --------- D:\WINDOWS\system32\pxafs.dll
2007-09-13 17:36 120,056 --------- D:\WINDOWS\system32\pxcpyi64.exe
2007-09-13 17:36 118,520 --------- D:\WINDOWS\system32\pxinsi64.exe
2007-09-13 16:08 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2007-09-11 19:14 <DIR> d-------- D:\Program Files\BillP Studios
2007-09-11 19:14 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\WinPatrol
2007-09-08 13:29 <DIR> d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\Uniblue
2007-09-08 12:44 <DIR> d-------- D:\BJPrinter
2007-09-08 12:42 81,920 --------- D:\WINDOWS\system32\mptrans.dll
2007-09-08 12:42 69,632 --------- D:\WINDOWS\system32\mpsutil.dll
2007-09-08 12:42 49,152 --------- D:\WINDOWS\system32\MPSRVC.DLL
2007-09-08 12:42 48,408 --------- D:\WINDOWS\system32\drivers\cis1284.sys
2007-09-08 12:42 <DIR> d-------- D:\Program Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-16 10:52 81984 --a------ D:\WINDOWS\system32\bdod.bin
2007-09-06 16:14 1086952 --a------ D:\WINDOWS\system32\zpeng24.dll
2007-09-05 18:42 --------- d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\SUPERAntiSpyware.com
2007-09-05 18:42 --------- d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2007-09-05 17:23 --------- d-------- D:\Program Files\MagicISO
2007-08-23 17:47 696320 --a------ D:\WINDOWS\boinc.scr
2007-08-21 01:26 81920 --a------ D:\WINDOWS\system32\dpl100.dll
2007-08-21 01:26 196608 --a------ D:\WINDOWS\system32\dtu100.dll
2007-08-15 23:33 524288 --a------ D:\WINDOWS\system32\DivXsm.exe
2007-08-15 23:33 43528 --------- D:\WINDOWS\system32\drivers\pxhelp20.sys
2007-08-15 23:33 3596288 --a------ D:\WINDOWS\system32\qt-dx331.dll
2007-08-15 23:33 200704 --a------ D:\WINDOWS\system32\ssldivx.dll
2007-08-15 23:33 144704 --a------ D:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-15 23:33 1044480 --a------ D:\WINDOWS\system32\libdivx.dll
2007-08-15 23:31 593920 --a------ D:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 23:31 57344 --a------ D:\WINDOWS\system32\dpv11.dll
2007-08-15 23:31 53248 --a------ D:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 23:31 344064 --a------ D:\WINDOWS\system32\dpus11.dll
2007-08-15 23:31 294912 --a------ D:\WINDOWS\system32\dpu11.dll
2007-08-15 23:31 294912 --a------ D:\WINDOWS\system32\dpu10.dll
2007-08-15 23:30 823296 --a------ D:\WINDOWS\system32\divx_xx0c.dll
2007-08-15 23:30 823296 --a------ D:\WINDOWS\system32\divx_xx07.dll
2007-08-15 23:30 802816 --a------ D:\WINDOWS\system32\divx_xx11.dll
2007-08-15 23:30 740442 --a------ D:\WINDOWS\system32\DivX.dll
2007-08-15 23:30 12288 --a------ D:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-13 22:16 --------- d-------- D:\Program Files\RegScrubXP
2007-08-13 21:43 --------- d-------- D:\Program Files\Scorpio Software
2007-08-13 21:43 --------- d-------- D:\Program Files\Common Files\scosoft.com
2007-08-13 13:14 --------- d-------- D:\Program Files\FLV Player
2007-08-12 12:04 --------- d-------- D:\Program Files\Common Files\xing shared
2007-08-12 12:03 --------- d-------- D:\Program Files\Common Files\Real
2007-08-12 12:02 --------- d-------- D:\Documents and Settings\Mark.MARK-XP\Application Data\Real
.

((((((((((((((((((((((((((((( snapshot@2007-10-08_16.11.04.79 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,960 2006-01-09 09:36:06 D:\WINDOWS\system32\swsc.exe
----a-w 79,360 2006-12-01 05:20:34 D:\WINDOWS\system32\swxcacls.exe
----a-w 163,328 2007-03-13 09:57:12 D:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
----a-w 21,504 2001-08-18 12:00:00 D:\WINDOWS\pchealth\helpctr\binaries\brpinfo.dll
----a-w 6,656 2001-08-18 12:00:00 D:\WINDOWS\pchealth\helpctr\binaries\HCAppRes.dll
----a-w 99,840 2001-08-18 12:00:00 D:\WINDOWS\pchealth\helpctr\binaries\HelpHost.exe
----a-w 35,328 2001-08-18 12:00:00 D:\WINDOWS\pchealth\helpctr\binaries\notiflag.exe
----a-w 743,936 2004-08-03 23:56:52 D:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
----a-w 18,944 2004-08-03 23:56:52 D:\WINDOWS\pchealth\helpctr\binaries\hscupd.exe
----a-w 376,320 2004-08-03 23:56:44 D:\WINDOWS\pchealth\helpctr\binaries\msinfo.dll
----a-w 768,512 2004-08-03 23:56:50 D:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
----a-w 158,208 2004-08-03 23:56:54 D:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
----a-w 102,400 2004-08-03 23:56:46 D:\WINDOWS\pchealth\helpctr\binaries\pchshell.dll
----a-w 38,912 2004-08-03 23:56:46 D:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll
----a-w 73,051 2003-04-22 09:55:36 D:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
----a-w 8,738 2002-09-28 18:57:38 D:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
----a-w 150,528 2004-08-03 23:56:58 D:\WINDOWS\pchealth\uploadlb\binaries\uploadm.exe
.
----a-w 212,480 2006-12-01 04:20:32 D:\WINDOWS\system32\swxcacls.exe
----a-w 370,688 2006-11-29 16:21:30 D:\WINDOWS\system32\swsc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="D:\Program Files\PicasaXP\Picasa2\PicasaMediaDetector" []
"monitr32"="D:\Program Files\Canon\MultiPASS4\monitr32.exe" [2001-12-12 10:10]
"fxredir"="D:\WINDOWS\system32\fxredir.exe" [2001-12-12 10:10]
"MPTBox"="D:\PROGRA~1\Canon\MULTIP~1\mptbox.exe" [2001-12-12 10:10]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-11 10:21]

D:\Documents and Settings\mark\Start Menu\Programs\Startup\
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

D:\Documents and Settings\Mark.MARK-XP\Start Menu\Programs\Startup\
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
BOINC Manager.lnk - D:\Program Files\BOINC\boincmgr.exe [2007-08-23 17:53:46]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
"D:\Program Files\Softwin\BitDefender10\bdagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
D:\WINDOWS\system32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
D:\Documents and Settings\Mark.MARK-XP\Application Data\Microsoft\Windows\duuorn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoloSchedule]
D:\SRNMIC~1\SOLOCFG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoloSentry]
D:\SRNMIC~1\SOLOSENT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoloSysCheck]
D:\SRNMIC~1\SYSCHECK.COM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
D:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
D:\Documents and Settings\Mark.MARK-XP\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

R2 cis1284;cis1284;\??\D:\WINDOWS\system32\drivers\cis1284.sys
S3 s3legacy;s3legacy;D:\WINDOWS\system32\DRIVERS\s3legacy.sys
S4 tbhsd;Tunebite High-Speed Dubbing;D:\WINDOWS\system32\drivers\tbhsd.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 22:00:38
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 22:02:12
D:\ComboFix-quarantined-files.txt ... 2007-10-08 22:02
D:\ComboFix2.txt ... 2007-10-08 16:12
.
--- E O F ---

#9 Guest_Cretemonster_*

Posted 08 October 2007 - 05:14 PM

Alrighty, see if any of these folders exist and delete them if found:

D:\WINDOWS\system32\acespy

D:\Documents and Settings\Mark.MARK-XP\Application Data\WinTouch

D:\Program Files\WinPop


I can't guarantee this scanner will agree with your machine if we don't clean out the temps and reboot before running it. I use one of two cleaners because I'm lazy :thumbsup:

CCleaner is one I have always liked, but I use only the Cleaner part and none of the other parts that come with it: simple download, install, run Cleaner... done.
http://www.ccleaner.com/download/


Once the temps are cleared out, reboot the machine and please run the F-Secure Online Scanner.

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Don't fight it if it doesn't want to run; this is one picky scanner and there are others we can use if needed.

#10 Mark Dunn (Topic Starter)

Posted 09 October 2007 - 06:51 AM

Here it is

Scanning Report
Tuesday, October 09, 2007 10:27:04 - 12:50:02
Computer name: MARK-XP
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 5 malware found
BargainBuddy (spyware)
System (Disinfected)
Email-Worm.Win32.Mydoom.bj (virus)
D:\WINDOWS\SYSTEM32\SYMCHK.EXE (Renamed & Submitted)
Tracking Cookie (spyware)
System (Disinfected)
Trojan-Downloader.Win32.VB.bkb (virus)
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20071006-152917-383.DLL (Renamed & Submitted)
Win32.Spyware.Acoona (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 48374
System: 10238
Not scanned: 3
Actions:
Disinfected: 3
Renamed: 2
Deleted: 0
None: 0
Submitted: 2
Files not scanned:
D:\PAGEFILE.SYS
D:\WINDOWS\SYSTEM32\CONFIG\SECURITY
D:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-07
F-Secure AVP: 7.0.171, 2007-10-09
F-Secure Orion: 1.2.37, 2007-10-09
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-09-17
F-Secure Pegasus: 1.19.0, 2007-09-03
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics


#11 Guest_Cretemonster_*

Posted 09 October 2007 - 04:06 PM

Nice, I had wondered about the one file it flagged.

Locate and delete --> D:\WINDOWS\SYSTEM32\SYMCHK.EXE --> probably renamed as such:

D:\WINDOWS\SYSTEM32\SYMCHK.0XE


One other opinion please, use the Eset Online Scanner.
http://www.eset.com/onlinescan/index.php
Accept the terms of use and click the Start button. When prompted to install an ActiveX Control, click the yellow notification bar and select Install ActiveX Control.
Click the Install button on the Security Warning window which appears.

Once the ActiveX installs click the Start button to download the signature database when prompted.

On the "Computer Scan" options window select Remove found threats but leave Scan unwanted applications unchecked, then hit the Scan button.

A log file of the results can be found at C:/Program Files/EsetOnlineScanner/log.txt
Post the results in your next reply please.

Edited by Cretemonster, 09 October 2007 - 04:06 PM.


#12 Mark Dunn (Topic Starter)

Posted 10 October 2007 - 08:09 AM

The scanner stalled the first time after deleting an item I didn't make a note of, so I rebooted and ran it again.
Here is the log:
version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2582 (20071009)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d11b581e05d7e84b894ec48f7b008e1b
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2007-10-10 01:01:30
# local_time=2007-10-10 02:01:30 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=297513
# found=3
# scan_time=6028
D:\qoobox\Quarantine\D\WINDOWS\winh32.exe.vir Win32/VB.AZO trojan (unable to clean - deleted) 00000000000000000000000000000000
D:\qoobox\Quarantine\D\WINDOWS\system32\nusrmgr.exe.vir Win32/Hoax.Renos.NDK application (unable to clean - deleted) 00000000000000000000000000000000
D:\qoobox\Quarantine\D\WINDOWS\system32\drivers\protect.sys.vir Win32/SpamTool.Agent.NAJ trojan (unable to clean - deleted) 00000000000000000000000000000000

#13 Guest_Cretemonster_*

Posted 10 October 2007 - 03:47 PM

Delete please--> D:\qoobox

Please make sure that any old versions of Java are uninstalled: go to Add/Remove Programs and remove any instances of Java with versions earlier than 1.6.3.

Java Runtime Environment (JRE) 6 Update 3 is the latest version and can be found at the link below if it's not already installed.
http://java.sun.com/javase/downloads/index.jsp

Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.

Once all is clear and a fresh boot has occurred, post back and let me know how the computer is running.

#14 Mark Dunn (Topic Starter)

Posted 12 October 2007 - 11:37 AM

I don't have a 'System Restore' tab.
Running OK; I have an occasional irrecoverable freeze, however, and the boot time is 15-20 sec longer than it used to be. Also, a number of programs, mostly Windows updates, and my Canon printer software, have disappeared from the 'Add/Remove Programs' list. So, when the printer stopped working, I couldn't uninstall it and had to just delete the folder. Now it will not reinstall: 'Multipass setup has found a device on a parallel port, and the connected port is assigned to the other Multipass device' (there isn't one).
Should I post this problem in a different forum?
Thanks again

#15 Guest_Cretemonster_*

Posted 12 October 2007 - 12:08 PM

Hmmmm... delete the copy of ComboFix you have, use the original links I posted and download a fresh copy please.

Run ComboFix; when it's finished, post that log please.



