I Have A Suspicious File I Can't Delete And I Also Used To Have Backdoor.justfun



#1 radioactivelaxative

  • Members
  • 10 posts

Posted 30 October 2007 - 12:54 AM

Hi All,
I was referred here by DASOS (from the thread: http://www.bleepingcomputer.com/forums/topic112564.html) and basically I have two things I want to check out.
1) I've been told the backdoor.justfun has compromised the security of my computer forever, but I just want to make sure it's relatively safe at the moment, as reinstalling the OS (Windows XP) would be a real hassle.
2) I have just recently been infected by jpg.scr through MSN, and I think I have dealt with the trojan, but can't seem to delete it. It's called 62D4F8F5DDAC.exe and it only started sporadically popping up in Task Manager after I got infected, hogging resources... however, I managed to locate it and its DLL file of the same name in the C:\windows\debug folder. However, I couldn't see both files; I only managed to make the DLL file appear by trying to delete the entire debug folder, and only managed to delete this DLL file in safe mode. The 62D4... .exe doesn't appear in Task Manager anymore, yet it still exists hiding in the debug folder... so it's still a worry (I tried deleting through cmd and safe mode, but it didn't work). Another file that also worries me is passwd.log, which is only 0 KB and I can see, but I can't delete it no matter what either.
(see the thread for more details)

Thank you,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:55 PM, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iPrimus
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [Glide] C:\Glide\glidew32.exe
O4 - HKLM\..\Run: [CirqueGesture] C:\Glide\gesture.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141808885619
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 3937 bytes


#2 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts

Posted 31 October 2007 - 01:21 PM

Hi radioactivelaxative

The C:\WINDOWS\Debug\ folder and the PASSWD.LOG file in it are legit.
Now let’s see what the C:\WINDOWS\Debug\62D4F8F5DDAC.exe is.

Please visit the online Jotti Virus Scanner <--link
  • Click on the [image] button.
  • Copy and paste the following filepath in the box:

    C:\WINDOWS\Debug\62D4F8F5DDAC.exe

  • Click on the [image] button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
=====

Please download Combofix <--Link
  • Double-click combo.exe to launch the application.
  • Follow the prompts that will be displayed on the screen.
  • Don't click on the window while the fix is running, because that will cause your system to hang.
  • When finished, it should produce a log, combofix.txt.
  • Post this log in your next reply.
Note:
1. Close any open browsers.


Stelios

#3 radioactivelaxative

  • Topic Starter
  • Members
  • 10 posts

Posted 31 October 2007 - 05:19 PM

VirusTotal's scan results
Antivirus	  Version	  Last Update	  Result
AhnLab-V3	2007.11.1.0	2007.10.31	-
AntiVir	7.6.0.30	2007.10.31	TR/Crypt.NSPM.Gen
Authentium	4.93.8	2007.10.31	-
Avast	4.7.1074.0	2007.10.31	Win32:Virtualizer
AVG	7.5.0.503	2007.10.31	BackDoor.Hupigon3.HA
BitDefender	7.2	2007.10.31	Trojan.Spy.Delf.NII
CAT-QuickHeal	9.00	2007.10.31	(Suspicious) - DNAScan
ClamAV	0.91.2	2007.10.31	-
DrWeb	4.44.0.09170	2007.10.31	-
eSafe	7.0.15.0	2007.10.28	suspicious Trojan/Worm
eTrust-Vet	31.2.5256	2007.10.31	-
Ewido	4.0	2007.10.31	-
FileAdvisor	1	2007.10.31	High threat detected
Fortinet	3.11.0.0	2007.10.19	-
F-Prot	4.3.2.48	2007.10.31	-
F-Secure	6.70.13030.0	2007.10.31	Trojan.Win32.Delf.aji
Ikarus	T3.1.1.12	2007.10.31	Backdoor.Win32.Agent.ahj
Kaspersky	7.0.0.125	2007.10.31	Trojan.Win32.Delf.aji
McAfee	5153	2007.10.31	PWS-OnlineGames.l.dr
Microsoft	1.2908	2007.10.31	-
NOD32v2	2630	2007.10.31	-
Norman	5.80.02	2007.10.31	W32/Hupigon.gen67
Panda	9.0.0.4	2007.10.31	Trj/QQPass.ARR
Rising	19.47.21.00	2007.10.31	-
Sophos	4.23.0	2007.10.31	Mal/Packer
Sunbelt	2.2.907.0	2007.10.31	VIPRE.Suspicious
Symantec	10	2007.10.31	Infostealer.Gampass
TheHacker	6.2.9.110	2007.10.27	-
VBA32	3.12.2.4	2007.10.31	BackDoor.Pigeon.1604
VirusBuster	4.3.26:9	2007.10.31	Packed/NSPack
Additional information
File size: 102912 bytes
MD5: 6ffedfadb5b8237c10122540af7240cb
SHA1: 5a178c0d0af7818588632484a51ae4c51bb23bfc
packers: NsPack
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=6ffedfadb5b8237c10122540af7240cb
packers: NSPack, PE_Patch, Klone.AF
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

=============================================================================
Jotti's scan results

File: 62D4F8F5DDAC.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 6ffedfadb5b8237c10122540af7240cb
Packers detected:
-
Bit9 reports: High threat detected (more info)
Scanner results
Scan taken on 31 Oct 2007 22:10:08 (GMT)
A-Squared: Found Trojan.Win32.Delf.aji
AntiVir: Found TR/Crypt.NSPM.Gen
ArcaVir: Found Trojan.Delf.Aji
Avast: Found Win32:Virtualizer
AVG Antivirus: Found BackDoor.Hupigon3.HA
BitDefender: Found Trojan.Spy.Delf.NII
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found BackDoor.Pigeon.1604
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan.Win32.Delf.aji
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan.Win32.Delf.aji
NOD32: Found nothing
Norman Virus Control: Found W32/Hupigon.gen67
Panda Antivirus: Found Trj/QQPass.ARR
Rising Antivirus: Found nothing
Sophos Antivirus: Found Mal/Packer
VirusBuster: Found nothing
VBA32: Found BackDoor.Pigeon.1604

Edited by radioactivelaxative, 31 October 2007 - 05:20 PM.


#4 radioactivelaxative

  • Topic Starter
  • Members
  • 10 posts

Posted 31 October 2007 - 06:01 PM

Combolog below and also attached.
--------------------------------------------------------------


ComboFix 07-10-29.1 - MIS 2007-11-01 9:47:54.1 - NTFSx86
Running from: C:\Downloads\Software\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-29 19:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-29 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-28 17:06 <DIR> d-------- C:\Documents and Settings\MIS\.housecall6.6
2007-10-23 16:15 <DIR> d---s---- C:\Documents and Settings\MIS\UserData
2007-10-23 14:38 <DIR> d-------- C:\Program Files\KeyScrambler
2007-10-23 14:38 113,128 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-10-19 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-19 15:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-19 15:18 <DIR> d-------- C:\Documents and Settings\MIS\Application Data\SUPERAntiSpyware.com
2007-10-19 15:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 17:11 <DIR> d-------- C:\Documents and Settings\MIS\Application Data\Grisoft
2007-10-18 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-18 17:11 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-17 19:14 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-17 12:47 <DIR> d-------- C:\Program Files\Google
2007-10-12 18:33 <DIR> d-------- C:\Documents and Settings\MIS\Application Data\Subversion
2007-10-12 16:57 <DIR> d-------- C:\Program Files\Subversion
2007-10-11 15:17 <DIR> d-------- C:\Program Files\SCAR 3.12
2007-10-10 18:18 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-30 16:51 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-09-25 20:05 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-09-19 16:24 <DIR> d-------- C:\WINDOWS\Sun
2007-09-19 15:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-09-19 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2007-09-19 15:28 <DIR> d-------- C:\Program Files\Java
2007-09-19 15:28 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-18 21:24 <DIR> d-------- C:\WINDOWS\_PrimaxInstallTempDir1
2007-09-15 20:25 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-15 18:04 <DIR> d-------- C:\Program Files\ANT 4 PizzaTimer
2007-09-11 13:31 <DIR> d-------- C:\Program Files\CamStudio
2007-09-11 13:12 <DIR> d-------- C:\Downloads
2007-09-11 10:18 <DIR> d-------- C:\Documents and Settings\MIS\Application Data\Free Download Manager
2007-09-10 22:37 1,416 --a------ C:\WINDOWS\mozver.dat
2007-09-10 21:19 <DIR> d-------- C:\Documents and Settings\MIS\Contacts
2007-09-10 18:14 <DIR> d-------- C:\Program Files\Free Download Manager
2007-09-10 18:11 <DIR> d-------- C:\Program Files\KC Softwares
2007-09-10 18:08 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-10 18:08 <DIR> d-------- C:\Program Files\MSN Messenger
2007-09-10 18:06 <DIR> d-------- C:\WINDOWS\_PrimaxInstallTempDir0
2007-09-10 18:06 229,376 --a------ C:\WINDOWS\system32\PMUNINST.EXE
2007-09-10 01:20 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-10 01:20 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-10 01:20 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-09 18:18 <DIR> d-------- C:\Program Files\Axife Mouse Recorder DEMO
2007-09-09 11:50 <DIR> d-------- C:\Documents and Settings\MIS\Application Data\Talkback
2007-09-09 11:49 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-07 09:03 <DIR> d-------- C:\WINDOWS\FLV Player
2007-09-07 08:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-09-07 08:34 <DIR> d-------- C:\Program Files\FLV Player
2007-09-03 22:39 <DIR> d-------- C:\Program Files\Strategist Checkers

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 12:53 --------- d-----w C:\Program Files\RKFree
2007-10-25 06:12 --------- d-----w C:\Program Files\QuickTime
2007-10-25 06:09 --------- d-----w C:\Program Files\DivX
2007-09-19 04:43 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-19 04:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-19 04:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-15 07:29 --------- d-----w C:\Program Files\Jets N Guns
2007-09-12 04:14 --------- d-----w C:\Program Files\StepMania
2007-09-09 00:42 --------- d-----w C:\Program Files\GameHouse
2007-09-01 13:54 --------- d-----w C:\Program Files\MagicBalls
2007-08-27 11:12 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 09:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-09 13:09 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Glide"="C:\Glide\glidew32.exe" [2000-04-26 14:06]
"CirqueGesture"="C:\Glide\gesture.exe" [2000-04-26 14:07]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{7F7A1EDD-E15E-41ED-AA85-06EA55C7E13A}"= C:\WINDOWS\Debug\62D4F8F5DDAC.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Amon]
"C:\Program Files\Eset\amon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nod32CC]
"C:\WINDOWS\system32\nod32cc.exe" -DONTSHOW

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
"gusvc"=2 (0x2)
"VGADown"=2 (0x2)
"MDM"=2 (0x2)
"NOD32Service"=2 (0x2)
"NOD32ControlCenter"=2 (0x2)

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys
R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\system32\drivers\essm2e.sys
R3 OBOE;Toshiba FIR Port Type-DO;C:\WINDOWS\system32\DRIVERS\tos4mo.sys
R3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys
S4 NOD32ControlCenter;NOD32 Control Center Service;"C:\WINDOWS\system32\nod32cc.exe" -service
S4 NOD32Service;NOD32 Service;"C:\WINDOWS\system32\nod32m2.exe"

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 09:53:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 9:56:10
.
--- E O F ---

---------------------------------
thanks,
RL


#5 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts

Posted 01 November 2007 - 01:01 PM

Hi radioactivelaxative

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\Debug\62D4F8F5DDAC.exe
C:\WINDOWS\Debug\62D4F8F5DDAC.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{7F7A1EDD-E15E-41ED-AA85-06EA55C7E13A}"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"; post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please stay away from the internet [only to come here] until we clean your comp, enable your antivirus and install a firewall.
I'll let you know.

Why have you disabled your antivirus?? Not having real-time anti-virus protection leaves you open to malware!!!


Stelios
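As an added example (not code from this thread, from ComboFix, or from the helper), a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log like the one in post #4, flags ShellExecuteHooks entries that look like the one being removed here, and emits a CFScript in the File:: / Registry:: form used in this post. The sample log is constructed from the entries quoted in post #4; the heuristics, the EXPECTED_DIRS list and every function name are assumptions made for this example.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log for ShellExecuteHooks
entries and emit a CFScript for the ones that look wrong.

Added example; not code from the thread or from ComboFix. The sample log text is
constructed from the entries quoted in post #4, and every heuristic and name here
is an assumption made for this example.
"""
import re
from dataclasses import dataclass, field

HOOK_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\ShellExecuteHooks")

# Assumed for this example: a shell hook DLL is expected under one of these roots.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

# Constructed sample: the two ShellExecuteHooks lines from the ComboFix log in post #4,
# plus an unrelated Run entry to show that other sections are ignored.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Glide"="C:\Glide\glidew32.exe" [2000-04-26 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{7F7A1EDD-E15E-41ED-AA85-06EA55C7E13A}"= C:\WINDOWS\Debug\62D4F8F5DDAC.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "{CLSID}"= <dll path> [<timestamp and size ComboFix could read, possibly empty>]
HOOK_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"=\s*(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')


@dataclass
class HookEntry:
    clsid: str
    path: str
    meta: str                               # "" when ComboFix printed "[ ]"
    reasons: list = field(default_factory=list)


def parse_shell_execute_hooks(log_text: str) -> list:
    """Return a HookEntry for every value line under the ShellExecuteHooks key."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            in_section = section.group("key").lower() == HOOK_KEY.lower()
            continue
        if in_section:
            hook = HOOK_RE.match(line)
            if hook:
                entries.append(HookEntry(hook.group("clsid"), hook.group("path"),
                                         hook.group("meta").strip()))
    return entries


def assess(entry: HookEntry) -> HookEntry:
    """Attach the reasons (example heuristics) an entry deserves a closer look."""
    lowered = entry.path.lower()
    if not entry.meta:
        # ComboFix prints "[ ]" when it could not stat the file, which is how a
        # hidden or unreadable DLL shows up in the log.
        entry.reasons.append("no file metadata recorded (file hidden or unreadable)")
    if not lowered.startswith(EXPECTED_DIRS):
        entry.reasons.append("DLL outside expected directories")
    stem = lowered.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if re.fullmatch(r"[0-9a-f]{8,}", stem):
        entry.reasons.append("random-looking hexadecimal file name")
    return entry


def suspicious_hooks(log_text: str) -> list:
    """Parse, assess, and keep only the entries with at least one reason."""
    return [e for e in map(assess, parse_shell_execute_hooks(log_text)) if e.reasons]


def cfscript_for(entries: list, extra_files=()) -> str:
    """Build a CFScript in the File:: / Registry:: form used in this post: delete the
    hook DLLs (plus any extra paths, e.g. a same-named .exe) and drop the hook values."""
    files = [e.path for e in entries] + list(extra_files)
    values = [f'"{e.clsid}"=-' for e in entries]       # "=-" deletes the value
    return "\n".join(["File::", *files, "Registry::", f"[{HOOK_KEY}]", *values]) + "\n"


if __name__ == "__main__":
    flagged = suspicious_hooks(SAMPLE_LOG)
    for e in flagged:
        print(e.clsid, e.path, "->", "; ".join(e.reasons))
    print(cfscript_for(flagged, extra_files=[r"C:\WINDOWS\Debug\62D4F8F5DDAC.exe"]))
```

Run against the sample, only the Debug-folder entry is flagged (no recorded timestamp, unusual directory, hex-only name) and the generated script matches the one in this post once the same-named .exe is passed as an extra file.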

#6 radioactivelaxative

  • Topic Starter
  • Members
  • 10 posts

Posted 01 November 2007 - 05:20 PM

Hi DASOS,

I did as you requested. I disabled NOD because its updates were not working for me (I don't know why :S) and I feel AVG is easier to use at the moment. I thought AVG with 'Resident Shield' on was real-time protection. :thumbsup:

Anyway, ComboFix's log is as follows:

ComboFix 07-10-29.1 - MIS 2007-11-02  8:59:08.2 - NTFSx86 
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.125 [GMT 11:00]
Running from: C:\Downloads\Software\ComboFix.exe
Command switches used :: C:\Downloads\Software\CFScript.txt
 * Created a new restore point

FILE::
C:\WINDOWS\Debug\62D4F8F5DDAC.dll
C:\WINDOWS\Debug\62D4F8F5DDAC.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Debug\62D4F8F5DDAC.exe

.
(((((((((((((((((((((((((   Files Created from 2007-10-01 to 2007-11-01  )))))))))))))))))))))))))))))))
.

2007-11-01 09:44	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-29 19:05	<DIR>	d--------	C:\Program Files\Trend Micro
2007-10-29 19:03	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-28 17:06	<DIR>	d--------	C:\Documents and Settings\MIS\.housecall6.6
2007-10-23 16:15	<DIR>	d---s----	C:\Documents and Settings\MIS\UserData
2007-10-23 14:38	<DIR>	d--------	C:\Program Files\KeyScrambler
2007-10-23 14:38	113,128	--a------	C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-10-19 15:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-19 15:18	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2007-10-19 15:18	<DIR>	d--------	C:\Documents and Settings\MIS\Application Data\SUPERAntiSpyware.com
2007-10-19 15:15	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 17:11	<DIR>	d--------	C:\Documents and Settings\MIS\Application Data\Grisoft
2007-10-18 17:11	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-18 17:11	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-17 19:14	<DIR>	d--------	C:\Program Files\XoftSpySE
2007-10-17 12:47	<DIR>	d--------	C:\Program Files\Google
2007-10-12 18:33	<DIR>	d--------	C:\Documents and Settings\MIS\Application Data\Subversion
2007-10-12 16:57	<DIR>	d--------	C:\Program Files\Subversion
2007-10-11 15:17	<DIR>	d--------	C:\Program Files\SCAR 3.12
2007-10-10 18:18	584,192	-----c---	C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 13:28	---------	d-----w	C:\Documents and Settings\MIS\Application Data\Free Download Manager
2007-10-29 12:53	---------	d-----w	C:\Program Files\RKFree
2007-10-25 06:13	---------	d-----w	C:\Program Files\Strategist Checkers
2007-10-25 06:12	---------	d-----w	C:\Program Files\QuickTime
2007-10-25 06:09	---------	d-----w	C:\Program Files\DivX
2007-09-19 04:44	---------	d-----w	C:\Program Files\Common Files\Adobe Systems Shared
2007-09-19 04:44	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Macrovision
2007-09-19 04:43	---------	d-----w	C:\Program Files\Common Files\Adobe
2007-09-19 04:40	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-09-19 04:38	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-09-19 04:29	---------	d-----w	C:\Program Files\Java
2007-09-19 04:28	---------	d-----w	C:\Program Files\Common Files\Java
2007-09-15 07:29	---------	d-----w	C:\Program Files\Jets N Guns
2007-09-15 07:04	---------	d-----w	C:\Program Files\ANT 4 PizzaTimer
2007-09-15 07:02	---------	d-----w	C:\Program Files\Free Download Manager
2007-09-12 04:14	---------	d-----w	C:\Program Files\StepMania
2007-09-12 04:13	---------	d-----w	C:\Program Files\CamStudio
2007-09-10 07:11	---------	d-----w	C:\Program Files\KC Softwares
2007-09-10 07:08	---------	d-----w	C:\Program Files\MSN Messenger
2007-09-09 07:18	---------	d-----w	C:\Program Files\Axife Mouse Recorder DEMO
2007-09-09 00:50	---------	d-----w	C:\Documents and Settings\MIS\Application Data\Talkback
2007-09-09 00:42	---------	d-----w	C:\Program Files\GameHouse
2007-09-06 22:03	---------	d-----w	C:\Program Files\FLV Player
2007-09-01 13:54	---------	d-----w	C:\Program Files\MagicBalls
2007-08-27 11:12	164,352	----a-w	C:\WINDOWS\system32\SpoonUninstall.exe
2007-08-21 06:15	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
1998-12-09 02:53	99,840	----a-w	C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53	70,144	----a-w	C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53	48,640	----a-w	C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53	31,744	----a-w	C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53	186,368	----a-w	C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53	17,920	----a-w	C:\Program Files\Common Files\IRASRIAL.DLL
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Glide"="C:\Glide\glidew32.exe" [2000-04-26 14:06]
"CirqueGesture"="C:\Glide\gesture.exe" [2000-04-26 14:07]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Amon]
"C:\Program Files\Eset\amon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nod32CC]
"C:\WINDOWS\system32\nod32cc.exe" -DONTSHOW

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
"gusvc"=2 (0x2)
"VGADown"=2 (0x2)
"MDM"=2 (0x2)
"NOD32Service"=2 (0x2)
"NOD32ControlCenter"=2 (0x2)

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys
R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\system32\drivers\essm2e.sys
R3 OBOE;Toshiba FIR Port Type-DO;C:\WINDOWS\system32\DRIVERS\tos4mo.sys
R3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys
S4 NOD32ControlCenter;NOD32 Control Center Service;"C:\WINDOWS\system32\nod32cc.exe" -service
S4 NOD32Service;NOD32 Service;"C:\WINDOWS\system32\nod32m2.exe"

.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 09:04:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-11-02  9:06:55
C:\ComboFix2.txt ... 2007-11-01 09:56
.
	--- E O F ---



HijackThis Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:38 AM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [Glide] C:\Glide\glidew32.exe
O4 - HKLM\..\Run: [CirqueGesture] C:\Glide\gesture.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141808885619
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEF74E8E-1AD5-427F-9C76-A170CB5ECFE9}: NameServer = 203.88.255.99 203.122.64.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 3778 bytes


Thanks
RL

#7 DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 02 November 2007 - 04:29 PM

Hi RL

Please don’t code or quote the log(s); it’s hard to read.

AVG is an Anti-Spyware, not an antivirus. AVG’s Resident Shield and updates, if you haven’t paid for it, work only for 30 days; then you need to update the program manually. Also, if someone hasn’t paid for NOD32, the updates will stop after the trial days. Either way, the antivirus’s job is different, and NOD32 in my opinion is the top antivirus. There are also some very good free alternatives: AVG, Avast, Avira.
=====

Please go HERE to run Panda's ActiveScan
  • Note: This Scanner is for Internet Explorer Only!
  • Once you are on the Panda site click the Posted Image button
  • A new window will open.
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Posted Image
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Posted Image to start the scan
  • When the scan completes, if anything malicious is detected, click the Posted Image button, then click the Posted Image button and save it to a convenient location. Post the contents of the ActiveScan report
=====

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
=====


Please post back:

The panda report and a new HijackThis log.

Enable your antivirus, but don’t install a firewall yet; I’ll let you know!!


Stelios :thumbsup:

#8 radioactivelaxative

  • Topic Starter

  • Members
  • 10 posts

Posted 07 November 2007 - 10:07 PM

Hi Dasos,

Panda report as follows:


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Downloads\Software\ComboFix.exe[nircmd.exe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Downloads\Software\ComboFix.exe[nircmd.cfexe]


Virus:Trj/QQPass.ARR Disinfected C:\qoobox\Quarantine\C\WINDOWS\Debug\62D4F8F5DDAC.exe.vir

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe


-----------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:21 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Eset\amon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [Glide] C:\Glide\glidew32.exe
O4 - HKLM\..\Run: [CirqueGesture] C:\Glide\gesture.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Nod32CC] "C:\WINDOWS\system32\nod32cc.exe" -DONTSHOW
O4 - HKLM\..\Run: [Amon] "C:\Program Files\Eset\amon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141808885619
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEF74E8E-1AD5-427F-9C76-A170CB5ECFE9}: NameServer = 203.88.255.99 203.122.64.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 4338 bytes





Thanks,
RL
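As an added illustration of how a helper reads a log like the ones above (this is example code, not part of the thread and not HijackThis code): it parses entries in the HijackThis line format and flags the items that get a second look, namely a BHO whose DLL is gone, an O4 autorun starting from a folder nothing should start from (the C:\WINDOWS\Debug folder where this thread's trojan sat, or temp folders), and O17 DNS servers outside a trusted list. The sample entries are constructed; the Debug-folder Run entry is hypothetical, and the trusted DNS list in the test is just the two ISP resolvers shown in the log.

```python
import re
from typing import Dict, List, Set

# Constructed sample entries modelled on the HijackThis log posted above. The
# Debug-folder Run entry is hypothetical: it shows what an autorun for the trojan
# found in C:\WINDOWS\Debug would look like; no such line was in the real log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Amon] "C:\Program Files\Eset\amon.exe"
O4 - HKCU\..\Run: [62D4F8F5DDAC] C:\WINDOWS\Debug\62D4F8F5DDAC.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEF74E8E-1AD5-427F-9C76-A170CB5ECFE9}: NameServer = 203.88.255.99 203.122.64.4
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
# Folders nothing should legitimately auto-start from: where this thread's
# trojan lived, plus the temp locations the helper has the user clean out.
SUSPICIOUS_DIRS = ("c:\\windows\\debug\\", "\\temp\\", "\\temporary internet files\\")


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into (section, body) entries; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("sec"), "body": m.group("body")})
    return entries


def review(log: str, trusted_dns: Set[str]) -> List[str]:
    """Return one note per entry a helper would look at twice."""
    notes = []
    for e in parse_entries(log):
        sec, body = e["section"], e["body"]
        if sec == "O2" and body.endswith("- (no file)"):
            clsid = CLSID_RE.search(body)
            notes.append(f"O2 orphaned BHO {clsid.group(0) if clsid else '?'}: registry entry, no DLL on disk")
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m and any(d in m.group("cmd").lower() for d in SUSPICIOUS_DIRS):
                notes.append(f"O4 autorun [{m.group('name')}] starts from a suspicious folder: {m.group('cmd')}")
        elif sec == "O17" and "NameServer = " in body:
            servers = body.split("NameServer = ", 1)[1].split()
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                notes.append(f"O17 DNS servers not in the trusted list: {' '.join(unknown)}")
    return notes
```

Run `review(SAMPLE_LOG, {"203.88.255.99", "203.122.64.4"})` to get the two notes for the orphaned BHO and the Debug-folder autorun; an empty trusted set adds a third note for the O17 servers.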

#9 DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 09 November 2007 - 01:26 PM

Hi RL

Your log is clean! Great job!

Click Start and then Run, type or copy/paste combofix /u and press the OK button. This command deletes ComboFix and the files it dropped onto the machine.
=====

IMPORTANT It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer. Your log doesn't show a firewall running. If you have disabled it, please re-enable it. If you do not have a firewall installed, please download and install one of these excellent (and free) products:
Comodo, ZoneAlarm or Sygate

It is important to note that you should only have one firewall installed at a time, but you can download all to your Desktop and install each in turn to see which one you prefer.

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution.
=====

Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!


Stelios



