Please Help W/ Antispy Storm Infection


9 replies to this topic

#1 troms (Members, 10 posts)

Posted 02 November 2007 - 10:41 PM

Hi,

I could really use your help with this infection I have. I came across your website out of desperation. Anything I've tried so far hasn't worked.

My desktop's wallpaper has been changed to a big red warning that reads, "Warning! Spyware threat has been detected on your PC". I constantly receive popups in my System tray, telling me that I need antivirus protection. When I click on the messages, they bring up the following URL: C:\WINDOWS\system32\drivers\pt.htm (PCSecurityLab.com) with an antispyware product 'Antispy Storm'.

I've tried all the steps mentioned on this website to no avail. Please help!

I've included my HijackThis log for your review. Thanks in advance.
Troms

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:52 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\vvgeowbv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\ldbqmemA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 194.54.90.238 google.com
O1 - Hosts: 194.54.90.238 google.ca
O1 - Hosts: 194.54.90.238 www.google.com
O1 - Hosts: 194.54.90.238 search.yahoo.com
O1 - Hosts: 194.54.90.238 search.msn.com
O1 - Hosts: 194.54.90.238 search.live.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {67601C84-D63C-81EF-1A16-8E8DBD278F9B} - C:\WINDOWS\system32\bxq.dll (file missing)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {73d0d912-1dd2-11b2-bd4a-a3c5d4711530} - C:\WINDOWS\ovedwnyf.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ldbqmemA] C:\WINDOWS\ldbqmemA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.notesathome.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase50/OrgPubX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup143.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05D8E0F8-E817-4767-BE25-15DDF175F018}: Domain = nyse.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{05D8E0F8-E817-4767-BE25-15DDF175F018}: NameServer = 159.125.152.129,159.125.152.130
O21 - SSODL: System - {B5BB0FB8-C441-458E-BDA1-4D08B2482B00} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11506 bytes


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 November 2007 - 08:47 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, troms.
My name is Richie and I'll be helping you to fix your problems.

First, temporarily disable SpySweeper. This is important, or it will interfere. Follow the instructions in the link below:
http://wiki.castlecops.com/Malware_Removal...toring_Programs

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 194.54.90.238 google.com
O1 - Hosts: 194.54.90.238 google.ca
O1 - Hosts: 194.54.90.238 www.google.com
O1 - Hosts: 194.54.90.238 search.yahoo.com
O1 - Hosts: 194.54.90.238 search.msn.com
O1 - Hosts: 194.54.90.238 search.live.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {67601C84-D63C-81EF-1A16-8E8DBD278F9B} - C:\WINDOWS\system32\bxq.dll (file missing)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

Exit Hijackthis.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 troms (Topic Starter, Members, 10 posts)

Posted 03 November 2007 - 06:16 PM

Thanks Richie, I did what you asked and the following is from the ComboFix log:

ComboFix 07-11-04.1 - Damian Trombetta 2007-11-04 19:09:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.419 [GMT -5:00]
Running from: C:\Documents and Settings\Damian Trombetta\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\Accoona
C:\Program Files\akl
C:\Program Files\amsys
C:\Program Files\e-zshopper
C:\Program Files\p2pnetworks

.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-03 17:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 17:29 18,432 --a------ C:\WINDOWS\fkwggshm.exe
2007-11-02 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-02 21:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-02 20:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-02 20:47 <DIR> d-------- C:\Documents and Settings\Damian Trombetta\.housecall6.6
2007-11-02 20:34 <DIR> d-------- C:\WINDOWS\Sun
2007-11-02 20:20 18,176 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 19:58 <DIR> d-------- C:\VundoFix Backups
2007-10-30 13:13 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-30 13:12 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-30 12:51 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-30 12:50 123,908 --a------ C:\WINDOWS\system32\vvgeowbv.exe
2007-10-30 12:49 <DIR> d-------- C:\WINDOWS\system32\Mz15r
2007-10-30 12:49 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-10-30 12:49 <DIR> d-------- C:\temp\mZOr
2007-10-30 12:49 72,704 --a------ C:\WINDOWS\ovedwnyf.dll
2007-10-30 12:49 3,638 --a------ C:\info.exe
2007-10-30 12:44 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 00:09 --------- d-----w C:\Documents and Settings\Damian Trombetta\Application Data\BitTorrent DNA
2007-11-03 01:30 --------- d-----w C:\Program Files\Java
2007-11-02 22:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 04:22 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-31 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 04:17 --------- d-----w C:\Program Files\Symantec
2007-10-31 04:16 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-31 04:16 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-31 04:16 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 04:16 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-30 19:58 --------- d-----w C:\Documents and Settings\Damian Trombetta\Application Data\RegClean
2007-10-30 17:43 164 ----a-w C:\install.dat
2007-10-22 01:02 --------- d-----w C:\Documents and Settings\Damian Trombetta\Application Data\BitTorrent
2007-10-03 19:22 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-10-03 19:22 --------- d-----w C:\Program Files\BitTorrent
2007-10-01 20:40 1,526,072 ----a-w C:\WINDOWS\WRSetup.dll
2007-10-01 20:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 20:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 20:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-17 18:23 --------- d-----w C:\Documents and Settings\Damian Trombetta\Application Data\dvdcss
2007-09-06 13:45 --------- d-----w C:\Program Files\Google
2007-08-22 23:21 1,592,727 --sh--w C:\WINDOWS\system32\uwwxx.ini2
2007-08-22 22:25 1,589,025 --sh--w C:\WINDOWS\system32\uwwxx.bak2
2007-08-22 04:10 1,589,582 --sh--w C:\WINDOWS\system32\uwwxx.bak1
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
1989-12-12 14:10:10 216,352 --sh--r C:\WINDOWS\ldbqmemA.exe
2007-08-01 02:08:41 1,731,037 --sha-w C:\WINDOWS\system32\hkllm.bak1
2007-08-01 19:55:25 1,729,968 --sha-w C:\WINDOWS\system32\hkllm.bak2
2007-08-01 20:08:15 1,730,395 --sha-w C:\WINDOWS\system32\hkllm.ini2
2007-07-19 02:03:18 6,365 --sha-w C:\WINDOWS\system32\jllnn.bak1
2007-07-29 21:36:37 1,739,282 --sha-w C:\WINDOWS\system32\jllnn.bak2
2007-07-30 13:12:59 1,740,525 --sha-w C:\WINDOWS\system32\jllnn.ini2
.

((((((((((((((((((((((((((((( snapshot@2007-11-04_18.52.33.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-08-25 01:19:57 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 23:51:53 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-08-25 01:19:57 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 23:51:53 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-07-22 22:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73d0d912-1dd2-11b2-bd4a-a3c5d4711530}]
2007-10-30 12:50 72704 --a------ C:\WINDOWS\ovedwnyf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ldbqmemA"="C:\WINDOWS\ldbqmemA.exe" [1989-12-12 09:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-05-22 13:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 15:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"LDM"="\Program\BackWeb-8876480.exe" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 19:28]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 12:32]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-03 14:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"LDM"=\Program\BackWeb-8876480.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2003-12-28 23:10:22]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-04-16 09:43:19]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-07-07 16:20:31]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 18:49 24672 C:\WINDOWS\system32\ckpNotify.dll

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys
S3 AKSIFDH;Aladdin IFD Handler;C:\WINDOWS\system32\DRIVERS\aksifdh.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-07 17:28:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-03 00:35:52 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Damian Trombetta.job"
- C:\PROGRA~1\NORTON~2\Navw32.exe
"2007-11-04 23:49:13 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
"2007-10-30 17:41:51 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 19:12:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-04 19:13:25
C:\ComboFix2.txt ... 2007-11-04 18:54
.
--- E O F ---

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 November 2007 - 06:48 PM

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\ovedwnyf.dll
C:\WINDOWS\system32\uwwxx.ini2
C:\WINDOWS\system32\uwwxx.bak2
C:\WINDOWS\system32\uwwxx.bak1
C:\WINDOWS\system32\hkllm.bak1
C:\WINDOWS\system32\hkllm.bak2
C:\WINDOWS\system32\hkllm.ini2
C:\WINDOWS\system32\jllnn.bak1
C:\WINDOWS\system32\jllnn.bak2
C:\WINDOWS\system32\jllnn.ini2
Folder::
C:\temp\mZOr
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73d0d912-1dd2-11b2-bd4a-a3c5d4711530}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ldbqmemA"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
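An added example, not part of the post above and not ComboFix or HostsXpert code: the two persistence points the CFScript's Registry:: section and the earlier "Restore Microsofts Original Hosts File" step deal with, done as plain text transformations so you can see exactly what is removed before anything is written back. Both functions work on text already read from the machine, so they run offline; SAMPLE_HOSTS is constructed from the O1 entries earlier in the thread, and the C:\WINDOWS path is the one from troms' log.

```python
"""Remediation helpers for the two persistence points fixed in this thread:
hosts-file redirects and the Winlogon Userinit value.

Added example: not part of the original post and not ComboFix/HostsXpert
code. Both functions operate on text already read from the machine, so they
run offline; SAMPLE_HOSTS is constructed from the O1 entries in post #1.
"""
import ipaddress
from typing import List, Tuple

DEFAULT_HOSTS = "127.0.0.1       localhost\n"
# Windows XP default, which is also what the CFScript sets (trailing comma included).
USERINIT_DEFAULT = r"C:\WINDOWS\system32\userinit.exe,"

# Constructed sample: a hosts file after the hijack seen in post #1.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
194.54.90.238 google.com
194.54.90.238 google.ca
194.54.90.238 www.google.com
194.54.90.238 search.yahoo.com
194.54.90.238 search.msn.com
194.54.90.238 search.live.com
"""


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not an IP address at all: treat as suspicious


def clean_hosts(text: str) -> Tuple[str, List[str]]:
    """Drop every mapping to a non-loopback address, keep comments and
    loopback lines, and make sure the default localhost line survives.
    Returns (cleaned_text, removed_lines)."""
    kept, removed = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            kept.append(raw)            # comment or blank line
        elif _is_loopback(entry.split()[0]):
            kept.append(raw)            # 127.0.0.1 / ::1 mappings are fine
        else:
            removed.append(raw)         # a name pointed at a remote host
    if not any(line.split()[:2] == ["127.0.0.1", "localhost"] for line in kept):
        kept.append(DEFAULT_HOSTS.rstrip("\n"))
    return "\n".join(kept).rstrip("\n") + "\n", removed


def fix_userinit(value: str, windir: str = r"C:\WINDOWS") -> Tuple[str, List[str]]:
    """Winlogon runs every comma-separated program in Userinit at logon, which
    is why the malware prepended vvgeowbv.exe and kept the real userinit.exe
    (logon still works, so nothing looks broken). Return the canonical value
    and the entries that were dropped."""
    canonical = windir.rstrip("\\") + r"\system32\userinit.exe"
    entries = [e.strip() for e in value.split(",") if e.strip()]
    removed = [e for e in entries if e.lower() != canonical.lower()]
    return canonical + ",", removed


if __name__ == "__main__":
    cleaned, gone = clean_hosts(SAMPLE_HOSTS)
    print("hosts entries removed:", *gone, sep="\n  ")
    print("cleaned hosts:\n" + cleaned)
    fixed, dropped = fix_userinit(
        r"C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe")
    print("Userinit ->", fixed, "| dropped:", dropped)
```

Writing the results back needs administrator rights: the hosts file lives at %SystemRoot%\system32\drivers\etc\hosts and this kind of malware often sets it hidden or read-only (clear with `attrib -r -h -s` first), and the Userinit value is under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Note that the ComboFix log above also lists a Userinit value under HKEY_CURRENT_USER, so check both hives, and re-check both after the reboot, since a still-running dropper such as the ldbqmemA.exe Run entry can simply put the hijack back.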

#5 troms (Topic Starter, Members, 10 posts)

Posted 04 November 2007 - 10:43 AM

Here you go Richie...

Combofix.txt Log:

ComboFix 07-11-04.1 - Damian Trombetta 2007-11-04 21:25:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.415 [GMT -5:00]
Running from: C:\Documents and Settings\Damian Trombetta\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Damian Trombetta\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\ovedwnyf.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\hkllm.bak1
C:\WINDOWS\system32\hkllm.bak2
C:\WINDOWS\system32\hkllm.ini2
C:\WINDOWS\system32\jllnn.bak1
C:\WINDOWS\system32\jllnn.bak2
C:\WINDOWS\system32\jllnn.ini2
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\uwwxx.bak1
C:\WINDOWS\system32\uwwxx.bak2
C:\WINDOWS\system32\uwwxx.ini2
C:\WINDOWS\system32\vvgeowbv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\mZOr
C:\VundoFix Backups
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\ovedwnyf.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\hkllm.bak1
C:\WINDOWS\system32\hkllm.bak2
C:\WINDOWS\system32\hkllm.ini2
C:\WINDOWS\system32\jllnn.bak1
C:\WINDOWS\system32\jllnn.bak2
C:\WINDOWS\system32\jllnn.ini2
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\uwwxx.bak1
C:\WINDOWS\system32\uwwxx.bak2
C:\WINDOWS\system32\uwwxx.ini2
C:\WINDOWS\system32\vvgeowbv.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-03 17:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-02 21:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-02 20:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-02 20:47 <DIR> d-------- C:\Documents and Settings\Damian Trombetta\.housecall6.6
2007-11-02 20:34 <DIR> d-------- C:\WINDOWS\Sun
2007-10-30 13:12 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-30 12:49 <DIR> d-------- C:\WINDOWS\system32\Mz15r
2007-10-30 12:49 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-10-30 12:49 3,638 --a------ C:\info.exe
2007-10-30 12:44 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 02:29 --------- d-----w C:\Documents and Settings\Damian Trombetta\Application Data\BitTorrent DNA
2007-11-03 01:30 --------- d-----w C:\Program Files\Java
2007-11-02 22:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 04:22 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-31 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 04:17 --------- d-----w C:\Program Files\Symantec
2007-10-31 04:16 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-31 04:16 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 04:16 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-30 19:58 --------- d-----w C:\Documents and Settings\Damian Trombetta\Application Data\RegClean
2007-10-30 17:43 164 ----a-w C:\install.dat
2007-10-22 01:02 --------- d-----w C:\Documents and Settings\Damian Trombetta\Application Data\BitTorrent
2007-10-03 19:22 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-10-03 19:22 --------- d-----w C:\Program Files\BitTorrent
2007-10-01 20:40 1,526,072 ----a-w C:\WINDOWS\WRSetup.dll
2007-10-01 20:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 20:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 20:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-17 18:23 --------- d-----w C:\Documents and Settings\Damian Trombetta\Application Data\dvdcss
2007-09-06 13:45 --------- d-----w C:\Program Files\Google
1989-12-12 14:10:10 216,352 --sh--r C:\WINDOWS\ldbqmemA.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-04_18.52.33.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-08-25 01:19:57 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-05 02:35:20 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-08-25 01:19:57 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-05 02:35:20 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-07-22 22:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22]
"RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-05-22 13:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 15:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"LDM"="\Program\BackWeb-8876480.exe" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 19:28]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 12:32]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-03 14:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"LDM"=\Program\BackWeb-8876480.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2003-12-28 23:10:22]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-04-16 09:43:19]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-07-07 16:20:31]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 18:49 24672 C:\WINDOWS\system32\ckpNotify.dll

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys
S3 AKSIFDH;Aladdin IFD Handler;C:\WINDOWS\system32\DRIVERS\aksifdh.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-07 17:28:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-03 00:35:52 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Damian Trombetta.job"
- C:\PROGRA~1\NORTON~2\Navw32.exe
"2007-11-05 16:33:16 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
"2007-10-30 17:41:51 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 11:34:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 11:37:38 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-04 19:13
C:\ComboFix3.txt ... 2007-11-04 18:54
.
--- E O F ---
==========================================================

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:21 AM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.notesathome.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase50/OrgPubX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup143.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05D8E0F8-E817-4767-BE25-15DDF175F018}: Domain = nyse.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{05D8E0F8-E817-4767-BE25-15DDF175F018}: NameServer = 159.125.152.129,159.125.152.130
O21 - SSODL: System - {B5BB0FB8-C441-458E-BDA1-4D08B2482B00} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9028 bytes

Thanks

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 04 November 2007 - 11:22 AM

Temporarily disable SpySweeper again (this is important, or it will interfere); follow the instructions in the link below:
http://wiki.castlecops.com/Malware_Removal...toring_Programs

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up KillBox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\ldbqmemA.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Click OK at any 'PendingFileRenameOperations' prompt.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase50/OrgPubX.cab
O21 - SSODL: System - {B5BB0FB8-C441-458E-BDA1-4D08B2482B00} - (no file)

Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log and let me know how your PC is running now.
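An added example, not code from HijackThis, ComboFix or any poster in this thread: a small Python triage pass over the kinds of lines the helper singled out above (O4 Run entries with a drive-less path, O16 ActiveX downloads from unfamiliar hosts, an O21 SSODL entry pointing at a missing file) plus the ComboFix Winlogon "Userinit" line from the earlier log, which is how the Renos hoax executable was being launched at logon. The sample lines are copied from the logs posted in this thread; the TRUSTED_DPF_HOSTS allow-list, the expected Userinit path and the flagging rules themselves are assumptions of this example rather than anything the thread or the tools state.

```python
"""Triage of autostart lines from the HijackThis and ComboFix logs in this thread.
Added example, not code from HijackThis, ComboFix or any poster; the rules are
heuristics for why the entries above stood out, not a malware verdict."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical analyst allow-list for O16 (ActiveX .cab) download hosts.
# Assumption of this example, not something the thread states.
TRUSTED_DPF_HOSTS = {
    "support.f-secure.com", "acs.pandasoftware.com", "www.pestscan.com",
    "download.abacast.com", "www.notesathome.com",
}
# Default Winlogon Userinit for a C:\WINDOWS install (assumed here).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Lines copied verbatim from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: System - {B5BB0FB8-C441-458E-BDA1-4D08B2482B00} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<ctrl>\S+)(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')
O21_RE = re.compile(r'^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$')
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>.*)"$')
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")  # HijackThis HKUS annotation
DRIVE_PATH_RE = re.compile(r'^[A-Za-z]:\\')


@dataclass
class Finding:
    kind: str
    subject: str
    reasons: list  # empty list means the line looked benign


def autostart_target(cmd: str) -> str:
    """Extract the executable path from an O4 command string."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def check_o4(m):
    target = autostart_target(m["cmd"])
    reasons = []
    if not DRIVE_PATH_RE.match(target):
        reasons.append("autostart path has no drive letter, so it resolves against "
                       "whichever drive is current at logon")
    return Finding("O4", f"{m['hive']} [{m['name']}] -> {target}", reasons)


def check_o16(m):
    host = (urlparse(m["url"]).hostname or "").lower()
    reasons = []
    if host not in TRUSTED_DPF_HOSTS:
        reasons.append(f"ActiveX control fetched from unvetted host {host}")
    if not m["desc"]:
        reasons.append("control has no registered name; identify the CLSID before trusting it")
    return Finding("O16", f"{m['ctrl']} <- {m['url']}", reasons)


def check_o21(m):
    reasons = []
    if m["target"].strip().lower() == "(no file)":
        reasons.append("ShellServiceObjectDelayLoad entry points at a DLL that no longer exists")
    return Finding("O21", f"{m['name']} {m['clsid']} -> {m['target']}", reasons)


def check_userinit(m):
    # ComboFix prints registry backslashes doubled; collapse them before comparing.
    entries = [e.strip().lower() for e in m["value"].replace("\\\\", "\\").split(",") if e.strip()]
    reasons = [f"Winlogon Userinit also launches {e}" for e in entries if e != EXPECTED_USERINIT]
    return Finding("Userinit", ",".join(entries), reasons)


def triage(log_text: str) -> list:
    """Return only the Findings that carry at least one reason."""
    checks = ((O4_RE, check_o4), (O16_RE, check_o16), (O21_RE, check_o21), (USERINIT_RE, check_userinit))
    findings = []
    for line in log_text.strip().splitlines():
        for rx, check in checks:
            m = rx.match(line.strip())
            if m:
                f = check(m)
                if f.reasons:
                    findings.append(f)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}", *("    - " + r for r in f.reasons), sep="\n")
```

Run against the sample it reports exactly the entries the helper listed for fixing (both LDM Run lines, the two unlisted .cab hosts, the orphaned SSODL entry) plus the extra Userinit executable, and stays quiet on the Symantec, Panda and SUPERAntiSpyware lines. The Userinit check matters most: anything in that comma list other than userinit.exe runs with the user's token at every interactive logon, before the shell is up, which is why the hoax kept reappearing after the Run keys were cleaned.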

#7 troms

troms
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:25 PM

Posted 06 November 2007 - 07:30 AM

Hi Richie,

F-Secure Scan Log:

Scanning Report
Tuesday, November 06, 2007 23:14:18 - 07:16:50
Computer name: DEEZWORLDPC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

--------------------------------------------------------------------------------

Result: 14 malware found
BargainBuddy (spyware)
System (Disinfected)
Password-protected-EXE (virus)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite58.zip (Submitted)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite60.zip (Submitted)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer9.zip (Submitted)
Trojan-Downloader.Win32.Tiny.zg (virus)
C:\info.exe (Renamed & Submitted)
Trojan-Downloader.Win32.VB.ang (virus)
C:\!KillBox\ldbqmemA.exe (Renamed & Submitted)
Trojan-Dropper.Win32.Small.hz (virus)
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22C32483.exe (Renamed & Submitted)
Trojan.JS.StartPage.r (virus)
C:\WINDOWS\system32\secure32.txt (Renamed & Submitted)
Vundo.gen38 (virus)
C:\WINDOWS\system32\uorwtmth.ini (Submitted)
Win32.Spyware.Acoona (spyware)
System (Disinfected)
Zlob.gen94 (virus)
C:\qoobox\Quarantine\C\WINDOWS\ovedwnyf.dll.vir (Submitted)
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\vgvsrerk.dll.vir (Submitted)
not-virus:Hoax.Win32.Renos.kj (virus)
C:\qoobox\Quarantine\C\WINDOWS\system32\vvgeowbv.exe.vir (Submitted)
not-virus:Hoax.Win32.Renos.y (virus)
C:\WINDOWS\system32\secure33.txt (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 165764
System: 11516
Not scanned: 502
Actions:
Disinfected: 2
Renamed: 4
Deleted: 0
None: 8
Submitted: 12
Files not scanned:
8?ˁx t AGEFILE.SYS
C:\WINDOWS\TEMP\{FC4051A9-72EF-48DC-93AF-455650EE6B49}
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\RECYCLER\NPROTECT\00015999.
C:\RECYCLER\NPROTECT\00016104.
C:\RECYCLER\NPROTECT\00016106.
C:\RECYCLER\NPROTECT\00016138.
C:\RECYCLER\NPROTECT\00039814
C:\RECYCLER\NPROTECT\00039817
C:\RECYCLER\NPROTECT\00039822.PF
C:\RECYCLER\NPROTECT\00040073
C:\RECYCLER\NPROTECT\00040074
C:\qoobox\Quarantine\C\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip.vir.vir\assist/asbar.dll
C:\qoobox\Quarantine\C\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip.vir.vir\assist/asbar.dll
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\MASTERS.BASE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\MASTERS\MASTERS.BAK
C:\PROGRAM FILES\SNES\ZELDA3.SRM
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_INTRO.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_MENU.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_MENU_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB1.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB1_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB2.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB2_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB3.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB3_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB4.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB4_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB5.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB5_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB6.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB6_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE1.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE1_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE2.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE2_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE3.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE3_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE4.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE4_REV.MP3
C:\PROGRAM FILES\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE5.MP3
C:\PROGRAM FILES\NERO\NERO 7\NER끭 T

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-11-04
F-Secure AVP: 7.0.171, 2007-11-05
F-Secure Orion: 1.2.37, 2007-11-05
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Pegasus: 1.19.0, 2007-10-04
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics
===================================
SUPERAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/06/2007 at 01:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3337
Trace Rules Database Version: 1338

Scan type : Complete Scan
Total Scan Time : 01:11:38

Memory items scanned : 599
Memory threats detected : 0
Registry items scanned : 6393
Registry threats detected : 0
File items scanned : 33282
File threats detected : 16

Adware.Tracking Cookie
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@hitbox[2].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@adlegend[2].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@cgi-bin[2].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@advertising[1].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@media.adrevolver[1].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@atdmt[2].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@adserver[1].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@mediaplex[1].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@questionmarket[2].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@ad.yieldmanager[2].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@revsci[2].txt
C:\Documents and Settings\Damian Trombetta\Cookies\damian trombetta@ads.pointroll[2].txt

Trojan.Downloader-Gen/MobRules
C:\SYSTEM VOLUME INFORMATION\_RESTORE{73404DD8-E395-4736-A051-450C0B0EC897}\RP193\A0043582.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{73404DD8-E395-4736-A051-450C0B0EC897}\RP195\A0043759.DLL

Trojan.Unknown Origin
C:\WINDOWS\TEMPF.TXT
================================

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:40 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.notesathome.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup143.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05D8E0F8-E817-4767-BE25-15DDF175F018}: Domain = nyse.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{05D8E0F8-E817-4767-BE25-15DDF175F018}: NameServer = 159.125.152.129,159.125.152.130
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8687 bytes
================================

It seems better so far but I haven't had a chance to play around yet. I'll let you know later on how I'm running. Thanks again!
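
An added example, not part of this thread or of HijackThis itself: a small Python triage helper that parses HijackThis entries like the ones in the log above (sample lines copied from that log) and lists the items a responder would review first. The `known_dns` allowlist is an assumption you fill in for your own network; a hit means "look at this", not "this is malicious".

```python
import re
from typing import Dict, List, NamedTuple, Set


class HjtEntry(NamedTuple):
    section: str  # e.g. "O17", "O23"
    body: str     # everything after "O17 - "


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05D8E0F8-E817-4767-BE25-15DDF175F018}: NameServer = 159.125.152.129,159.125.152.130
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""

# HijackThis lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
LINE_RE = re.compile(r"^([RFN]\d|O\d+) - (.*)$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Split a HijackThis log into (section, body) entries; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def triage(entries: List[HjtEntry], known_dns: Set[str]) -> Dict[str, List[str]]:
    """Group entries worth a second look, keyed by the reason they were flagged."""
    findings: Dict[str, List[str]] = {
        "unknown_dns": [], "unsigned_service": [], "dpf_download": [], "winlogon_notify": []}
    for e in entries:
        if e.section == "O17" and "NameServer" in e.body:
            # Resolver addresses not on the allowlist: classic DNS-hijack indicator.
            servers = e.body.split("=", 1)[1].replace(" ", "").split(",")
            unknown = [s for s in servers if s not in known_dns]
            if unknown:
                findings["unknown_dns"].append(",".join(unknown))
        elif e.section == "O23" and "Unknown owner" in e.body:
            # Service binary with no publisher recorded; path is the last " - " field.
            findings["unsigned_service"].append(e.body.split(" - ")[-1])
        elif e.section == "O16":
            # ActiveX download (DPF) origin; URL is the last " - " field.
            findings["dpf_download"].append(e.body.rsplit(" - ", 1)[-1])
        elif e.section == "O20":
            # Winlogon Notify DLLs load early; confirm the vendor before trusting.
            findings["winlogon_notify"].append(e.body)
    return findings
```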

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 06 November 2007 - 08:33 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#9 troms

troms
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:25 PM

Posted 06 November 2007 - 09:53 PM

Everything seems to be working now. I greatly appreciate your help and would be happy to give a donation. One last question...

Is it ok to have SUPERAntiSpyware & Webroot SpySweeper both installed on my PC and should I uninstall HijackThis?

Thanks again!

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 07 November 2007 - 03:52 AM

Is it ok to have SUPERAntiSpyware & Webroot SpySweeper both installed on my PC

They'll be fine together, but if you start experiencing system slowdowns I suggest you remove/uninstall SUPERAntiSpyware.

and should I uninstall HijackThis?

Yes
:thumbsup: