
Infected With Tr/fotomoto.f.1



#1 Yitzchak Ranjbar

Posted 10 November 2007 - 10:42 AM

Hi, this is my first post ever on any forum.

I was off downloading some things I probably shouldn't have and I came across a ton of spyware. Luckily, I was running AntiVir's guard, but I still get swamped with pop-ups every time I open Internet Explorer; I am using Mozilla Firefox right now (and it's great) but I want to get rid of all the malware just for the sake of having it gone (plus I get an annoying pop-up around three minutes after startup).

Also, on every startup, AntiVir finds the file: C:\Documents and Settings\WarMonkey\Local Settings\Temporary Internet Files\Content.IE5\09IZWXAB\pochki20071106[1]


With all that said, here is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:57 AM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [040dda97] rundll32.exe "C:\WINDOWS\system32\khiuntjp.dll",b
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\imapi32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193509895078
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\amixjhqf.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6655 bytes


#2 rookie147

Posted 10 November 2007 - 12:37 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Using My Computer, navigate to where you have HijackThis saved.
Right-click on the HijackThis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

You are using peer-to-peer programs, specifically uTorrent and BitComet.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.
For more information about infections as a result of p2p programs, take a look here: http://p2p.malwareremoval.com/

Then please scan once more with the renamed HijackThis file and post the log in your reply.
Thanks,
Charles



#3 Yitzchak Ranjbar (Topic Starter)

Posted 10 November 2007 - 05:26 PM

I uninstalled BitComet weeks ago, but it still shows up in the HijackThis scan. Anyway, here is the new log with uTorrent uninstalled:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:38 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\fccaawt.dll (file missing)
O2 - BHO: (no name) - {2E540FB6-B92D-4413-89FA-D53B581A6511} - (no file)
O2 - BHO: (no name) - {30CB7134-23C2-4A49-89E3-9F547653D67A} - (no file)
O2 - BHO: (no name) - {355B05AB-9B6C-462B-8869-409872EB75D0} - (no file)
O2 - BHO: (no name) - {45BE15C3-3FAE-4E81-86AF-181F7B83CC73} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {756C987B-B3F7-46C8-9BF0-C30D6420C36C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [040dda97] rundll32.exe "C:\WINDOWS\system32\khiuntjp.dll",b
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\imapi32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193509895078
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: fccaawt - fccaawt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\amixjhqf.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7496 bytes

#4 rookie147

Posted 11 November 2007 - 10:04 AM

Hello again,
It looks like there are still some leftovers from BitComet, but we'll clean them up later on.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles



#5 Yitzchak Ranjbar (Topic Starter)

Posted 11 November 2007 - 12:53 PM

It did not detect anything, but I checked and removed a few files (marked "file missing") in HijackThis prior to the scan. I Googled the files listed in the HijackThis log and it seems geebb.dll is not part of the original C:\Windows\system32 folder.

Anyway, here are my HijackThis and VundoFix logs:


VundoFix V6.5.11

Checking Java version...

Scan started at 10:33:44 AM 11/11/2007

Listing files found while scanning....


VundoFix V6.5.11

Checking Java version...

Scan started at 10:35:18 AM 11/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...




__________________________




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:15 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\VundoFix.exe
C:\Program Files\zsnesw142\zsnesw.exe
C:\Program Files\HijackThis\fluffybunny.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {612E024C-34BF-40DF-B328-CF55EF33F569} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {71B55B28-995C-4A0C-870D-C8B46EFBD945} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min /ns
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\DOCUME~1\WARMON~1\LOCALS~1\Temp\Rar$EX00.625\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193509895078
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6934 bytes

Edited by Yitzchak Ranjbar, 11 November 2007 - 12:54 PM.
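The entries this thread keeps returning to are recognisable from their structure rather than from any signature: registrations whose file is already gone ("(file missing)", "(no file)"), an O23 service with "Unknown owner", unnamed BHOs loading a DLL that sits directly in system32, an O4 Run value with an eight-digit hex name that loads a DLL through rundll32, and a Run value labelled "Windows Update" that points at a bare system32 executable. A second thing worth noticing is that geebb.dll survives between the second and third logs but under a different CLSID, which is the infection re-registering itself between scans. The Python script below is an added example, not part of this thread and not a component of HijackThis, VundoFix or ComboFix; it applies those checks to constructed excerpts of the second and third logs posted above and diffs the two scans. The regular expressions and the list of indicators are my own assumptions about what marks an entry as suspicious, not rules taken from any of those tools.

```python
"""Triage and diff helper for HijackThis logs (added example, not from the
thread or from HijackThis/VundoFix/ComboFix). Sample logs are constructed
excerpts of the second and third logs posted in this thread."""
import re

LOG_A = r"""
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\fccaawt.dll (file missing)
O2 - BHO: (no name) - {2E540FB6-B92D-4413-89FA-D53B581A6511} - (no file)
O2 - BHO: (no name) - {45BE15C3-3FAE-4E81-86AF-181F7B83CC73} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [040dda97] rundll32.exe "C:\WINDOWS\system32\khiuntjp.dll",b
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\imapi32.exe
O20 - Winlogon Notify: fccaawt - fccaawt.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\amixjhqf.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_B = r"""
O2 - BHO: (no name) - {612E024C-34BF-40DF-B328-CF55EF33F569} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: (no name) - {71B55B28-995C-4A0C-870D-C8B46EFBD945} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min /ns
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A DLL/EXE sitting directly in system32, not in a vendor subfolder such as
# system32\ZoneLabs\ (assumed heuristic: Vundo drops its random-name files there).
SYS32_ROOT_RE = re.compile(r"C:\\WINDOWS\\system32\\[A-Za-z0-9_~]+\.(?:dll|exe)", re.I)
LABEL_RE = re.compile(r"\[([^\]]+)\]")
DLL_NAME_RE = re.compile(r"([^\\\s]+\.dll)", re.I)


def parse(log):
    """Return (section, detail) pairs for every HijackThis entry line."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def flag(entry):
    """Reasons an entry deserves a second look; an empty list means it looks benign."""
    section, detail = entry
    reasons = []
    if "(file missing)" in detail or "(no file)" in detail:
        reasons.append("registration points at a file that no longer exists")
    if section == "O23" and "Unknown owner" in detail:
        reasons.append("service carries no vendor string")
    if section == "O2" and "(no name)" in detail and SYS32_ROOT_RE.search(detail):
        reasons.append("unnamed BHO loading a DLL straight from system32")
    if section == "O4":
        m = LABEL_RE.search(detail)
        label = m.group(1) if m else ""
        if re.fullmatch(r"[0-9a-f]{8}", label) and "rundll32" in detail.lower():
            reasons.append("hex-named Run value loading a DLL through rundll32")
        # No genuine Windows component registers a Run value called
        # "Windows Update"; a lookalike label on a bare system32 EXE is a red flag.
        if label.lower().startswith("windows ") and SYS32_ROOT_RE.search(detail):
            reasons.append("Windows-lookalike label on a bare system32 executable")
    return reasons


def triage(log):
    """All flagged entries of a log as (section, detail, reasons)."""
    return [(s, d, r) for s, d in parse(log) for r in [flag((s, d))] if r]


def diff_entries(log_a, log_b):
    """Entries added and removed between two scans, in log order."""
    a, b = parse(log_a), parse(log_b)
    return [d for d in b if d not in a], [d for d in a if d not in b]


def clsid_rotations(log_a, log_b):
    """BHO DLLs present in both scans but registered under a different CLSID:
    a stable file name with a rotating CLSID means the BHO was re-registered
    between scans, which is exactly what geebb.dll does in the logs above."""
    def by_dll(log):
        table = {}
        for section, detail in parse(log):
            clsid, dll = CLSID_RE.search(detail), DLL_NAME_RE.search(detail)
            if section == "O2" and clsid and dll:
                table[dll.group(1).lower()] = clsid.group(0)
        return table
    before, after = by_dll(log_a), by_dll(log_b)
    return {dll: (before[dll], after[dll]) for dll in before
            if dll in after and before[dll] != after[dll]}


if __name__ == "__main__":
    for section, detail, reasons in triage(LOG_A):
        print(section, detail, "=>", "; ".join(reasons))
    added, removed = diff_entries(LOG_A, LOG_B)
    print(len(added), "added,", len(removed), "removed between scans")
    print("rotated CLSIDs:", clsid_rotations(LOG_A, LOG_B))
```

Run against the two excerpts, the triage flags seven entries in the earlier log and two in the later one, and the rotation check reports geebb.dll moving from {45BE15C3-...} to {612E024C-...}; the diff also shows that removing entries in HijackThis only clears registrations, not the files behind them, which is why the BHO came back under a new CLSID. The heuristics deliberately avoid guessing at "random-looking" file names, since legitimate names like igfxtray.exe would trip such a test.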


#6 Yitzchak Ranjbar (Topic Starter)

Posted 11 November 2007 - 05:29 PM

Okay, I removed all the malware myself and this is how I did it:

1. I ran a ComboFix scan.
2. I went into safe mode with command prompt (normal safe mode does not work for some reason).
3. I deleted all the files combofix said it could not delete (using the ComboFix log).

Thank you for your time.

Here is my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\fluffybunny.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
O2 - BHO: (no name) - {612E024C-34BF-40DF-B328-CF55EF33F569} - (no file)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {71B55B28-995C-4A0C-870D-C8B46EFBD945} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min /ns
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193509895078
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6359 bytes



This post was made using Internet Explorer.

#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 13 November 2007 - 12:23 PM

Can I have a look at the Combofix log please? There are still leftovers that need taking care of.

If you are pleased with the service I have offered, you may like to consider making a donation.


#8 Yitzchak Ranjbar

Yitzchak Ranjbar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 PM

Posted 13 November 2007 - 10:42 PM

Here is my ComboFix log:


ComboFix 07-11-08.1 - WarMonkey 2007-11-11 14:27:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.161 [GMT -7:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\ppatch~1
C:\WINDOWS\ppatch~1\??pPatch\
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\geebb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 14:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 12:21 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\SiteAdvisor
2007-11-11 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-11 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-11 10:38 79,936 --a------ C:\WINDOWS\system32\ivagvqvj.dll
2007-11-11 10:35 88,128 --a------ C:\WINDOWS\system32\ipnqtamh.dll
2007-11-11 10:33 <DIR> d-------- C:\VundoFix Backups
2007-11-11 00:25 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-11-11 00:25 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-11-10 20:15 <DIR> d-------- C:\Program Files\Roms
2007-11-10 20:07 <DIR> d-------- C:\Program Files\zsnesw142
2007-11-10 16:54 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Uniblue
2007-11-10 08:30 81,472 --a------ C:\WINDOWS\system32\lyxgcbto.dll
2007-11-10 08:24 85,056 --a------ C:\WINDOWS\system32\kvmcnxyl.dll
2007-11-09 21:28 77,888 --a------ C:\WINDOWS\system32\wsotukou.dll
2007-11-09 20:21 1,267,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-09 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-09 20:16 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-09 20:16 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-11-09 20:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-09 20:13 88,128 --a------ C:\WINDOWS\system32\kgskbhbg.dll
2007-11-09 20:10 77,888 --a------ C:\WINDOWS\system32\nipkwfoe.dll
2007-11-09 18:49 77,888 --a------ C:\WINDOWS\system32\ihuruttu.dll
2007-11-09 17:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-09 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 14:26 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-11-09 14:26 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Thunderbird
2007-11-09 13:44 77,888 --a------ C:\WINDOWS\system32\bvonsmgt.dll
2007-11-09 13:28 77,888 --a------ C:\WINDOWS\system32\sfxljtha.dll
2007-11-09 13:06 77,888 --a------ C:\WINDOWS\system32\qlbqxevx.dll
2007-11-09 12:05 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\AntiVir PersonalEdition Premium
2007-11-09 11:59 77,888 --a------ C:\WINDOWS\system32\jionqbmt.dll
2007-11-09 11:25 77,888 --a------ C:\WINDOWS\system32\wudnjfxr.dll
2007-11-09 09:43 77,888 --a------ C:\WINDOWS\system32\cichsaby.dll
2007-11-09 00:08 77,888 --a------ C:\WINDOWS\system32\jbtgrsit.dll
2007-11-08 21:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 21:49 80,448 --a------ C:\WINDOWS\system32\ngvhjuyl.dll
2007-11-08 20:40 80,448 --a------ C:\WINDOWS\system32\pglgubvb.dll
2007-11-08 16:10 80,448 --a------ C:\WINDOWS\system32\ipgbufea.dll
2007-11-08 15:48 80,448 --a------ C:\WINDOWS\system32\oigqbdrm.dll
2007-11-07 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-05 20:11 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Grisoft
2007-11-05 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 20:11 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-05 19:14 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\DivX
2007-11-05 18:36 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-11-05 15:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-05 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-04 20:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-04 18:51 <DIR> d-------- C:\Program Files\QuickTime
2007-11-04 18:51 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-04 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-04 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 18:29 23 --a------ C:\WINDOWS\clofghls.dll
2007-11-04 17:00 <DIR> d-------- C:\Program Files\LizardTech
2007-11-02 22:04 <DIR> d-------- C:\Documents and Settings\WarMonkey\Incomplete
2007-11-02 22:04 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\LimeWire
2007-11-02 22:03 <DIR> d-------- C:\Program Files\LimeWire
2007-10-30 22:37 <DIR> d-------- C:\Program Files\FoundationStone 3.1
2007-10-30 21:31 <DIR> d-------- C:\WINDOWS\Sun
2007-10-30 21:29 <DIR> d-------- C:\Program Files\Java
2007-10-30 21:28 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-30 20:56 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Dev-Cpp
2007-10-30 20:55 <DIR> d-------- C:\Dev-Cpp
2007-10-30 19:24 <DIR> d-------- C:\Program Files\Mario Forever
2007-10-30 19:19 <DIR> d-------- C:\Program Files\LittleFighter2
2007-10-30 18:24 <DIR> d-------- C:\Program Files\illiminable
2007-10-30 17:29 1,277 --a------ C:\WINDOWS\mozver.dat
2007-10-30 17:08 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-29 20:51 <DIR> d-------- C:\Program Files\Google
2007-10-27 20:13 <DIR> d-------- C:\Program Files\MusicMasterWorks
2007-10-27 20:01 348,160 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2007-10-27 15:54 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\BitTorrent
2007-10-26 20:22 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\gtk-2.0
2007-10-26 17:05 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-10-26 17:01 <DIR> d-------- C:\Program Files\World of Warcraft
2007-10-26 15:51 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-10-25 23:08 <DIR> d---s---- C:\Documents and Settings\WarMonkey\UserData
2007-10-25 18:39 <DIR> d-------- C:\Program Files\GoldWave
2007-10-25 16:35 <DIR> d-------- C:\Program Files\Opera 9.5 beta
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-23 07:13 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-10-23 07:01 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-22 22:50 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\OpenOffice.org2
2007-10-22 22:38 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2007-10-22 21:42 <DIR> d-------- C:\Program Files\Fraps
2007-10-22 21:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-22 18:10 <DIR> d-------- C:\Program Files\Cain
2007-10-21 23:34 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\.purple
2007-10-21 23:15 <DIR> d-------- C:\Program Files\Pidgin
2007-10-21 23:15 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-10-21 16:58 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-10-21 16:58 <DIR> d-------- C:\Program Files\HPQ
2007-10-21 10:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-21 10:40 <DIR> d-------- C:\Program Files\Microsoft Games
2007-10-21 10:37 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-10-20 23:36 <DIR> d-------- C:\swsetup
2007-10-20 23:36 <DIR> d-------- C:\Program Files\Synaptics
2007-10-20 23:36 201,856 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2007-10-20 23:36 196,608 --a------ C:\WINDOWS\system32\SynCtrl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 21:42 14,492 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-11 05:33 --------- d-----w C:\Documents and Settings\WarMonkey\Application Data\.purple
2007-11-09 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-11-09 16:34 --------- d-----w C:\Program Files\Avira
2007-10-26 22:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-20 22:22 --------- d-----w C:\Program Files\Opera
2007-10-20 18:29 --------- d-----w C:\Program Files\Broadcom
2007-10-20 18:22 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-20 00:56 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-10-20 00:56 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-10-20 00:56 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-10-20 00:56 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-09-11 06:55 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-09-06 23:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{612E024C-34BF-40DF-B328-CF55EF33F569}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71B55B28-995C-4A0C-870D-C8B46EFBD945}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 10:09]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 10:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 10:10]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 14:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"RegistryMechanic"="" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2007-11-09 09:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 07:16]

C:\Documents and Settings\WarMonkey\Start Menu\Programs\Startup\
Mozilla Thunderbird.lnk - C:\Program Files\Mozilla Thunderbird\thunderbird.exe [2007-11-09 14:26:34]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geebb.dll

R2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe"
R2 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 21:47:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 14:46:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 14:49:25 - machine was rebooted
.
--- E O F ---
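The two things in this ComboFix log that a helper reacts to are the run of eight-letter DLL names dropped into system32 over a few days (many with identical byte sizes, which is what a dropper re-dropping itself under fresh names looks like) and the extra DLL appended to the LSA "Authentication Packages" value, which is loaded into lsass.exe at boot rather than being a plain file drop. As an added example, not ComboFix's code nor anything posted in this thread, the Python below parses a handful of lines copied from the log above and flags both. The eight-lowercase-letter naming heuristic, the msv1_0 baseline and the sample subset are assumptions of the example; the same functions apply to the second log further down the thread.

```python
"""Triage a pasted ComboFix log: flag random-named DLLs dropped into system32
and non-default LSA authentication packages.  Added example; not ComboFix code."""
import re
from collections import Counter
from datetime import datetime

# Sample input: a handful of lines copied from the first ComboFix log in this
# thread (constructed subset, not the full log).
SAMPLE_LOG = r"""
2007-11-11 14:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-11 10:38 79,936 --a------ C:\WINDOWS\system32\ivagvqvj.dll
2007-11-11 10:35 88,128 --a------ C:\WINDOWS\system32\ipnqtamh.dll
2007-11-10 08:30 81,472 --a------ C:\WINDOWS\system32\lyxgcbto.dll
2007-11-09 13:44 77,888 --a------ C:\WINDOWS\system32\bvonsmgt.dll
2007-11-09 13:28 77,888 --a------ C:\WINDOWS\system32\sfxljtha.dll
2007-11-09 13:06 77,888 --a------ C:\WINDOWS\system32\qlbqxevx.dll
2007-11-05 18:36 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-10-27 20:01 348,160 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2007-10-20 23:36 196,608 --a------ C:\WINDOWS\system32\SynCtrl.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geebb.dll
"""

# One 'Files Created' row: timestamp, size or <DIR>, attribute flags, path.
FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+)$")
AUTH_PKG_ROW = re.compile(r'^"Authentication Packages"\s*=\s*(.+)$')
# Heuristic (assumption of this example): eight lowercase letters and nothing
# else is the naming pattern of the droppers seen in this log.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_files(text):
    """Return the regular-file rows of a 'Files Created' section as dicts."""
    rows = []
    for line in text.splitlines():
        m = FILE_ROW.match(line.strip())
        if not m or m.group(2) == "<DIR>":
            continue
        rows.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
            "size": int(m.group(2).replace(",", "")),
            "attrs": m.group(3),
            "path": m.group(4),
        })
    return rows


def suspicious_dlls(rows):
    """DLLs under system32 with random-looking names, annotated with how many
    flagged DLLs share the same byte size (re-dropped copies of one payload
    tend to be byte-identical in size)."""
    hits = [r for r in rows
            if r["path"].lower().startswith(SYSTEM32)
            and RANDOM_DLL.match(r["path"].rsplit("\\", 1)[-1])]
    by_size = Counter(r["size"] for r in hits)
    return [dict(r, size_cluster=by_size[r["size"]]) for r in hits]


def nondefault_auth_packages(text, baseline=("msv1_0",)):
    """Entries on the LSA 'Authentication Packages' value beyond the baseline.
    Anything listed there is loaded into lsass.exe at boot, so an arbitrary
    DLL path on this value is a persistence point, not a plain file drop."""
    for line in text.splitlines():
        m = AUTH_PKG_ROW.match(line.strip())
        if m:
            return [p for p in m.group(1).split() if p.lower() not in baseline]
    return []


def triage(text):
    """Summarise one log: flagged DLLs and extra LSA packages."""
    return {
        "dlls": suspicious_dlls(parse_files(text)),
        "auth_packages": nondefault_auth_packages(text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for d in report["dlls"]:
        print(f"{d['time']:%Y-%m-%d %H:%M}  {d['size']:>8}  x{d['size_cluster']}  {d['path']}")
    for p in report["auth_packages"]:
        print("extra LSA authentication package:", p)
```

Run against the full log the size clusters are what make the pattern obvious: six flagged names share the 77,888-byte size and four share 80,448, while legitimate vendor DLLs in the same section (SynCtrl.dll, eSellerateEngine.dll) have readable names and unique sizes. The authentication-package check is the higher-value finding, since a DLL named there survives the deletion of the randomly named copies.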

#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 14 November 2007 - 04:30 PM

Sorry, I meant a new one.



#10 Yitzchak Ranjbar

Yitzchak Ranjbar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 PM

Posted 17 November 2007 - 11:44 AM

ComboFix 07-11-08.1 - WarMonkey 2007-11-17 9:36:36.2 - NTFSx86
Running from: C:\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-16 22:19 <DIR> d-------- C:\Program Files\Phex_3.2.0.102
2007-11-16 22:19 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Phex
2007-11-16 21:20 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Cabos
2007-11-12 20:02 <DIR> dr------- C:\Documents and Settings\WarMonkey\Shared
2007-11-12 20:01 <DIR> d-------- C:\Program Files\Cabos
2007-11-12 12:07 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-11 18:42 <DIR> d-------- C:\Program Files\eMule
2007-11-11 17:44 <DIR> d-------- C:\Program Files\uTorrent
2007-11-11 17:44 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\uTorrent
2007-11-11 14:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 12:21 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\SiteAdvisor
2007-11-11 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-11 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-11 10:38 79,936 --a------ C:\WINDOWS\system32\ivagvqvj.dll
2007-11-11 10:33 <DIR> d-------- C:\VundoFix Backups
2007-11-10 20:15 <DIR> d-------- C:\Program Files\Roms
2007-11-10 20:07 <DIR> d-------- C:\Program Files\zsnesw142
2007-11-10 16:54 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Uniblue
2007-11-10 08:24 85,056 --a------ C:\WINDOWS\system32\kvmcnxyl.dll
2007-11-09 20:21 1,718,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-09 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-09 20:16 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-09 20:16 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-11-09 20:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-09 17:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-09 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 14:26 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-11-09 14:26 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Thunderbird
2007-11-09 12:05 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\AntiVir PersonalEdition Premium
2007-11-08 21:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-05 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 19:14 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\DivX
2007-11-05 18:36 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-11-05 15:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-05 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-04 20:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-04 18:51 <DIR> d-------- C:\Program Files\QuickTime
2007-11-04 18:51 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-04 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-04 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 18:29 23 --a------ C:\WINDOWS\clofghls.dll
2007-11-04 17:00 <DIR> d-------- C:\Program Files\LizardTech
2007-11-02 22:04 <DIR> d-------- C:\Documents and Settings\WarMonkey\Incomplete
2007-11-02 22:04 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\LimeWire
2007-10-30 22:37 <DIR> d-------- C:\Program Files\FoundationStone 3.1
2007-10-30 21:31 <DIR> d-------- C:\WINDOWS\Sun
2007-10-30 21:29 <DIR> d-------- C:\Program Files\Java
2007-10-30 21:28 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-30 20:56 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\Dev-Cpp
2007-10-30 20:55 <DIR> d-------- C:\Dev-Cpp
2007-10-30 19:24 <DIR> d-------- C:\Program Files\Mario Forever
2007-10-30 19:19 <DIR> d-------- C:\Program Files\LittleFighter2
2007-10-30 18:24 <DIR> d-------- C:\Program Files\illiminable
2007-10-30 17:29 1,277 --a------ C:\WINDOWS\mozver.dat
2007-10-30 17:08 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-29 20:51 <DIR> d-------- C:\Program Files\Google
2007-10-27 20:13 <DIR> d-------- C:\Program Files\MusicMasterWorks
2007-10-27 20:01 348,160 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2007-10-27 15:54 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\BitTorrent
2007-10-26 20:22 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\gtk-2.0
2007-10-26 17:05 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-10-26 17:01 <DIR> d-------- C:\Program Files\World of Warcraft
2007-10-26 15:51 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-10-25 23:08 <DIR> d---s---- C:\Documents and Settings\WarMonkey\UserData
2007-10-25 18:39 <DIR> d-------- C:\Program Files\GoldWave
2007-10-25 16:35 <DIR> d-------- C:\Program Files\Opera 9.5 beta
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-23 07:13 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-10-23 07:01 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-22 22:50 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\OpenOffice.org2
2007-10-22 22:38 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2007-10-22 21:42 <DIR> d-------- C:\Program Files\Fraps
2007-10-22 21:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-22 18:10 <DIR> d-------- C:\Program Files\Cain
2007-10-21 23:34 <DIR> d-------- C:\Documents and Settings\WarMonkey\Application Data\.purple
2007-10-21 23:15 <DIR> d-------- C:\Program Files\Pidgin
2007-10-21 23:15 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-10-21 16:58 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-10-21 16:58 <DIR> d-------- C:\Program Files\HPQ
2007-10-21 10:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-21 10:40 <DIR> d-------- C:\Program Files\Microsoft Games
2007-10-21 10:37 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-10-20 23:36 <DIR> d-------- C:\swsetup
2007-10-20 23:36 <DIR> d-------- C:\Program Files\Synaptics
2007-10-20 23:36 201,856 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2007-10-20 23:36 196,608 --a------ C:\WINDOWS\system32\SynCtrl.dll
2007-10-20 23:36 163,840 --a------ C:\WINDOWS\system32\SynCOM.dll
2007-10-20 23:36 143,360 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2007-10-20 23:36 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll
2007-10-20 23:17 <DIR> d-------- C:\Program Files\DivX
2007-10-20 14:50 <DIR> d-------- C:\Program Files\sXe Injected
2007-10-20 14:46 <DIR> d-------- C:\Program Files\Counter-Strike 1.6
2007-10-20 12:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-20 12:54 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-20 04:10 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-10-20 04:10 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-20 04:10 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-20 04:10 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-10-20 04:09 74,240 --a------ C:\WINDOWS\system32\usbui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 07:07 --------- d-----w C:\Documents and Settings\WarMonkey\Application Data\.purple
2007-11-17 00:55 19,460 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-09 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-11-09 16:34 --------- d-----w C:\Program Files\Avira
2007-10-26 22:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-20 22:22 --------- d-----w C:\Program Files\Opera
2007-10-20 18:29 --------- d-----w C:\Program Files\Broadcom
2007-10-20 18:22 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-20 00:56 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-10-20 00:56 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-10-20 00:56 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-10-20 00:56 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-09-11 06:55 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-09-06 23:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_14.47.32.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 05:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{612E024C-34BF-40DF-B328-CF55EF33F569}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71B55B28-995C-4A0C-870D-C8B46EFBD945}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 10:09]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 10:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 10:10]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 14:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"RegistryMechanic"="" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2007-11-09 09:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 07:16]

R2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe"
R2 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 15:10:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 09:40:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 9:42:22
C:\ComboFix2.txt ... 2007-11-11 14:49
.
--- E O F ---

#11 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 18 November 2007 - 02:35 PM

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Next, find and delete the following files (if present):

C:\WINDOWS\system32\ivagvqvj.dll
C:\WINDOWS\system32\kvmcnxyl.dll

Then reboot back into Normal Mode again.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

I'd like the Panda log in your reply.
Thanks,
Charles



#12 Yitzchak Ranjbar

Yitzchak Ranjbar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 PM

Posted 22 November 2007 - 05:17 PM

My internet was down for a while, so it took some time for me to respond.

Panda Activescan Log:


Incident Status Location

Hacktool:HackTool/Cain.C Not disinfected C:\Downloads\ca_setup.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Downloads\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Downloads\ComboFix.exe[nircmd.cfexe]
Hacktool:HackTool/Cain.D Not disinfected C:\Program Files\Cain\Cain.exe
Virus:Generic Malware Disinfected C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 23 November 2007 - 05:05 PM

The folder below needs to be deleted:

C:\Program Files\Cain

Then let me know how things are running now.
Thanks,
Charles



#14 Yitzchak Ranjbar

Yitzchak Ranjbar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 PM

Posted 28 November 2007 - 01:10 AM

Everything seems to be going great! No detections at all.
Thanks a lot for the help, you just made my day :thumbsup:

#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 28 November 2007 - 04:22 PM

You are of course very welcome for the help; I'm glad we got your problem sorted out. Great job!
Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles
