Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Mult. Infections, Cant Get Rid Of Them...help

  • Please log in to reply
3 replies to this topic

#1 hawg42


  • Members
  • 6 posts
  • Local time:01:59 PM

Posted 10 November 2007 - 12:29 PM

Here is a copy of my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:57 AM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070725
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070725
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] -"C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\Robs\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186174274281
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - -"C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (file missing)
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - -"C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" (file missing)
O23 - Service: NBService - Unknown owner - -C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Unknown owner - -C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Unknown owner - -C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe" (file missing)

End of file - 8026 bytes

any advise would be great.


BC AdBot (Login to Remove)



#2 RichieUK


    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:09:59 PM

Posted 11 November 2007 - 07:49 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum hawg42 :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 hawg42

  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:59 PM

Posted 12 November 2007 - 11:58 AM


ComboFix 07-11-08.3 - Robs 2007-11-12 9:49:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1380 [GMT -7:00]
Running from: C:\Documents and Settings\Robs\Desktop\ComboFix.exe
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))

2007-11-12 09:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 09:44 <DIR> d-------- C:\Program Files\Sun
2007-11-12 09:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-09 09:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-09 09:33 <DIR> d-------- C:\Documents and Settings\Robs\Application Data\SUPERAntiSpyware.com
2007-11-09 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-09 09:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 08:32 <DIR> d-------- C:\Temp
2007-11-08 08:30 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-11-06 11:51 <DIR> d-------- C:\WINDOWS\LocalSSL
2007-11-06 11:50 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-06 11:50 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-11-06 11:50 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-11-06 11:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 11:43 208 --ah----- C:\aaw7boot.cmd
2007-11-06 08:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM
2007-11-05 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-05 15:53 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2007-11-05 15:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-05 14:14 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-05 12:29 <DIR> d-------- C:\Program Files\WinZix
2007-11-05 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\part dead amok eggs
2007-11-01 10:17 <DIR> d-------- C:\Program Files\Netflix
2007-10-16 12:54 <DIR> d-------- C:\Program Files\PokerStars
2007-10-13 15:40 <DIR> d-------- C:\Program Files\Sportsbook Poker

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-11-12 16:43 --------- d-----w C:\Program Files\Java
2007-11-12 16:38 --------- d-----w C:\Documents and Settings\Robs\Application Data\Azureus
2007-11-10 18:53 --------- d-----w C:\Program Files\Google
2007-11-10 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-06 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-06 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 00:15 --------- d-----w C:\Program Files\DAEMON Tools Pro
2007-11-03 03:28 --------- d-----w C:\Program Files\CarbonPoker
2007-10-31 05:22 --------- d-----w C:\Documents and Settings\Robs\Application Data\Ahead
2007-10-03 22:23 --------- d-----w C:\Program Files\XoftSpySE
2007-10-01 16:07 --------- d-----w C:\Program Files\Electronic Arts
2007-09-28 16:38 --------- d-----w C:\Documents and Settings\Robs\Application Data\Apple Computer
2007-09-18 09:31 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 09:31 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-18 09:31 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 09:31 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 09:31 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 02:31]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-30 22:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Directory Opus Desktop Dblclk"="-C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

"Microsoft Updates"=svehost.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 05:43:54]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 16:28:28]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-07-25 01:05:39]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 17:01:04]

"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll [2007-06-08 14:03 694024]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 guardian2;guardian2;C:\WINDOWS\system32\Drivers\oz776.sys
S2 NvNdis;NVIDIA NDIS IO Control Driver;\??\C:\WINDOWS\system32\Drivers\NvNdis.sys

Contents of the 'Scheduled Tasks' folder
"2007-10-31 19:14:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-12 16:53:01 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-09-20 15:17:12 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 09:53:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2007-11-12 9:54:18 - machine was rebooted
--- E O F ---

#4 RichieUK


    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:09:59 PM

Posted 12 November 2007 - 04:37 PM

Please disable Spybot S&Dís protection,or it will interfere.
You can enable it later once you're system is clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:

Click Start/Control Panel/Add or Remove Programs and remove WinZix if present,then restart your pc.

Please download OTMoveIt by OldTimer:

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\WinZix
C:\Documents and Settings\All Users\Application Data\part dead amok eggs

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Also post a new Hijackthis log please.

Posted Image
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users