
Virtumonde


This topic is locked
20 replies to this topic

#1 St. Ouens (Members, 12 posts)

Posted 14 November 2007 - 05:54 AM

Hello
Tried VundoFix and VirtumundoBeGone before stepping through the pre-log requirements.
So, I have run Ad-Aware and Spybot (both of which I already had); ran HouseCall (which picked up Troj_Dloader.wap, Troj_vundo.dam and ADW_FUNWEB.U); ran Avast (which is my anti-virus s/w); ran Avert Stinger; re-ran Spybot... now still showing only 1 Virtumonde instance (previously 5) and no MySearch.

Here's hoping........
P.S. I have now uninstalled LimeWire, which my teenager recently added.

HijackThis log as requested below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:10 p.m., on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
D:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lmuqtjtc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xtra Help Assistant\bin\McciTrayApp.exe
C:\WINDOWS\system32\asrsvc.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Garmin\gStart.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
D:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aanet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [tcnzTrayApp] "C:\Program Files\Xtra Help Assistant\bin\McciTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\d.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [844ef200] rundll32.exe "C:\WINDOWS\system32\ucfstchm.dll",b
O4 - HKCU\..\Run: [MilShieldSlave] "C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] D:\Garmin\gStart.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011
O4 - Startup: 12Ghosts Wash.lnk = D:\Program Files\12Ghosts\12wash.exe
O4 - Global Startup: Xtra Help Assistant.lnk = C:\Program Files\Xtra Help Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://aanet
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB908637-8150-44C1-8F10-68C849CE89F6}: NameServer = 202.27.158.40 202.27.156.72
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MilShieldCleaner - Unknown owner - C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe

--
End of file - 6677 bytes

Edited by St. Ouens, 14 November 2007 - 05:56 AM.



#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 14 November 2007 - 04:29 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, St. Ouens :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Click Start/Control Panel/Add or Remove Programs and remove MyWebSearch, then restart your PC.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE).
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save it to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Disconnect from the Internet.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your antivirus or any other real-time scanner displays an alert after you download ComboFix or while you use ComboFix, please disable your scanner and re-download ComboFix.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 St. Ouens (Topic Starter, Members, 12 posts)

Posted 15 November 2007 - 02:10 AM

Hi RichieUK, and hey, thanks for your help.
I have done as you asked and provide the logs below - first ComboFix:

ComboFix 07-11-08.3 - Mark 2007-11-15 19:45:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.822 [GMT 13:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Mark\Application Data\FunWebProducts
C:\Documents and Settings\Mark\Application Data\FunWebProducts\Data\Mark\avatar.dat
C:\Documents and Settings\Mark\Application Data\FunWebProducts\Data\Mark\register.dat
C:\Documents and Settings\Mark\Favorites\Online Security Guide.lnk
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn-new.htmlx
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\ihbrwosk.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\vzqltgfi.dllbox
C:\WINDOWS\SYSTEM32\yybeg.bak1
C:\WINDOWS\SYSTEM32\yybeg.bak2
C:\WINDOWS\SYSTEM32\yybeg.ini
C:\WINDOWS\SYSTEM32\yybeg.ini2
C:\WINDOWS\SYSTEM32\yybeg.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SFSYNC02
-------\DomainService
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 19:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 19:38 71,232 --a------ C:\WINDOWS\SYSTEM32\obchaaht.exe
2007-11-15 19:35 86,080 --a------ C:\WINDOWS\SYSTEM32\gwnwtwdx.dll
2007-11-15 19:22 79,936 --a------ C:\WINDOWS\SYSTEM32\urtuenut.dll
2007-11-15 19:19 71,232 --a------ C:\WINDOWS\SYSTEM32\sutvcvfe.exe
2007-11-15 06:16 79,424 --a------ C:\WINDOWS\SYSTEM32\vnahfkob.dll
2007-11-15 06:13 71,232 --a------ C:\WINDOWS\SYSTEM32\pkcthstl.exe
2007-11-14 23:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-14 16:17 80,448 --a------ C:\WINDOWS\SYSTEM32\iliucohy.dll
2007-11-14 16:14 71,232 --a------ C:\WINDOWS\SYSTEM32\sgmtqekw.exe
2007-11-13 20:23 <DIR> d-------- C:\Documents and Settings\Mark\.housecall6.6
2007-11-13 16:23 81,472 --a------ C:\WINDOWS\SYSTEM32\ggsfmunq.dll
2007-11-13 16:14 71,232 --a------ C:\WINDOWS\SYSTEM32\ssyafgwu.exe
2007-11-13 16:11 81,472 --a------ C:\WINDOWS\SYSTEM32\drfsrtqq.dll
2007-11-13 09:27 81,472 --a------ C:\WINDOWS\SYSTEM32\pwyddxtd.dll
2007-11-13 09:21 71,232 --a------ C:\WINDOWS\SYSTEM32\lmuqtjtc.exe
2007-11-12 18:26 81,472 --a------ C:\WINDOWS\SYSTEM32\kkkssibm.dll
2007-11-12 18:17 71,232 --a------ C:\WINDOWS\SYSTEM32\xsnnnacm.exe
2007-11-12 17:32 79,936 --a------ C:\WINDOWS\SYSTEM32\opkkvcet.dll
2007-11-12 17:23 71,232 --a------ C:\WINDOWS\SYSTEM32\hmepqduc.exe
2007-11-12 17:20 79,936 --a------ C:\WINDOWS\SYSTEM32\fycphaku.dll
2007-11-12 07:27 79,936 --a------ C:\WINDOWS\SYSTEM32\uwvaeoon.dll
2007-11-12 07:21 71,232 --a------ C:\WINDOWS\SYSTEM32\ksswesbj.exe
2007-11-12 07:18 79,936 --a------ C:\WINDOWS\SYSTEM32\qrvedsgb.dll
2007-11-11 14:37 81,472 --a------ C:\WINDOWS\SYSTEM32\rcjgieem.dll
2007-11-11 14:29 71,232 --a------ C:\WINDOWS\SYSTEM32\hcruvsph.exe
2007-11-11 14:26 81,472 --a------ C:\WINDOWS\SYSTEM32\wdjqrpbr.dll
2007-11-11 08:58 81,472 --a------ C:\WINDOWS\SYSTEM32\jpdxdagm.dll
2007-11-11 08:55 71,232 --a------ C:\WINDOWS\SYSTEM32\ejnuhrul.exe
2007-11-10 22:57 81,472 --a------ C:\WINDOWS\SYSTEM32\neddnriy.dll
2007-11-10 22:48 71,232 --a------ C:\WINDOWS\SYSTEM32\gsghsudv.exe
2007-11-10 22:42 81,472 --a------ C:\WINDOWS\SYSTEM32\ilieypth.dll
2007-11-10 19:05 71,232 --a------ C:\WINDOWS\SYSTEM32\pvekkyfn.exe
2007-11-10 19:02 81,472 --a------ C:\WINDOWS\SYSTEM32\tomdksuj.dll
2007-11-10 10:01 77,888 --a------ C:\WINDOWS\SYSTEM32\plljbwqa.dll
2007-11-10 09:55 71,232 --a------ C:\WINDOWS\SYSTEM32\knpsbuqa.exe
2007-11-10 07:46 88,128 --a------ C:\WINDOWS\SYSTEM32\lejhqfwq.dll
2007-11-10 07:46 77,888 --a------ C:\WINDOWS\SYSTEM32\slkgojxg.dll
2007-11-10 07:43 71,232 --a------ C:\WINDOWS\SYSTEM32\jgdytwpa.exe
2007-11-10 07:37 77,888 --a------ C:\WINDOWS\SYSTEM32\skstwqhj.dll
2007-11-09 08:28 80,448 --a------ C:\WINDOWS\SYSTEM32\aeagmnnn.dll
2007-11-09 08:19 71,232 --a------ C:\WINDOWS\SYSTEM32\ejfiiuak.exe
2007-11-08 20:47 <DIR> d-------- C:\Documents and Settings\Mark\Shared
2007-11-08 20:47 <DIR> d-------- C:\Documents and Settings\Mark\Incomplete
2007-11-08 20:47 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\LimeWire
2007-11-08 20:46 <DIR> d-------- C:\Program Files\LimeWire
2007-11-08 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-08 19:44 <DIR> d-------- C:\Program Files\iPod
2007-11-08 17:05 79,936 --a------ C:\WINDOWS\SYSTEM32\wdnbreke.dll
2007-11-08 16:59 71,232 --a------ C:\WINDOWS\SYSTEM32\owakqllv.exe
2007-11-08 16:56 79,936 --a------ C:\WINDOWS\SYSTEM32\xhdbnqme.dll
2007-11-08 11:26 79,936 --a------ C:\WINDOWS\SYSTEM32\jvpwvyca.dll
2007-11-08 11:20 71,232 --a------ C:\WINDOWS\SYSTEM32\hlsuimof.exe
2007-11-08 08:27 <DIR> d-------- C:\VundoFix Backups
2007-11-08 07:46 79,936 --a------ C:\WINDOWS\SYSTEM32\ubafhjgm.dll
2007-11-08 07:40 71,232 --a------ C:\WINDOWS\SYSTEM32\iktfyunk.exe
2007-11-07 07:35 81,472 --a------ C:\WINDOWS\SYSTEM32\oispcmfl.dll
2007-11-07 07:31 145,984 --a------ C:\WINDOWS\SYSTEM32\wacqwyib.dll
2007-11-07 07:28 71,232 --a------ C:\WINDOWS\SYSTEM32\pjrrivlb.exe
2007-11-07 07:25 81,472 --a------ C:\WINDOWS\SYSTEM32\twevexod.dll
2007-11-06 07:33 83,008 --a------ C:\WINDOWS\SYSTEM32\tydkyshr.dll
2007-11-05 21:41 83,008 --a------ C:\WINDOWS\SYSTEM32\jtlmvaor.dll
2007-11-05 21:27 85,568 --a------ C:\WINDOWS\SYSTEM32\lwtowpgo.dll
2007-11-05 21:27 83,008 --a------ C:\WINDOWS\SYSTEM32\sryfnsxr.dll
2007-11-05 21:21 83,008 --a------ C:\WINDOWS\SYSTEM32\ysfqolys.dll
2007-11-05 19:53 83,008 --a------ C:\WINDOWS\SYSTEM32\pasnmjle.dll
2007-11-05 19:44 83,008 --a------ C:\WINDOWS\SYSTEM32\piwjxcob.dll
2007-11-05 08:18 78,912 --a------ C:\WINDOWS\SYSTEM32\jlivxpct.dll
2007-11-04 21:59 78,912 --a------ C:\WINDOWS\SYSTEM32\rripkidh.dll
2007-11-03 21:53 81,472 --a------ C:\WINDOWS\SYSTEM32\pcokfxsy.dll
2007-11-03 16:08 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-03 14:26 33,280 --a------ C:\WINDOWS\SYSTEM32\urqqqol.dll
2007-11-03 14:07 33,280 --a------ C:\WINDOWS\SYSTEM32\yayvsqn.dll
2007-11-03 12:30 33,280 --a------ C:\WINDOWS\SYSTEM32\efcyyvu.dll
2007-11-03 12:17 33,280 --a------ C:\WINDOWS\SYSTEM32\khfgdbb.dll
2007-11-01 08:38 33,280 --a------ C:\WINDOWS\SYSTEM32\iifdecy.dll
2007-10-31 18:49 10,752 -rahs---- C:\WINDOWS\SYSTEM32\asrsvc.exe
2007-10-29 07:15 <DIR> d-------- C:\Documents and Settings\Mark\ini
2007-10-29 07:15 <DIR> d-------- C:\Documents and Settings\Mark\data
2007-10-29 07:15 <DIR> d-------- C:\Documents and Settings\Mark\ani
2007-10-29 07:15 991,232 --a------ C:\Documents and Settings\Mark\Conquer.exe
2007-10-29 07:15 122,880 --a------ C:\Documents and Settings\Mark\Chat.dll
2007-10-29 07:15 114,688 --a------ C:\Documents and Settings\Mark\RoleView.dll
2007-10-29 07:15 102,400 --a------ C:\Documents and Settings\Mark\GameData.dll
2007-10-29 07:15 4 --a------ C:\Documents and Settings\Mark\version.dat
2007-10-29 06:58 <DIR> d-------- C:\Program Files\Conquer 2.0
2007-10-29 06:57 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\InstallShield
2007-10-28 20:44 <DIR> d-------- C:\Program Files\BitComet
2007-10-27 09:21 <DIR> d-------- C:\Program Files\TryMedia
2007-10-27 09:21 <DIR> d-------- C:\Program Files\Anarchy
2007-10-26 20:54 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-10-26 20:53 <DIR> d-------- C:\Program Files\AgeOfCastles_at

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 06:40 --------- d-----w C:\Program Files\Java
2007-11-14 06:07 --------- d-----w C:\Program Files\MSN Messenger
2007-11-08 06:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-06 18:18 --------- d-----w C:\Program Files\Google
2007-11-03 03:08 --------- d-----w C:\Program Files\Common Files\Real
2007-11-03 03:06 --------- d-----w C:\Program Files\Real
2007-10-28 17:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 01:03 --------- d-----w C:\Program Files\Activision
2007-09-22 22:22 --------- d-----w C:\Program Files\Electronic Arts
2007-09-03 07:26 64,872 -c--a-w C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2006-11-24 21:51 146 ----a-w C:\Program Files\UninstAP.wsu
2003-10-13 07:42 1,766,362 -c--a-w C:\Program Files\powergee.exe
2003-06-06 23:01 27 -c--a-w C:\Program Files\CUSTDATA.INI
2003-06-02 02:54 179 -c--a-w C:\Program Files\34490.12g
2003-06-02 01:47 1,672,778 -c--a-w C:\Program Files\12popup.exe
2002-01-16 01:46 134 ------w C:\Program Files\Wolapi.ini
2002-01-16 00:34 185,344 ------w C:\Program Files\PATCHW32.DLL
2002-01-15 22:27 286,796 ------w C:\Program Files\WOLAPI.dll
2001-11-29 18:53 73,728 ------w C:\Program Files\UnstllAP.exe
2001-11-29 18:53 118,784 ------w C:\Program Files\UninstAP.exe
2001-11-29 18:45 1,656 ------w C:\Program Files\UninstAP.loc
2001-10-25 01:18 65,536 ------w C:\Program Files\REGISTER.EXE
2001-10-22 22:52 73,728 ------w C:\Program Files\WOLBrowser.dll
2000-08-15 03:52 605 ------w C:\Program Files\NL.cfg
2000-08-15 03:52 39,608 ------w C:\Program Files\LAUNCHER.BMP
2000-08-15 03:52 37,742 ------w C:\Program Files\Wolapi.war
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91dd0c96-eca4-4861-a4ca-143f65f124be}]
2007-11-15 19:22 79936 --a------ C:\WINDOWS\system32\urtuenut.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-06-15 22:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-06-15 22:20]
"DiskeeperSystray"="D:\Program Files\Diskeeper\DkIcon.exe" [2006-10-04 12:38]
"tcnzTrayApp"="C:\Program Files\Xtra Help Assistant\bin\McciTrayApp.exe" [2007-04-11 18:30]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
"Application Layer Services"="asrsvc.exe" [2007-10-31 05:48 C:\WINDOWS\SYSTEM32\asrsvc.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-03 16:06]
"QuickTime Task"="D:\program files\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"844ef200"="C:\WINDOWS\system32\gwnwtwdx.dll" [2007-11-15 19:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MilShieldSlave"="C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" [2007-01-23 22:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:56]
"gStart"="D:\Garmin\gStart.exe" [2007-03-05 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SWHelper"="C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Xtra Help Assistant.lnk - C:\Program Files\Xtra Help Assistant\bin\matcli.exe [2007-06-28 12:02:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyy.dll
"Notification Packages"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^12Ghosts Popup-Killer.lnk]
backup=C:\WINDOWS\pss\12Ghosts Popup-Killer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^12Ghosts Tower.lnk]
backup=C:\WINDOWS\pss\12Ghosts Tower.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MilShieldSlave]
"C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
C:\Program Files\Razer\Copperhead\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"vsmon"=3 (0x3)
"SDPASVC"=2 (0x2)
"NVSvc"=2 (0x2)
"MilShieldCleaner"=2 (0x2)
"Diskeeper"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)

R3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
S1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
S3 AgilentUSBCam;E-Video DC-350 USB Camera;C:\WINDOWS\system32\DRIVERS\Atusbcam.sys
S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Mark\LOCALS~1\Temp\jfdcd.sys
S3 PentaxUsb;PENTAX Optio E10 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
S3 PentaxVc;PENTAX Optio E10 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
S4 SDPASVC;SDPAUMS server service;C:\WINDOWS\System32\sdpasvc.exe -service

.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 02:48:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 19:56:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 19:58:36 - machine was rebooted
.
--- E O F ---

AND NOW HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:01 p.m., on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
D:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xtra Help Assistant\bin\McciTrayApp.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\asrsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Garmin\gStart.exe
D:\Program Files\12Ghosts\12wash.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aanet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {eb421f56-f341-ac4a-1684-4ace69c0dd19} - {91dd0c96-eca4-4861-a4ca-143f65f124be} - C:\WINDOWS\system32\urtuenut.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [tcnzTrayApp] "C:\Program Files\Xtra Help Assistant\bin\McciTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [844ef200] rundll32.exe "C:\WINDOWS\system32\gwnwtwdx.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MilShieldSlave] "C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] D:\Garmin\gStart.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011
O4 - Startup: 12Ghosts Wash.lnk = D:\Program Files\12Ghosts\12wash.exe
O4 - Global Startup: Xtra Help Assistant.lnk = C:\Program Files\Xtra Help Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://aanet
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MilShieldCleaner - Unknown owner - C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe

--
End of file - 7288 bytes

I wonder how on earth lesser mortals get through this? :thumbsup:

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 15 November 2007 - 09:04 AM

Copy and paste ALL the following text (in the Quote box below) into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\SYSTEM32\obchaaht.exe
C:\WINDOWS\SYSTEM32\gwnwtwdx.dll
C:\WINDOWS\SYSTEM32\urtuenut.dll
C:\WINDOWS\SYSTEM32\sutvcvfe.exe
C:\WINDOWS\SYSTEM32\vnahfkob.dll
C:\WINDOWS\SYSTEM32\pkcthstl.exe
C:\WINDOWS\SYSTEM32\iliucohy.dll
C:\WINDOWS\SYSTEM32\sgmtqekw.exe
C:\WINDOWS\SYSTEM32\ggsfmunq.dll
C:\WINDOWS\SYSTEM32\ssyafgwu.exe
C:\WINDOWS\SYSTEM32\drfsrtqq.dll
C:\WINDOWS\SYSTEM32\pwyddxtd.dll
C:\WINDOWS\SYSTEM32\lmuqtjtc.exe
C:\WINDOWS\SYSTEM32\kkkssibm.dll
C:\WINDOWS\SYSTEM32\xsnnnacm.exe
C:\WINDOWS\SYSTEM32\opkkvcet.dll
C:\WINDOWS\SYSTEM32\hmepqduc.exe
C:\WINDOWS\SYSTEM32\fycphaku.dll
C:\WINDOWS\SYSTEM32\uwvaeoon.dll
C:\WINDOWS\SYSTEM32\ksswesbj.exe
C:\WINDOWS\SYSTEM32\qrvedsgb.dll
C:\WINDOWS\SYSTEM32\rcjgieem.dll
C:\WINDOWS\SYSTEM32\hcruvsph.exe
C:\WINDOWS\SYSTEM32\wdjqrpbr.dll
C:\WINDOWS\SYSTEM32\jpdxdagm.dll
C:\WINDOWS\SYSTEM32\ejnuhrul.exe
C:\WINDOWS\SYSTEM32\neddnriy.dll
C:\WINDOWS\SYSTEM32\gsghsudv.exe
C:\WINDOWS\SYSTEM32\ilieypth.dll
C:\WINDOWS\SYSTEM32\pvekkyfn.exe
C:\WINDOWS\SYSTEM32\tomdksuj.dll
C:\WINDOWS\SYSTEM32\plljbwqa.dll
C:\WINDOWS\SYSTEM32\knpsbuqa.exe
C:\WINDOWS\SYSTEM32\lejhqfwq.dll
C:\WINDOWS\SYSTEM32\slkgojxg.dll
C:\WINDOWS\SYSTEM32\jgdytwpa.exe
C:\WINDOWS\SYSTEM32\skstwqhj.dll
C:\WINDOWS\SYSTEM32\aeagmnnn.dll
C:\WINDOWS\SYSTEM32\ejfiiuak.exe
C:\WINDOWS\SYSTEM32\wdnbreke.dll
C:\WINDOWS\SYSTEM32\owakqllv.exe
C:\WINDOWS\SYSTEM32\xhdbnqme.dll
C:\WINDOWS\SYSTEM32\jvpwvyca.dll
C:\WINDOWS\SYSTEM32\hlsuimof.exe
C:\WINDOWS\SYSTEM32\ubafhjgm.dll
C:\WINDOWS\SYSTEM32\iktfyunk.exe
C:\WINDOWS\SYSTEM32\oispcmfl.dll
C:\WINDOWS\SYSTEM32\wacqwyib.dll
C:\WINDOWS\SYSTEM32\pjrrivlb.exe
C:\WINDOWS\SYSTEM32\twevexod.dll
C:\WINDOWS\SYSTEM32\tydkyshr.dll
C:\WINDOWS\SYSTEM32\jtlmvaor.dll
C:\WINDOWS\SYSTEM32\lwtowpgo.dll
C:\WINDOWS\SYSTEM32\sryfnsxr.dll
C:\WINDOWS\SYSTEM32\ysfqolys.dll
C:\WINDOWS\SYSTEM32\pasnmjle.dll
C:\WINDOWS\SYSTEM32\piwjxcob.dll
C:\WINDOWS\SYSTEM32\jlivxpct.dll
C:\WINDOWS\SYSTEM32\rripkidh.dll
C:\WINDOWS\SYSTEM32\pcokfxsy.dll
C:\WINDOWS\SYSTEM32\urqqqol.dll
C:\WINDOWS\SYSTEM32\yayvsqn.dll
C:\WINDOWS\SYSTEM32\efcyyvu.dll
C:\WINDOWS\SYSTEM32\khfgdbb.dll
C:\WINDOWS\SYSTEM32\iifdecy.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91dd0c96-eca4-4861-a4ca-143f65f124be}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"844ef200"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
Driver::
jfdcd

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

#5 St. Ouens (Topic Starter, Members, 12 posts)

Posted 15 November 2007 - 02:01 PM

Hi RichieUK

As per your instructions... the system rebooted, I entered my password and a series of messages came up, the first of which was
regt.cfexe - Application error
failed to initialize properly (0cx0000005) click OK to terminate

I waited to see if ComboFix would do anything (window sitting in the background)... and then eventually clicked OK. The message repeated several times, then ComboFix moved on a tad until the same message was received for
Find.exe
tree.com
regedit.exe

Clicked OK and eventually a log was produced (see below).
Ran HijackThis (abc.bat) and the log is provided at the bottom.

Hope this is OK.

ComboFix 07-11-08.3 - Mark 2007-11-16 7:36:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.835 [GMT 13:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\aeagmnnn.dll
C:\WINDOWS\SYSTEM32\drfsrtqq.dll
C:\WINDOWS\SYSTEM32\efcyyvu.dll
C:\WINDOWS\SYSTEM32\ejfiiuak.exe
C:\WINDOWS\SYSTEM32\ejnuhrul.exe
C:\WINDOWS\SYSTEM32\fycphaku.dll
C:\WINDOWS\SYSTEM32\ggsfmunq.dll
C:\WINDOWS\SYSTEM32\gsghsudv.exe
C:\WINDOWS\SYSTEM32\gwnwtwdx.dll
C:\WINDOWS\SYSTEM32\hcruvsph.exe
C:\WINDOWS\SYSTEM32\hlsuimof.exe
C:\WINDOWS\SYSTEM32\hmepqduc.exe
C:\WINDOWS\SYSTEM32\iifdecy.dll
C:\WINDOWS\SYSTEM32\iktfyunk.exe
C:\WINDOWS\SYSTEM32\ilieypth.dll
C:\WINDOWS\SYSTEM32\iliucohy.dll
C:\WINDOWS\SYSTEM32\jgdytwpa.exe
C:\WINDOWS\SYSTEM32\jlivxpct.dll
C:\WINDOWS\SYSTEM32\jpdxdagm.dll
C:\WINDOWS\SYSTEM32\jtlmvaor.dll
C:\WINDOWS\SYSTEM32\jvpwvyca.dll
C:\WINDOWS\SYSTEM32\khfgdbb.dll
C:\WINDOWS\SYSTEM32\kkkssibm.dll
C:\WINDOWS\SYSTEM32\knpsbuqa.exe
C:\WINDOWS\SYSTEM32\ksswesbj.exe
C:\WINDOWS\SYSTEM32\lejhqfwq.dll
C:\WINDOWS\SYSTEM32\lmuqtjtc.exe
C:\WINDOWS\SYSTEM32\lwtowpgo.dll
C:\WINDOWS\SYSTEM32\neddnriy.dll
C:\WINDOWS\SYSTEM32\obchaaht.exe
C:\WINDOWS\SYSTEM32\oispcmfl.dll
C:\WINDOWS\SYSTEM32\opkkvcet.dll
C:\WINDOWS\SYSTEM32\owakqllv.exe
C:\WINDOWS\SYSTEM32\pasnmjle.dll
C:\WINDOWS\SYSTEM32\pcokfxsy.dll
C:\WINDOWS\SYSTEM32\piwjxcob.dll
C:\WINDOWS\SYSTEM32\pjrrivlb.exe
C:\WINDOWS\SYSTEM32\pkcthstl.exe
C:\WINDOWS\SYSTEM32\plljbwqa.dll
C:\WINDOWS\SYSTEM32\pvekkyfn.exe
C:\WINDOWS\SYSTEM32\pwyddxtd.dll
C:\WINDOWS\SYSTEM32\qrvedsgb.dll
C:\WINDOWS\SYSTEM32\rcjgieem.dll
C:\WINDOWS\SYSTEM32\rripkidh.dll
C:\WINDOWS\SYSTEM32\sgmtqekw.exe
C:\WINDOWS\SYSTEM32\skstwqhj.dll
C:\WINDOWS\SYSTEM32\slkgojxg.dll
C:\WINDOWS\SYSTEM32\sryfnsxr.dll
C:\WINDOWS\SYSTEM32\ssyafgwu.exe
C:\WINDOWS\SYSTEM32\sutvcvfe.exe
C:\WINDOWS\SYSTEM32\tomdksuj.dll
C:\WINDOWS\SYSTEM32\twevexod.dll
C:\WINDOWS\SYSTEM32\tydkyshr.dll
C:\WINDOWS\SYSTEM32\ubafhjgm.dll
C:\WINDOWS\SYSTEM32\urqqqol.dll
C:\WINDOWS\SYSTEM32\urtuenut.dll
C:\WINDOWS\SYSTEM32\uwvaeoon.dll
C:\WINDOWS\SYSTEM32\vnahfkob.dll
C:\WINDOWS\SYSTEM32\wacqwyib.dll
C:\WINDOWS\SYSTEM32\wdjqrpbr.dll
C:\WINDOWS\SYSTEM32\wdnbreke.dll
C:\WINDOWS\SYSTEM32\xhdbnqme.dll
C:\WINDOWS\SYSTEM32\xsnnnacm.exe
C:\WINDOWS\SYSTEM32\yayvsqn.dll
C:\WINDOWS\SYSTEM32\ysfqolys.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\aeagmnnn.dll
C:\WINDOWS\SYSTEM32\drfsrtqq.dll
C:\WINDOWS\SYSTEM32\efcyyvu.dll
C:\WINDOWS\SYSTEM32\ejfiiuak.exe
C:\WINDOWS\SYSTEM32\ejnuhrul.exe
C:\WINDOWS\SYSTEM32\fycphaku.dll
C:\WINDOWS\SYSTEM32\ggsfmunq.dll
C:\WINDOWS\SYSTEM32\gsghsudv.exe
C:\WINDOWS\SYSTEM32\gwnwtwdx.dll
C:\WINDOWS\SYSTEM32\hcruvsph.exe
C:\WINDOWS\SYSTEM32\hlsuimof.exe
C:\WINDOWS\SYSTEM32\hmepqduc.exe
C:\WINDOWS\SYSTEM32\iifdecy.dll
C:\WINDOWS\SYSTEM32\iktfyunk.exe
C:\WINDOWS\SYSTEM32\ilieypth.dll
C:\WINDOWS\SYSTEM32\iliucohy.dll
C:\WINDOWS\SYSTEM32\jgdytwpa.exe
C:\WINDOWS\SYSTEM32\jlivxpct.dll
C:\WINDOWS\SYSTEM32\jpdxdagm.dll
C:\WINDOWS\SYSTEM32\jtlmvaor.dll
C:\WINDOWS\SYSTEM32\jvpwvyca.dll
C:\WINDOWS\SYSTEM32\khfgdbb.dll
C:\WINDOWS\SYSTEM32\kkkssibm.dll
C:\WINDOWS\SYSTEM32\knpsbuqa.exe
C:\WINDOWS\SYSTEM32\ksswesbj.exe
C:\WINDOWS\SYSTEM32\lejhqfwq.dll
C:\WINDOWS\SYSTEM32\lmuqtjtc.exe
C:\WINDOWS\SYSTEM32\lwtowpgo.dll
C:\WINDOWS\SYSTEM32\neddnriy.dll
C:\WINDOWS\SYSTEM32\obchaaht.exe
C:\WINDOWS\SYSTEM32\oispcmfl.dll
C:\WINDOWS\SYSTEM32\opkkvcet.dll
C:\WINDOWS\SYSTEM32\owakqllv.exe
C:\WINDOWS\SYSTEM32\pasnmjle.dll
C:\WINDOWS\SYSTEM32\pcokfxsy.dll
C:\WINDOWS\SYSTEM32\piwjxcob.dll
C:\WINDOWS\SYSTEM32\pjrrivlb.exe
C:\WINDOWS\SYSTEM32\pkcthstl.exe
C:\WINDOWS\SYSTEM32\plljbwqa.dll
C:\WINDOWS\SYSTEM32\pvekkyfn.exe
C:\WINDOWS\SYSTEM32\pwyddxtd.dll
C:\WINDOWS\SYSTEM32\qrvedsgb.dll
C:\WINDOWS\SYSTEM32\rcjgieem.dll
C:\WINDOWS\SYSTEM32\rripkidh.dll
C:\WINDOWS\SYSTEM32\sgmtqekw.exe
C:\WINDOWS\SYSTEM32\skstwqhj.dll
C:\WINDOWS\SYSTEM32\slkgojxg.dll
C:\WINDOWS\SYSTEM32\sryfnsxr.dll
C:\WINDOWS\SYSTEM32\ssyafgwu.exe
C:\WINDOWS\SYSTEM32\sutvcvfe.exe
C:\WINDOWS\SYSTEM32\tomdksuj.dll
C:\WINDOWS\SYSTEM32\twevexod.dll
C:\WINDOWS\SYSTEM32\tydkyshr.dll
C:\WINDOWS\SYSTEM32\ubafhjgm.dll
C:\WINDOWS\SYSTEM32\urqqqol.dll
C:\WINDOWS\SYSTEM32\urtuenut.dll
C:\WINDOWS\SYSTEM32\uwvaeoon.dll
C:\WINDOWS\SYSTEM32\vnahfkob.dll
C:\WINDOWS\SYSTEM32\wacqwyib.dll
C:\WINDOWS\SYSTEM32\wdjqrpbr.dll
C:\WINDOWS\SYSTEM32\wdnbreke.dll
C:\WINDOWS\SYSTEM32\xhdbnqme.dll
C:\WINDOWS\SYSTEM32\xsnnnacm.exe
C:\WINDOWS\SYSTEM32\yayvsqn.dll
C:\WINDOWS\SYSTEM32\ysfqolys.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_JFDCD
-------\jfdcd


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 19:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 23:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 20:23 <DIR> d-------- C:\Documents and Settings\Mark\.housecall6.6
2007-11-08 20:47 <DIR> d-------- C:\Documents and Settings\Mark\Shared
2007-11-08 20:47 <DIR> d-------- C:\Documents and Settings\Mark\Incomplete
2007-11-08 20:47 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\LimeWire
2007-11-08 20:46 <DIR> d-------- C:\Program Files\LimeWire
2007-11-08 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-08 19:44 <DIR> d-------- C:\Program Files\iPod
2007-11-08 08:27 <DIR> d-------- C:\VundoFix Backups
2007-11-03 16:08 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-31 18:49 10,752 -rahs---- C:\WINDOWS\SYSTEM32\asrsvc.exe
2007-10-29 07:15 <DIR> d-------- C:\Documents and Settings\Mark\ini
2007-10-29 07:15 <DIR> d-------- C:\Documents and Settings\Mark\data
2007-10-29 07:15 <DIR> d-------- C:\Documents and Settings\Mark\ani
2007-10-29 07:15 991,232 --a------ C:\Documents and Settings\Mark\Conquer.exe
2007-10-29 07:15 122,880 --a------ C:\Documents and Settings\Mark\Chat.dll
2007-10-29 07:15 114,688 --a------ C:\Documents and Settings\Mark\RoleView.dll
2007-10-29 07:15 102,400 --a------ C:\Documents and Settings\Mark\GameData.dll
2007-10-29 07:15 4 --a------ C:\Documents and Settings\Mark\version.dat
2007-10-29 06:58 <DIR> d-------- C:\Program Files\Conquer 2.0
2007-10-29 06:57 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\InstallShield
2007-10-28 20:44 <DIR> d-------- C:\Program Files\BitComet
2007-10-27 09:21 <DIR> d-------- C:\Program Files\TryMedia
2007-10-26 20:54 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-10-26 20:53 <DIR> d-------- C:\Program Files\AgeOfCastles_at

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 07:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-15 06:40 --------- d-----w C:\Program Files\Java
2007-11-14 06:07 --------- d-----w C:\Program Files\MSN Messenger
2007-11-08 06:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-06 18:18 --------- d-----w C:\Program Files\Google
2007-11-03 03:08 --------- d-----w C:\Program Files\Common Files\Real
2007-11-03 03:06 --------- d-----w C:\Program Files\Real
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-05 01:03 --------- d-----w C:\Program Files\Activision
2007-09-25 22:59 43,520 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2007-09-22 22:22 --------- d-----w C:\Program Files\Electronic Arts
2007-09-08 22:29 26,112 ----a-w C:\WINDOWS\SYSTEM32\GENMIDI.DLL
2007-09-08 22:29 14,848 ----a-w C:\WINDOWS\SYSTEM32\MIDIFILE.DLL
2007-09-03 07:26 64,872 -c--a-w C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2006-11-24 21:51 146 ----a-w C:\Program Files\UninstAP.wsu
2003-10-13 07:42 1,766,362 -c--a-w C:\Program Files\powergee.exe
2003-06-06 23:01 27 -c--a-w C:\Program Files\CUSTDATA.INI
2003-06-02 02:54 179 -c--a-w C:\Program Files\34490.12g
2003-06-02 01:47 1,672,778 -c--a-w C:\Program Files\12popup.exe
2002-01-16 01:46 134 ------w C:\Program Files\Wolapi.ini
2002-01-16 00:34 185,344 ------w C:\Program Files\PATCHW32.DLL
2002-01-15 22:27 286,796 ------w C:\Program Files\WOLAPI.dll
2001-11-29 18:53 73,728 ------w C:\Program Files\UnstllAP.exe
2001-11-29 18:53 118,784 ------w C:\Program Files\UninstAP.exe
2001-11-29 18:45 1,656 ------w C:\Program Files\UninstAP.loc
2001-10-25 01:18 65,536 ------w C:\Program Files\REGISTER.EXE
2001-10-22 22:52 73,728 ------w C:\Program Files\WOLBrowser.dll
2000-08-15 03:52 605 ------w C:\Program Files\NL.cfg
2000-08-15 03:52 39,608 ------w C:\Program Files\LAUNCHER.BMP
2000-08-15 03:52 37,742 ------w C:\Program Files\Wolapi.war
.

((((((((((((((((((((((((((((( snapshot@2007-11-15_19.57.41.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-15 06:33:42 51,932 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-11-15 18:44:49 51,932 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-11-15 06:33:42 338,258 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-11-15 18:44:49 338,258 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-11-15 18:40:44 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat
+ 2007-11-15 18:40:50 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_73c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-06-15 22:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-06-15 22:20]
"DiskeeperSystray"="D:\Program Files\Diskeeper\DkIcon.exe" [2006-10-04 12:38]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
"Application Layer Services"="asrsvc.exe" [2007-10-31 05:48 C:\WINDOWS\SYSTEM32\asrsvc.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-03 16:06]
"QuickTime Task"="D:\program files\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MilShieldSlave"="C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" [2007-01-23 22:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:56]
"gStart"="D:\Garmin\gStart.exe" [2007-03-05 00:08]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SWHelper"="C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^12Ghosts Popup-Killer.lnk]
backup=C:\WINDOWS\pss\12Ghosts Popup-Killer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^12Ghosts Tower.lnk]
backup=C:\WINDOWS\pss\12Ghosts Tower.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MilShieldSlave]
"C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
C:\Program Files\Razer\Copperhead\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"vsmon"=3 (0x3)
"SDPASVC"=2 (0x2)
"NVSvc"=2 (0x2)
"MilShieldCleaner"=2 (0x2)
"Diskeeper"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)

R3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
S1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
S3 AgilentUSBCam;E-Video DC-350 USB Camera;C:\WINDOWS\system32\DRIVERS\Atusbcam.sys
S3 PentaxUsb;PENTAX Optio E10 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
S3 PentaxVc;PENTAX Optio E10 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 02:48:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 07:51:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 7:52:34 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 19:58
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:42 a.m., on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
D:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\asrsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Garmin\gStart.exe
D:\Program Files\12Ghosts\12wash.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aanet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MilShieldSlave] "C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] D:\Garmin\gStart.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011
O4 - Startup: 12Ghosts Wash.lnk = D:\Program Files\12Ghosts\12wash.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://aanet
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MilShieldCleaner - Unknown owner - C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe

--
End of file - 6480 bytes

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 15 November 2007 - 02:53 PM

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Posted Image

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

Please run this online virus scan: Activescan, using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes,click the See Report button, then Save Report, and save it to your desktop.
Copy and paste the contents of that report in your next reply.

Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#7 St. Ouens

St. Ouens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:07 AM

Posted 16 November 2007 - 02:45 AM

Hi Richie

I'm having trouble invoking ActiveScan, so I'm going to post the SuperAntiSpyware log separately now.
(ActiveScan is suggesting a relaunch.)

Hey, I really appreciate what you're doing. How do I contribute?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/16/2007 at 08:21 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:03:52

Memory items scanned : 409
Memory threats detected : 0
Registry items scanned : 6376
Registry threats detected : 0
File items scanned : 58120
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Magnus\Cookies\magnus@bs.serving-sys[1].txt
C:\Documents and Settings\Magnus\Cookies\magnus@serving-sys[2].txt
C:\Documents and Settings\Magnus\Cookies\magnus@tripod[1].txt
C:\Documents and Settings\Magnus\Cookies\magnus@windowsmedia[1].txt

#8 St. Ouens

St. Ouens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:07 AM

Posted 16 November 2007 - 02:56 AM

Hi Richie
Unfortunately I can't get the Panda site to work; error messages follow. Tried 4 times so far.

Error on downloading ActiveScan
An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again.
Possible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc. Try again.

I'll log out and run HijackThis anyway.
Mark

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 16 November 2007 - 04:31 AM

Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1. General
2. System requirements
3. Start your scan, then click on 'Start scanning'.
The 'Internet Explorer - Security Warning' box will pop up; click on 'Install'.
Read the Licence Agreement, then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options', make sure 'Scan whole system' is selected.
Under 'Other Scan Options', make sure the following are selected:
'Scan programs and documents'
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'

Then click on 'Start'.
The 'scanner components and databases' will then be downloaded; this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

#10 St. Ouens

St. Ouens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:07 AM

Posted 16 November 2007 - 12:49 PM

Hi Richie
Here's the F Secure Report
Mark


Scanning Report
Saturday, November 17, 2007 01:04:59 - 06:46:26

Computer name: D78FF61S
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
Result: 6 malware found
Backdoor.Win32.IRCBot.ans (virus)

* C:\WINDOWS\SYSTEM32\asrsvc.exe (Renamed & Submitted)
* C:\Documents and Settings\Mark\.housecall6.6\Quarantine\image25(1).zip.bac_a00980 (Renamed & Submitted)
* C:\Documents and Settings\Mark\.housecall6.6\Quarantine\image25.zip.bac_a00980 (Renamed & Submitted)

Vundo.gen38 (virus)

* C:\WINDOWS\SYSTEM32\aaseptek.ini (Submitted)
* C:\WINDOWS\SYSTEM32\lljyhfrf.ini (Submitted)
* C:\WINDOWS\SYSTEM32\qwfqhjel.ini (Submitted)

Statistics
Scanned:

* Files: 269136
* System: 5352
* Not scanned: 248

Actions:

* Disinfected: 0
* Renamed: 3
* Deleted: 0
* None: 3
* Submitted: 6

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\MEMORY.DMP
* C:\WINDOWS\TEMP\PERFLIB_PERFDATA_558.DAT
* C:\WINDOWS\TEMP\PERFLIB_PERFDATA_734.DAT
* C:\WINDOWS\TEMP\_AVAST4_\WEBSHLOCK.TXT
* C:\WINDOWS\SYSTEM32\BIOS1.ROM
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
* C:\WINDOWS\.MPR_FILE_STORE_32\MAIN_FILE_CACHE.DAT
* C:\WINDOWS\.MPR_FILE_STORE_32\VANHAT\MAIN_FILE_CACHE.DAT
* C:\WINDOWS\.FILE_STORE_32\MAIN_FILE_CACHE.DAT
* C:\WINDOWS\.FILE_STORE_32\RUNESCAPE\MAIN_FILE_CACHE.DAT2
* C:\PROGRAM FILES\MOPARSCAPE\HYBRIDSCAPE\DATA\SELLABLE.DAT
* C:\PROGRAM FILES\MOPARSCAPE\HYBRIDSCAPE\DATA\TRADEABLE.DAT
* C:\PROGRAM FILES\MOPARSCAPE\HYBRIDSCAPE\DATA\TWOHANDED.DAT
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA8\PHOTOALBUM\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA8\EXPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA8\CHARACTERS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA7\PHOTOALBUM\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA7\EXPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA7\CHARACTERS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA6\PHOTOALBUM\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA6\EXPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA6\CHARACTERS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\PHOTOALBUM\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\IMPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\EXPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\TEMPLATEUSERDATA\PHOTOALBUM\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\TEMPLATEUSERDATA\EXPORT\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\TEMPLATEUSERDATA\CHARACTERS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\SCENARIO.TDS
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\WALLS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\USEROBJECTS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\SKINS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\FLOORS\_
* C:\PROGRAM FILES\MAXIS\THE SIMS\DOWNLOADS\_
* C:\PROGRAM FILES\INSTALLSHIELD INSTALLATION INFORMATION\{AECEF61B-4916-4E54-9ED5-6F4CBDAE2048}\SETUP.ILG
* C:\PROGRAM FILES\INSTALLSHIELD INSTALLATION INFORMATION\{467C31E0-4A6E-11D5-B200-0000B4BA8CAF}\SETUP.ILG
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\SNOWMAN\SNOWMAN1.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\ITEM\CH-TREE04-01.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\ITEM\CH-TREE04-02.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\ITEM\CH-TREE06-01.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\ITEM\CH-TREE06-02.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH03-01.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH03-02.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH03-03.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH04-01.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH04-02.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH04-03.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH04-04.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH04-05.MSK
* C:\PROGRAM FILES\CONQUER 2.0\DATA\MAP\SCENE\HOUSE\NH04-06.MSK
* C:\I386\BIOS1.ROM
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\MARK\NTUSER.DAT
* C:\DOCG'�YM�s2(��ACKUP\AUTOMATIC BACKUP[17].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[18].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[19].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[1].RMB
* D:\PROGRA�LS�s2�� MECHANIC\BACKUP\AUTOMATIC BACKUP[20].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[21].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[22].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[23].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[24].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[25].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[2].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[3].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[4].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[5].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[6].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[7].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[8].RMB
* D:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[9].RMB
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32110.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32111.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32112.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32113.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32114.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32115.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32116.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32117.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32118.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32119.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32120.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32121.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32161.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32162.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32163.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32165.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32166.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32168.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32169.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32170.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32171.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32172.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32173.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32174.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32175.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32176.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32177.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32179.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32180.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32181.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32182.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32183.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32184.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32185.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32186.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32187.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32188.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32189.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32190.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32191.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32192.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32193.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32194.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32195.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32196.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32197.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32198.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32199.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32201.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32202.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32203.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32204.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32205.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32206.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32207.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32208.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32209.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32210.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32212.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32213.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32214.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32215.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32216.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32217.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32218.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32219.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32220.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32221.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32222.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32223.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32224.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32225.STR
* D:\PROGRAM FILES\MICROSOFT KIDS\MSB RAINFOREST\SYSTEM\USER\BD32226.STR
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA8\PHOTOALBUM\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA8\EXPORT\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA8\CHARACTERS\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA7\PHOTOALBUM\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA7\EXPORT\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA7\CHARACTERS\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA6\PHOTOALBUM\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA6\EXPORT\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA6\CHARACTERS\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\PHOTOALBUM\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\IMPORT\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\USERDATA\EXPORT\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\TEMPLATEUSERDATA\PHOTOALBUM\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\TEMPLATEUSERDATA\EXPORT\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\TEMPLATEUSERDATA\CHARACTERS\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\SCENARIO.TDS
* D:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\WALLS\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\USEROBJECTS\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\GAMEDATA\FLOORS\_
* D:\PROGRAM FILES\MAXIS\THE SIMS\DOWNLOADS\_
* D:\MY PICTURES\MY PICTURES\CHILDREN\ELEANOR\MODELLING\MODEL 3.JPG
* D:\MY PICTURES\MY PICTURES\CHILDREN\ELEANOR\MODELLING\MODEL6.JPG
* D:\MY PICTURES\MY PICTURES\CHILDREN\ELEANOR\MODELLING\MODEL7.JPG
* data\map\scene\house\Nh03-01.MSK
* data\map\scene\house\Nh03-02.MSK
* data\map\scene\house\Nh03-03.MSK
* data\map\scene\house\Nh04-01.MSK
* data\map\scene\house\Nh04-02.MSK
* data\map\scene\house\Nh04-03.MSK
* data\map\scene\house\Nh04-04.MSK
* data\map\scene\house\Nh04-05.MSK
* data\map\scene\house\Nh04-06.MSK
* D:\GAMES\CONQUER\DATA\MAP\SCENE\HOUSE\NH03-01.MSK
* D:\GAMES\CONQUER\DATA\MAP\SCENE\HOUSE\NH03-02.MSK

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-11-15
* F-Secure AVP: 7.0.171, 2007-11-16
* F-Secure Orion: 1.2.37, 2007-11-16
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Pegasus: 1.19.0, 2007-10-15

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics


#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 16 November 2007 - 01:18 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\SYSTEM32\aaseptek.ini
C:\WINDOWS\SYSTEM32\lljyhfrf.ini
C:\WINDOWS\SYSTEM32\qwfqhjel.ini

Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red MoveIt! button.

Copy everything in the 'Results' window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine, choose Yes.

Also post a new HijackThis log, and let me know how your pc is running now.
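As an added example that is not part of the original thread and is not OTMoveIt's own code, the Python below does what the procedure above does: it moves each listed file out of its original location under a suffix nothing will execute (the F-Secure report above shows the same idea when it marks asrsvc.exe as 'Renamed'), records the original path and the file's MD5 and SHA-256 in a manifest so the move can be reversed and the hash compared with what an online multi-engine scanner reports, and reports any file that could not be moved because it is locked or in use. The `.vir` suffix, the manifest layout and the sample file names are this example's assumptions.

```python
"""Quarantine files the way a move-it tool does: move each file out of its
original location under a neutralised name, record where it came from and
its hashes, and report anything that could not be moved right now."""
from __future__ import annotations

import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

QUARANTINE_SUFFIX = ".vir"  # assumed suffix; not an extension Windows executes or loads


def file_hashes(path: Path) -> dict[str, str]:
    """MD5 and SHA-256 of a file; the MD5 is what a multi-engine scanner reports."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def quarantine(paths, qdir: Path) -> dict[str, list[str]]:
    """Move `paths` into `qdir` and append each move to qdir/manifest.json.

    Returns which paths were moved, which are pending (locked or in use, so a
    real tool would finish the move at the next reboot) and which were missing.
    """
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest_path = qdir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else []
    result: dict[str, list[str]] = {"moved": [], "pending": [], "missing": []}
    for src in map(Path, paths):
        if not src.is_file():
            result["missing"].append(str(src))
            continue
        dest = qdir / (src.name + QUARANTINE_SUFFIX)
        n = 1
        while dest.exists():  # keep earlier captures of a same-named file
            dest = qdir / f"{src.name}.{n}{QUARANTINE_SUFFIX}"
            n += 1
        try:
            # Hash before moving: a file that cannot be read cannot be moved either
            entry = {"original": str(src), "quarantined_as": str(dest),
                     "taken": datetime.now(timezone.utc).isoformat(), **file_hashes(src)}
            shutil.move(str(src), str(dest))
        except OSError:
            result["pending"].append(str(src))
            continue
        manifest.append(entry)
        result["moved"].append(str(src))
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return result


if __name__ == "__main__":
    # Constructed sample: the three .ini files listed in the post above
    targets = [Path(r"C:\WINDOWS\SYSTEM32") / n
               for n in ("aaseptek.ini", "lljyhfrf.ini", "qwfqhjel.ini")]
    print(json.dumps(quarantine(targets, Path("quarantine")), indent=2))
```

The manifest is what makes the quarantine reversible: a false positive can be put back by its recorded original path, and the recorded MD5 can be checked against the hash a scanner prints for the same sample without re-uploading the file.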

#12 St. Ouens

St. Ouens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:07 AM

Posted 16 November 2007 - 01:29 PM

Move It Results below
I'll close out of browsers and run hijack and post results in next log
Mark


C:\WINDOWS\SYSTEM32\aaseptek.ini moved successfully.
C:\WINDOWS\SYSTEM32\lljyhfrf.ini moved successfully.
C:\WINDOWS\SYSTEM32\qwfqhjel.ini moved successfully.

Created on 11/17/2007 07:27:42

#13 St. Ouens

St. Ouens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:07 AM

Posted 16 November 2007 - 01:35 PM

Hi Richie

HijackThis Log shown below

PC seems to be running OK, i.e. no evidence of the earlier pop-ups associated with Virtumonde.

If we're getting close, then can you indicate recommended anti-malware programmes I should have, if other than the current Ad-Aware, Spybot and Avast? We've used a whole suite of programmes that are new to me.
Mark


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:38 a.m., on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
D:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\asrsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Garmin\gStart.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\12Ghosts\12wash.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\Program Files\Thomson\SpeedTouch USB\stdialup.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aanet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MilShieldSlave] "C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] D:\Garmin\gStart.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011
O4 - Startup: 12Ghosts Wash.lnk = D:\Program Files\12Ghosts\12wash.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://aanet
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MilShieldCleaner - Unknown owner - C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe

--
End of file - 6589 bytes
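The fix list in post #6 and the asrsvc.exe question that follows were built by reading the log by hand for two patterns: entries whose referenced file no longer exists, and a Run value that names a bare executable instead of a full path. As an added example, not part of the original thread and not HijackThis code, the Python below makes that first pass over constructed sample lines copied from the log above; the process list, the regular expression and the `HOST_BINARIES` allowlist are this example's assumptions.

```python
"""Triage a HijackThis-style log: flag entries whose target file is missing and
Run values that name a bare executable instead of a full path."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modelled on the log in this thread (not a full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed "Running processes" sample from the same log.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\asrsvc.exe",
]

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# System hosts that legitimately appear as a bare name; what they load is what matters.
HOST_BINARIES = {"rundll32.exe"}
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def command_target(cmd: str) -> str:
    """Return the file a Run value actually executes or, for rundll32, loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            end = len(cmd)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    if ntpath.basename(exe).lower() in HOST_BINARIES:
        # rundll32 <dll>,<entry>: the DLL is the real target
        exe = rest.strip().split(",", 1)[0].strip('"')
    return exe


def triage(log_text: str, processes=()) -> list[Finding]:
    """Return entries worth a closer look.

    Orphans are candidates for removal, not proof of infection (a stale .NET
    service entry is harmless). A bare-name Run value is resolved through the
    search path at logon, so the log alone does not say which file ran; the
    process list is used to report which copy is actually running.
    """
    running = {ntpath.basename(p).lower(): p for p in processes}
    findings: list[Finding] = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        kind = line.split(" ", 1)[0]
        if kind in {"O2", "O9", "O23"} and any(m in line for m in ORPHAN_MARKERS):
            findings.append(Finding(line, "orphaned entry: referenced file is missing"))
            continue
        m = RUN_RE.match(line)
        if m is None:
            continue
        target = command_target(m.group("cmd"))
        if ntpath.dirname(target):
            continue  # full path given; nothing left to resolve
        reason = "bare file name in Run value; resolved through the search path at logon"
        if target.lower() in running:
            reason += f"; the running copy is {running[target.lower()]}"
        findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_PROCESSES):
        print(f"{f.reason}\n    {f.line}")
```

On the sample this reports the orphaned O2 and O9 entries from the fix list, the asrsvc.exe Run value together with the system32 copy that is running, and the stale aspnet_state service as a low-priority orphan; the NVIDIA rundll32 entry is left alone because the DLL it loads is given with a full path.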

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 16 November 2007 - 01:40 PM

Enable the viewing of hidden files and folders, and reverse the process when you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

I need you to do the following if you will:

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\asrsvc.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\asrsvc.exe
Then click on 'Send File'.
Post the results into your next reply.

#15 St. Ouens

St. Ouens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:07 AM

Posted 16 November 2007 - 02:12 PM

Here you go. Can you read the results OK? The formatting is not easy.

The file you asked me to browse to only showed up with a .0xe suffix, not .exe.




File: asrsvc.0xe
Status: INFECTED/MALWARE
MD5: 676a5cf6d42e78f3aaa4aec108879530
Packers detected: -
Bit9 reports: File not found
Scan taken on 16 Nov 2007 19:05:33 (GMT)

Scanner results:
A-Squared: Found Backdoor.Win32.IRCBot.ans
AntiVir: Found TR/Crypt.ULPM.Gen
ArcaVir: Found Trojan.Ircbot.Ans
Avast: Found nothing
AVG Antivirus: Found BackDoor.Ircbot.BYX
BitDefender: Found Trojan.Peed.Gen
ClamAV: Found Trojan.IRCBot-1226
CPsecure: Found BackDoor.W32.IRCBot.ans
Dr.Web: Found BackDoor.IRC.Tiny
F-Prot Antivirus: Found Possibly a new variant of W32/Threat-HLLSI-based!Maximus
F-Secure Anti-Virus: Found IM-Worm:W32/Opanki.BU, Backdoor.Win32.IRCBot.ans
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Backdoor.Win32.IRCBot.ans
NOD32: Found Win32/IRCBot.AAE
Norman Virus Control: Found W32/Malware.BETA
Panda Antivirus: Found W32/MSNWorm.AW.worm
Rising Antivirus: Found nothing
Sophos Antivirus: Found Mal/HckPk-A
VirusBuster: Found Backdoor.IRCBot.BJI
VBA32: Found Backdoor.Win32.IRCBot.ans



