

Was Infected With Virtumunde/winfixer


19 replies to this topic

#1 schale

schale

  • Members
  • 21 posts

Posted 16 November 2007 - 12:54 PM

I'm sure you all know how this virus behaves, but this virus got onto my computer from an ad on cnn.com. It was one of those ads that when you mouse-scroll over, you get a popup. I did not click anything on this page. The ad popped up, then started executing command prompts immediately. I then shut down my cpu immediately. (using Firefox btw)


Some strange behaviors of this virus are as follows:
1) In safe mode, the virus replicates itself, executes command files and installs programs
2) When the directions for virus removal below were followed, the virus deleted 3rd-party free software programs such as HijackThis and Spybot S&D. I had to rename hijackthis.exe to scanner.exe, as explained here by quietman7

Important: Some variants of vundo malware will hide certain entries in a hijackthis log to prevent detection so you need to rename HijackThis before using it.

* After installing HijackThis, open My Computer or Windows Explorer and navigate to the HijackThis Folder.
* Inside the folder, right-click on the HijackThis.exe file and rename it Scanner.exe.
* Double-click on Scanner.exe (which is still HijackThis), run a scan, save the logfile and copy/paste it into a new topic in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team

3) When I remove registry files that are associated with this file from antivirus scans, they reappear as I am looking at the registry.
4) When I try to combat this virus, it will remove the start menu bar, icons and desktop background and become a blank screen, as if I had turned off explorer.
5) It will also freeze the antivirus programs being run at that time.
6) There are random memory spikes from 4-100% out of nowhere.

It took several days to be able to post this HijackThis log, and I am very sorry if I misplaced it. I was trying to deal with this, as it has set our server and office back this entire week.


Here are the procedures that our office took to try and remove this virus:

1) The virus then began to pop up advertising and it also installed several fake antivirus programs on the desktop. I followed all instructions on your site located here: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

2) I then followed these directions.
http://www.bleepingcomputer.com/forums/t/18610/how-to-remove-winfixer-virtumonde-msevents-trojanvundob/

3) I also tried removing the virus with the Symantec Virtumundo removal tool.

4) We use Trend Micro Client Server for SMB on the server. This virus went right through this software. I spoke with Trend Micro and they sent me some files to execute to remove this virus.

5) This software they sent did not work.

6) I was contacted this morning and did a browser-sharing session with a technician, and he spent a good 2.5 hours on my cpu trying to fix it. It appears that everything is working better now. I don't want to speak too soon, but I am posting this HijackThis log in hopes that someone can analyze it and let me know if it looks clean.

Once again, thanks bleepingcomputer.com for your help in advance. I really appreciate the time you guys take to help people when it isn't necessary. Your value is much appreciated. I apologize if I placed anything in the wrong spot. I thought I did everything correctly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:51 PM, on 11/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINNT\TEMP\KJDD77.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Pop3Trap.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\SoftwareDistribution\Download\7faa20141bc4ad5220fecb127aa30d39\update\update.exe
C:\Documents and Settings\dante.cornish\Desktop\HijackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Outlook Express Monitor.lnk = C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server01:4343/officescan/console/Cl...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class)
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) -
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsla.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsla.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mtsla.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

--
End of file - 5133 bytes
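The log above is the kind of thing the helpers in this forum read by eye: the process list for executables running from odd places, the O4 autostarts, and the O23 services. As an added example (not HijackThis code, and not something either poster ran), the following Python script parses those two parts of a HijackThis log and flags the patterns a reviewer looks for first. The sample log is constructed from lines on this page; the O4 line for "07d10cbe" is rebuilt from the msconfig entry in the ComboFix log later in the thread so that the rundll32 check has something to find. The "random-looking DLL name" heuristic (an 8-letter lowercase stem) is this example's own assumption, not a HijackThis rule.

```python
"""
Triage helper for a HijackThis-style log (added example, not HijackThis code).

It parses the "Running processes" list and the O4/O23 scan entries and flags:
  * a running process whose image lives under a TEMP directory
  * an O4 autostart that loads a DLL through rundll32 under a random-looking
    name (assumption: an 8-letter lowercase stem)
  * an O23 service whose file is missing, or whose owner is unknown

Flags are review prompts, not verdicts: "Unknown owner" is common for
legitimate software, as the Netropa and Adobe services in this thread show.
"""
import re
from dataclasses import dataclass

# Constructed sample: copied from the log in this thread, plus one O4 line
# rebuilt from the ComboFix msconfig entry "rundll32.exe ...\jqqebqmf.dll,b".
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\TEMP\KJDD77.EXE
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [07d10cbe] rundll32.exe C:\WINNT\system32\jqqebqmf.dll,b
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll)", re.IGNORECASE)
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")          # R0, O4, O23, ... scan entries
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")       # assumption: 8 random lowercase letters


@dataclass
class Finding:
    kind: str
    line: str


def parse_log(text):
    """Split a HijackThis log into (running processes, scan entries)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # the process list ends at the blank line
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def triage(text):
    """Return the Finding objects for one log, in log order."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        if TEMP_DIR_RE.search(proc):
            findings.append(Finding("process-from-temp", proc))
    for entry in entries:
        if entry.startswith("O4 "):
            m = RUNDLL_RE.search(entry)
            if m:
                stem = m.group("dll").rsplit("\\", 1)[-1][:-4]   # drop path and ".dll"
                if RANDOM_STEM_RE.match(stem):
                    findings.append(Finding("rundll32-random-dll", entry))
        elif entry.startswith("O23 "):
            if "(file missing)" in entry:
                findings.append(Finding("service-file-missing", entry))
            elif "Unknown owner" in entry:
                findings.append(Finding("service-unknown-owner", entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.line}")
```

Run against the sample it reports the TEMP executable, the rundll32 autostart and the missing-file service; the NVIDIA entries pass. A real review still checks every flagged path against what the machine is supposed to have installed.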


#2 schale

schale
  • Topic Starter

  • Members
  • 21 posts

Posted 16 November 2007 - 03:54 PM

ttt

#3 schale

schale
  • Topic Starter

  • Members
  • 21 posts

Posted 19 November 2007 - 11:22 AM

Anyone?

#4 schale

schale
  • Topic Starter

  • Members
  • 21 posts

Posted 26 November 2007 - 09:00 AM

???

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 27 November 2007 - 11:53 AM

  • Download Combofix to your desktop.

  • Double-click combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new HijackThis log.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.

#6 schale

schale
  • Topic Starter

  • Members
  • 21 posts

Posted 27 November 2007 - 05:05 PM

ComboFix 07-11-19.4 - xxxxxx 11/27/2007 16:38:47.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.281 [GMT -5:00]
Running from: \\server01\users\user.server\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\user~1.COR\FAVORI~1\Online Security Guide.lnk
C:\Documents and Settings\administrator.MTSLA\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\user.server\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINNT\system32\f1
C:\WINNT\system32\h2
C:\WINNT\system32\m1
C:\WINNT\system32\pac.txt
C:\WINNT\system32\q8
C:\WINNT\system32\r2
C:\WINNT\system32\r2\revdrive33b.exe
C:\WINNT\system32\tvmactdq.dllbox
C:\WINNT\system32\yamaztpq.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-26 15:50 1,156 --a------ C:\WINNT\mozver.dat
2007-11-26 13:19 <DIR> d-------- C:\Documents and Settings\user.server\.SunDownloadManager
2007-11-26 13:18 <DIR> d-------- C:\Program Files\SDM20
2007-11-26 11:54 106,544 --a------ C:\WINNT\SYSTEM32\TWEAKUI.CPL
2007-11-19 11:52 49,152 --a------ C:\WINNT\SYSTEM32\Defrag.exe
2007-11-19 10:11 380,957 --a------ C:\WINNT\SYSTEM32\expsrv.dll
2007-11-19 10:10 30,749 --a------ C:\WINNT\SYSTEM32\vbajet32.dll
2007-11-16 13:54 <DIR> d-------- C:\Program Files\MetaStream
2007-11-16 12:02 <DIR> d-------- C:\Program Files\Open Field Software
2007-11-16 10:50 <DIR> d-------- C:\Documents and Settings\user.server\Application Data\SUPERAntiSpyware.com
2007-11-16 10:50 <DIR> d-------- C:\DOCUME~1\user~1.COR\APPLIC~1\SUPERAntiSpyware.com
2007-11-16 09:08 <DIR> d-------- C:\Documents and Settings\user.server\Application Data\webex
2007-11-16 09:08 <DIR> d-------- C:\DOCUME~1\user~1.COR\APPLIC~1\webex
2007-11-16 09:08 51,304 --a------ C:\WINNT\SYSTEM32\DRIVERS\atnt40k.sys
2007-11-15 11:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-15 11:04 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\Application Data\SUPERAntiSpyware.com
2007-11-15 11:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-11-14 13:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-11-14 12:19 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\Application Data\Lavasoft
2007-11-14 12:09 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\Application Data\pdf995
2007-11-14 11:55 <DIR> d-------- C:\VundoFix Backups
2007-11-14 10:08 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\.java
2007-11-14 09:53 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\Application Data\Symantec
2007-11-14 09:49 <DIR> d---s---- C:\Documents and Settings\administrator.MTSLA\UserData
2007-11-13 12:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Aim
2007-11-13 09:19 <DIR> d-------- C:\WINNT\SYSTEM32\rMa02yy
2007-11-13 09:19 <DIR> d-------- C:\TEMP\abW9
2007-11-02 07:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 14:08 202,826 ----a-w C:\WINNT\SYSTEM32\atasnt40.dll
2007-10-30 21:24 154,840 ----a-w C:\Documents and Settings\user.server\Application Data\GDIPFONTCACHEV1.DAT
2007-10-30 21:24 154,840 ----a-w C:\DOCUME~1\user~1.COR\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-10-26 21:47 --------- d-----w C:\Program Files\Trend Micro
2007-10-26 20:55 --------- d-----w C:\Documents and Settings\administrator.MTSLA\Application Data\AVG7
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\user.server\Application Data\AVG7
2007-10-12 20:11 --------- d-----w C:\DOCUME~1\user~1.COR\APPLIC~1\AVG7
2007-10-12 14:29 --------- d-----w C:\Program Files\uTorrent
2007-10-12 14:29 --------- d-----w C:\Documents and Settings\user.server\Application Data\uTorrent
2007-10-12 14:29 --------- d-----w C:\DOCUME~1\user~1.COR\APPLIC~1\uTorrent
2007-10-01 15:09 --------- d-----w C:\Documents and Settings\user.server\Application Data\tor
2007-10-01 15:09 --------- d-----w C:\DOCUME~1\user~1.COR\APPLIC~1\tor
2007-10-01 15:08 --------- d-----w C:\Program Files\Vidalia Bundle
2007-10-01 15:01 --------- d-----w C:\Program Files\Vidalia
2007-10-01 15:01 --------- d-----w C:\Documents and Settings\user.server\Application Data\Vidalia
2007-10-01 15:01 --------- d-----w C:\DOCUME~1\user~1.COR\APPLIC~1\Vidalia
2006-05-05 16:16 784 ----a-w C:\Documents and Settings\user.server\Application Data\mpauth.dat
2006-05-05 16:16 784 ----a-w C:\DOCUME~1\user~1.COR\APPLIC~1\mpauth.dat
2004-09-28 13:39 218,800 ----a-w C:\Documents and Settings\user.server\Application Data\tvmknwrd.dll
2004-09-28 13:39 218,800 ----a-w C:\DOCUME~1\user~1.COR\APPLIC~1\tvmknwrd.dll
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [07-08-26 02:02 ]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [01-05-08 07:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [03-05-15 19:41 ]
"NvMediaCenter"="RUNDLL32.exe" [01-05-08 07:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [07-03-29 08:10 ]
"Tweak UI"="RUNDLL32.exe" [01-05-08 07:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" []

C:\Documents and Settings\user.server\Start Menu\Programs\Startup\
Outlook Express Monitor.lnk - C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe [2004-01-21 08:13:34]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22]
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 09:30:54]

C:\DOCUME~1\user~1.COR\STARTM~1\Programs\Startup\
Outlook Express Monitor.lnk - C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe [2004-01-21 08:13:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^administrator.MTSLA^Start Menu^Programs^Startup^Camio Viewer 3.2.lnk]
path=C:\Documents and Settings\administrator.MTSLA\Start Menu\Programs\Startup\Camio Viewer 3.2.lnk
backup=C:\WINNT\pss\Camio Viewer 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Camio Viewer 3.2.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Camio Viewer 3.2.lnk
backup=C:\WINNT\pss\Camio Viewer 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINNT\pss\Microtek Scanner Finder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user.server^Start Menu^Programs^Startup^Camio Viewer 3.2.lnk]
path=C:\Documents and Settings\user.server\Start Menu\Programs\Startup\Camio Viewer 3.2.lnk
backup=C:\WINNT\pss\Camio Viewer 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user.server^Start Menu^Programs^Startup^Outlook Express Monitor.lnk]
path=C:\Documents and Settings\user.server\Start Menu\Programs\Startup\Outlook Express Monitor.lnk
backup=C:\WINNT\pss\Outlook Express Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\07d10cbe]
rundll32.exe C:\WINNT\system32\jqqebqmf.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
07-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Virus Update Scheduler]
C:\jp2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD50]
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe -r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWITOOLBOX]
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe -i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
01-07-09 10:50 155648 --a------ C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
04-11-11 20:50 212992 --a------ C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG -off

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 IntelATA;Intel Ultra ATA Controller;C:\WINNT\system32\DRIVERS\IntelAta.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R1 cmosa;cmosa;C:\WINNT\system32\DRIVERS\cmosa.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R2 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 Mxlsv0n5;Mxlsv0n5;C:\WINNT\system32\SPRESTRT.EXE
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S4 MsLS32;MsLS32;"C:\WINNT\MsLS32.exe"
S4 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 16:45:01
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 16:49:09 - machine was rebooted


All usernames changed to user.server or user.


Here is the HijackThis log.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:57 PM, on 11/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINNT\TEMP\SJ9022.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Pop3Trap.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\WINNT\system32\NOTEPAD.EXE
\server01\users\dante.cornish\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Outlook Express Monitor.lnk = C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server01:4343/officescan/console/Cl...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server01:4343/officescan/console/Cl...stall/setup.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1195480390484
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server01:4343/officescan/console/Cl.../RemoveCtrl.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://server01:4343/SMB/console/html/root/AtxEnc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsla.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsla.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mtsla.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

--
End of file - 5427 bytes


Thanks in advance. No popups, but the cpu is very slow now.

Symptoms
1) When you click Start or anything in Firefox, it takes about 10 seconds for anything to respond. The start menu doesn't come up for at least 10 secs to 5 mins.
2) When logging in, it takes at least 10-15 mins for every icon and start menu to load. The start menu will load immediately, but all icons and programs take 10-15 mins.
3) When typing, it pauses and will freeze for about 10 seconds, then type some of the words.
4) All programs or any buttons you can click have a delayed reaction.
5) When scrolling in Firefox, it freezes, then will jump a bit. Very slow, feels like dial-up.

I ran through some Windows 2000 optimization guides, so the Tweak UI file as well as Shoot the Messenger were added yesterday, but it doesn't seem to speed anything up.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.

I am sorry, I do not know what this is. I don't think I posted this.

Edited by schale, 27 November 2007 - 05:11 PM.


#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 27 November 2007 - 05:25 PM

You definitely have some infections still here. Some of these are backdoors, which means that we can clean your computer, but ultimately we do not know what has been changed or not. You can either reinstall your computer to be completely safe or we can continue cleaning your computer.

If you wish to continue cleaning the computer, please do the following:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\DOCUME~1\user~1.COR\APPLIC~1\tvmknwrd.dll
C:\WINNT\system32\jqqebqmf.dll
C:\jp2.exe

Folder::
C:\VundoFix Backups
C:\WINNT\SYSTEM32\rMa02yy
C:\TEMP\abW9

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\07d10cbe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Virus Update Scheduler]

Driver::
MsLS32


Save this as the txt file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
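The script in the reply above has a simple line-oriented shape: a section header ending in "::", followed by one target per line, with "[-KEY]" under Registry:: marking a key to delete. As an added example (not ComboFix code, and not anything from this thread's posters), the following Python reads such a script and prints a dry-run plan of what it asks for, which is a useful sanity check before handing a script to a tool that deletes things. It knows only the four section headers on this page; treating "[-KEY]" as a deletion is taken from the reply's usage, and the two "not plain text" checks that model the notepad-only requirement (a UTF-8 byte-order mark or an RTF header at the start of the file) are this example's own assumptions.

```python
"""
Parser and dry-run planner for a CFScript of the shape used in the reply above
(added example; not ComboFix code, and it applies nothing to the system).
"""

# Only the section headers that appear on this page (assumption: no others).
KNOWN_SECTIONS = ("File::", "Folder::", "Registry::", "Driver::")

# Constructed sample: the script from the reply above, verbatim.
SAMPLE_CFSCRIPT = r"""File::
C:\DOCUME~1\user~1.COR\APPLIC~1\tvmknwrd.dll
C:\WINNT\system32\jqqebqmf.dll
C:\jp2.exe

Folder::
C:\VundoFix Backups
C:\WINNT\SYSTEM32\rMa02yy
C:\TEMP\abW9

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\07d10cbe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Virus Update Scheduler]

Driver::
MsLS32
"""


class CFScriptError(ValueError):
    """Raised for a script that would not be read as intended."""


def parse_cfscript(text):
    """Return {section header: [entries]} for the sections present, in order."""
    # Assumption: a BOM or an RTF header means the file was not saved as plain
    # text from Notepad, which the reply says makes the script fail.
    if text.startswith("\ufeff") or text.lstrip().startswith("{\\rtf"):
        raise CFScriptError("not a plain-text file: save it from Notepad")
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            if line not in KNOWN_SECTIONS:
                raise CFScriptError(f"line {lineno}: unknown section header {line!r}")
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            raise CFScriptError(f"line {lineno}: entry before any section header")
        sections[current].append(line)
    return sections


def is_valid(text):
    """True if the script parses; False for any CFScriptError."""
    try:
        parse_cfscript(text)
        return True
    except CFScriptError:
        return False


def plan(text):
    """Dry-run summary: one 'verb target' string per entry, in script order."""
    verbs = {"File::": "delete file", "Folder::": "delete folder",
             "Registry::": "registry line", "Driver::": "remove driver"}
    out = []
    for header, entries in parse_cfscript(text).items():
        for entry in entries:
            verb, target = verbs[header], entry
            # "[-KEY]" under Registry:: is a key deletion (the reply's usage).
            if header == "Registry::" and entry.startswith("[-") and entry.endswith("]"):
                verb, target = "delete key", entry[2:-1]
            out.append(f"{verb:14}{target}")
    return out


if __name__ == "__main__":
    print("\n".join(plan(SAMPLE_CFSCRIPT)))
```

For the script above the plan lists three file deletions, three folder deletions, two registry key deletions and one driver removal, which is exactly what a reader should expect to see before running it; a misspelled header is reported instead of being silently ignored.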

#8 schale

schale
  • Topic Starter

  • Members
  • 21 posts

Posted 28 November 2007 - 09:11 AM

Great, thanks for the help. Will try this and post results.

OK, as I am running this ComboFix I get several errors.


Here they are:

1) Error Saving File. C:/qoobox/Hiv-backup/software
Regkey save: 1450

2) Runs.dat: No such file or directory

3) 'Dump Hive' is not recognized as an internal or external command.

4) C:/Winnt/erdnt/subs/software Regkey Save: 1450

5) c:/Winnt/erdnt/subs/F3M/software Regkey Save: 1450


Don't know if this is relevant but it did it the first time as well.

HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:32 AM, on 11/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINNT\TEMP\MS5A97.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Pop3Trap.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\notepad.exe
\server01\users\username\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Outlook Express Monitor.lnk = C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server01:4343/officescan/console/Cl...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server01:4343/officescan/console/Cl...stall/setup.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1195480390484
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server01:4343/officescan/console/Cl.../RemoveCtrl.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://server01:4343/SMB/console/html/root/AtxEnc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsla.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsla.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mtsla.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

--
End of file - 5213 bytes


Going to post the ComboFix log soon.

Edited by schale, 28 November 2007 - 09:37 AM.
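A triage helper for HijackThis logs like the one posted above, added as an example; it is not part of the thread and not HijackThis code. The sample log is constructed from the kinds of entries in that log, and the flag rules (a process running from a TEMP folder, an O23 service whose file is missing or whose owner is unknown) are assumptions about what a reviewer would want surfaced first, not a verdict that any entry is malicious.

```python
"""Triage a HijackThis log for the indicators discussed in this thread.

Added example, not part of the thread and not HijackThis code. The sample
log below is constructed from the kinds of entries in the log posted above.
The flag rules (a binary running from a TEMP folder, a service whose file is
missing, a service with no known owner) are assumptions about what deserves
a second look; a flag is a prompt for review, not a verdict of malice.
"""
import re

# Constructed sample in the layout of the posted log, trimmed to a few lines.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\TEMP\MS5A97.EXE
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
ENTRY = re.compile(r"^[A-Z]\d+ - ")
# O23 lines read: O23 - Service: <display name> - <owner> - <path>
SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its numbered entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            processes.append(line)
        elif in_processes:
            in_processes = False          # first blank line ends the process list
        elif ENTRY.match(line):
            entries.append(line)
    return processes, entries


def triage(text):
    """Return (reason, line) pairs a reviewer should look at first."""
    findings = []
    processes, entries = parse_hjt(text)
    for proc in processes:
        if TEMP_DIR.search(proc):
            findings.append(("process running from a temp folder", proc))
    for entry in entries:
        m = SERVICE.match(entry)
        if not m:
            continue
        if m.group("path").endswith("(file missing)"):
            findings.append(("service points at a missing file", entry))
        elif m.group("owner") == "Unknown owner":
            findings.append(("service has no known owner", entry))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```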


#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:37 AM

Posted 28 November 2007 - 11:18 AM

I need you to also post the C:\combofix.txt log file.

#10 schale

schale
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 28 November 2007 - 11:37 AM

Grinler, sorry, I was in the process of doing the scan.

ComboFix 07-11-19.4 - user.server 11/28/2007 10:00:44.3 - FAT32x86
Running from: \\server01\users\user.server\Downloads\ComboFix.exe
Command switches used :: \\server01\users\user.server\Downloads\CFScript.txt

FILE
C:\DOCUME~1\user~1.COR\APPLIC~1\tvmknwrd.dll
C:\jp2.exe
C:\WINNT\system32\jqqebqmf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\user~1.COR\APPLIC~1\tvmknwrd.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-26 15:50 1,156 --a------ C:\WINNT\mozver.dat
2007-11-26 13:19 <DIR> d-------- C:\Documents and Settings\user.server\.SunDownloadManager
2007-11-26 13:18 <DIR> d-------- C:\Program Files\SDM20
2007-11-26 11:54 106,544 --a------ C:\WINNT\SYSTEM32\TWEAKUI.CPL
2007-11-19 11:52 49,152 --a------ C:\WINNT\SYSTEM32\Defrag.exe
2007-11-19 10:11 380,957 --a------ C:\WINNT\SYSTEM32\expsrv.dll
2007-11-19 10:10 30,749 --a------ C:\WINNT\SYSTEM32\vbajet32.dll
2007-11-16 13:54 <DIR> d-------- C:\Program Files\MetaStream
2007-11-16 12:02 <DIR> d-------- C:\Program Files\Open Field Software
2007-11-16 10:50 <DIR> d-------- C:\Documents and Settings\user.server\Application Data\SUPERAntiSpyware.com
2007-11-16 09:08 <DIR> d-------- C:\Documents and Settings\user.server\Application Data\webex
2007-11-16 09:08 51,304 --a------ C:\WINNT\SYSTEM32\DRIVERS\atnt40k.sys
2007-11-15 11:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-15 11:04 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\Application Data\SUPERAntiSpyware.com
2007-11-15 11:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-11-14 13:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-11-14 12:19 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\Application Data\Lavasoft
2007-11-14 12:09 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\Application Data\pdf995
2007-11-14 10:08 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\.java
2007-11-14 09:53 <DIR> d-------- C:\Documents and Settings\administrator.MTSLA\Application Data\Symantec
2007-11-14 09:49 <DIR> d---s---- C:\Documents and Settings\administrator.MTSLA\UserData
2007-11-13 12:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Aim
2007-11-02 07:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 14:08 202,826 ----a-w C:\WINNT\SYSTEM32\atasnt40.dll
2007-10-30 21:24 154,840 ----a-w C:\Documents and Settings\user.server\Application Data\GDIPFONTCACHEV1.DAT
2007-10-26 21:47 --------- d-----w C:\Program Files\Trend Micro
2007-10-26 20:55 --------- d-----w C:\Documents and Settings\administrator.MTSLA\Application Data\AVG7
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\user.server\Application Data\AVG7
2007-10-12 14:29 --------- d-----w C:\Program Files\uTorrent
2007-10-12 14:29 --------- d-----w C:\Documents and Settings\user.server\Application Data\uTorrent
2007-10-01 15:09 --------- d-----w C:\Documents and Settings\user.server\Application Data\tor
2007-10-01 15:08 --------- d-----w C:\Program Files\Vidalia Bundle
2007-10-01 15:01 --------- d-----w C:\Program Files\Vidalia
2007-10-01 15:01 --------- d-----w C:\Documents and Settings\user.server\Application Data\Vidalia
2006-05-05 16:16 784 ----a-w C:\Documents and Settings\user.server\Application Data\mpauth.dat
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
.

((((((((((((((((((((((((((((( snapshot@Tue 2007-11-27_16.47.35.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 15:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
+ 2007-03-13 15:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\F3M\ERDNT.EXE
+ 2007-03-29 13:10:02 214,712 ----a-w C:\WINNT\Temp\SVC304.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [01-05-08 07:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [03-05-15 19:41 ]
"NvMediaCenter"="RUNDLL32.exe" [01-05-08 07:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [07-03-29 08:10 ]
"Tweak UI"="RUNDLL32.exe" [01-05-08 07:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" []

C:\Documents and Settings\user.server\Start Menu\Programs\Startup\
Outlook Express Monitor.lnk - C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe [2004-01-21 08:13:34]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^administrator.MTSLA^Start Menu^Programs^Startup^Camio Viewer 3.2.lnk]
path=C:\Documents and Settings\administrator.MTSLA\Start Menu\Programs\Startup\Camio Viewer 3.2.lnk
backup=C:\WINNT\pss\Camio Viewer 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Camio Viewer 3.2.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Camio Viewer 3.2.lnk
backup=C:\WINNT\pss\Camio Viewer 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINNT\pss\Microtek Scanner Finder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=C:\WINNT\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user.server^Start Menu^Programs^Startup^Camio Viewer 3.2.lnk]
path=C:\Documents and Settings\user.server\Start Menu\Programs\Startup\Camio Viewer 3.2.lnk
backup=C:\WINNT\pss\Camio Viewer 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user.server^Start Menu^Programs^Startup^Outlook Express Monitor.lnk]
path=C:\Documents and Settings\user.server\Start Menu\Programs\Startup\Outlook Express Monitor.lnk
backup=C:\WINNT\pss\Outlook Express Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
07-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD50]
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe -r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWITOOLBOX]
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe -i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
01-07-09 10:50 155648 --a------ C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
04-11-11 20:50 212992 --a------ C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG -off

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
07-08-26 02:02 11852288 --a------ C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 IntelATA;Intel Ultra ATA Controller;C:\WINNT\system32\DRIVERS\IntelAta.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R1 cmosa;cmosa;C:\WINNT\system32\DRIVERS\cmosa.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R2 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 Mxlsv0n5;Mxlsv0n5;C:\WINNT\system32\SPRESTRT.EXE
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S4 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 11:17:15
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 11:29:09 - machine was rebooted
C:\ComboFix2.txt ... 07-11-28 09:29
C:\ComboFix3.txt ... 07-11-27 16:49
.
--- E O F ---


One thing I forgot to mention: Defrag and some system tools are not working anymore. I had to take defrag.exe off another cpu and paste it into the WINNT folder.
Also, when I try to add/remove Windows system files to try and fix any components, it has an error loading any files that add/remove these components.

Edited by schale, 28 November 2007 - 11:40 AM.


#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:37 AM

Posted 28 November 2007 - 11:43 AM

Well, the logs look clean now. When you said defrag didn't work, what do you mean? Do you get an error?

#12 schale

schale
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 28 November 2007 - 11:46 AM

Defrag wasn't working. It said files couldn't be found. I had to copy and paste the defrag.exe from another Win2000 cpu. I found this in the Autoruns program; it looks strange.
Also, the disk check wasn't working either. It makes me use it at startup.

catchme.sys. Anything wrong with this?


Thanks Grinler for the help. Is there something I can do to speed up this cpu? It has 70% free space on the hard drive, but is still slow. Also, it will be operating at 5% and it still takes 5-10 mins to open programs.

Edited by schale, 28 November 2007 - 12:00 PM.


#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:37 AM

Posted 28 November 2007 - 12:40 PM

Let's check one last thing:

Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky report together with a fresh HijackThis log for review.

#14 schale

schale
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 29 November 2007 - 09:09 AM

I will run this now. I have Kaspersky at home. It's solid!


Something weird is happening. All other websites work except Windows Update. Windows Update won't load the page. The browser just freezes to where it won't load anything. Blank frozen screen. Even when I click the icon or right click it in the system tray it won't do anything.

Edited by schale, 29 November 2007 - 09:11 AM.


#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:37 AM

Posted 29 November 2007 - 12:45 PM

I do not think this is a malware-related issue. Let's do the online Kaspersky report and we will focus on the updates after.



