Trojans Found On My System



#1 josue

Posted 17 November 2007 - 08:18 PM

Here is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:58 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy\SAcc.exe
C:\Documents and Settings\Gabriel Cardoso\Application Data\Microsoft\Windows\lbwmfvpw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.380.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [9DOeuw] C:\WINDOWS\slcec.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SurfAccuracy] C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [ReJf5vH] C:\Documents and Settings\Gabriel Cardoso\Application Data\Microsoft\Windows\lbwmfvpw.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4898 bytes




I hope someone could help me, thanks



#2 josue

Posted 20 November 2007 - 11:20 PM

:wacko: :thumbsup: :blink:

PLEASE SOMEONE HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#3 bamajim

Posted 28 November 2007 - 12:00 PM

josue

Sorry for the delay.

Please download ComboFix and save it to your desktop. Note: it is important that it is saved directly to your desktop.
Close any open browsers.
Double-click on ComboFix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of C:\ComboFix.txt in your next reply.
Note: do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#4 josue

Posted 28 November 2007 - 02:20 PM

There you go!!!!!!!!!!!!!!
And thanks so very much for your answer. :thumbsup:
__________________________________________________________________________________________________

ComboFix 07-11-29.1 - Gabriel Cardoso 2007-11-28 13:12:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.95 [GMT -6:00]
Running from: C:\Documents and Settings\Gabriel Cardoso\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 09:58 . 2007-11-28 09:58 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-27 20:18 . 2007-08-20 04:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-27 20:18 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-27 20:18 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-27 20:18 . 2007-08-20 04:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-27 20:18 . 2007-08-20 04:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-27 20:18 . 2007-08-20 04:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-27 20:18 . 2007-08-20 04:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-27 20:18 . 2007-08-20 04:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-27 20:18 . 2007-08-17 04:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-27 20:13 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-17 19:31 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-11-17 19:31 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-11-17 19:31 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-11-17 19:27 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-17 03:52 . 2007-11-17 03:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 03:49 . 2007-11-17 03:49 93 --a------ C:\WINDOWS\wininit.ini
2007-11-17 02:58 . 2007-11-17 03:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 02:46 . 2007-09-06 04:00 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-17 02:46 . 2007-09-06 04:05 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-17 02:46 . 2007-09-06 04:05 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-17 02:46 . 2007-09-06 04:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-17 02:46 . 2007-09-06 04:00 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-17 02:46 . 2007-09-06 04:03 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-17 02:45 . 2007-11-17 02:45 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-17 02:44 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-17 02:04 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-17 02:03 . 2007-11-17 02:03 <DIR> d-------- C:\WINDOWS\provisioning
2007-11-17 02:03 . 2007-11-17 02:03 <DIR> d-------- C:\WINDOWS\peernet
2007-11-17 02:03 . 2004-08-03 23:10 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2007-11-17 02:03 . 2004-08-04 00:56 44,032 --------- C:\WINDOWS\system32\twext.dll
2007-11-17 02:03 . 2004-08-04 00:56 32,866 --------- C:\WINDOWS\slrundll.exe
2007-11-17 02:03 . 2004-08-04 00:56 28,672 --------- C:\WINDOWS\system32\vidcap.ax
2007-11-17 02:03 . 2004-08-04 00:56 17,408 --------- C:\WINDOWS\system32\winshfhc.dll
2007-11-17 02:03 . 2004-08-04 00:56 15,872 --------- C:\WINDOWS\system32\w3ssl.dll
2007-11-17 02:03 . 2004-08-04 00:56 11,325 --------- C:\WINDOWS\system32\drivers\vchnt5.dll
2007-11-17 02:00 . 2007-11-17 02:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-17 01:54 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002219_.tmp
2007-11-17 01:50 . 2007-11-17 01:50 <DIR> d-------- C:\WINDOWS\EHome
2007-11-17 01:49 . 2007-11-17 01:52 <DIR> d-------- C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 07:05 --------- d-----w C:\Program Files\Symantec
2007-11-17 07:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-17 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2002-08-29 12:00 520,192 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 14:00]
"SurfAccuracy"="C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy\SAcc.exe" [2007-11-17 01:49]
"ReJf5vH"="C:\Documents and Settings\Gabriel Cardoso\Application Data\Microsoft\Windows\lbwmfvpw.exe" [2007-11-17 01:52]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bart Station"="C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe" [2005-06-27 13:03]
"9DOeuw"="C:\WINDOWS\slcec.exe" [2005-11-19 13:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 10:04]


*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 19:14:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 13:14:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 13:15:36
.
--- E O F ---
__________________________________________________________________________________________

#5 bamajim

Posted 28 November 2007 - 04:01 PM

josue

You are most welcome.

You have a suspicious file I'd like to have a look at.

Please go HERE

Put Your Name, and Bleeping Computer HJT forum

In the "File to submit" box, click Browse. Using Windows Explorer (right-click on "Start", select "Explore", and you will see the "tree" of file folders in the left side of the window; click on the "+" next to any folder name to expand its contents), locate the file C:\WINDOWS\slcec.exe.
In the comments, tell them that I asked you to upload the file.
Then select Send File.

Once you send it, then reply. Thanks
Microsoft MVP - Windows Security

#6 josue

Posted 28 November 2007 - 04:55 PM

I've uploaded the file (slcec.exe) for analysis

#7 bamajim

Posted 28 November 2007 - 05:20 PM

josue

Got it. It's bad.

1. Open Notepad (not WordPad). Copy and paste the following into Notepad (not the word code):
File::
C:\WINDOWS\slcec.exe
C:\Documents and Settings\Gabriel Cardoso\Application Data\Microsoft\Windows\lbwmfvpw.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ReJf5vH"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9DOeuw"=-
Save the file as CFScript (exactly as shown, no spaces) ->> save it to your desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.

You will be prompted to run ComboFix again; do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
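The two posts above show the workflow the helper followed in this thread: pick out the Run-key entries in the first HijackThis log that do not belong (a value named 9DOeuw starting C:\WINDOWS\slcec.exe, and ReJf5vH starting an executable under the user's Application Data), have the binary analysed, then remove both the files and the Run values with a ComboFix CFScript. The Python script below is added here as a worked example; it is not code from the thread, from HijackThis or from ComboFix. It parses the O4 lines of the posted log, scores each entry with a few heuristics, and emits a CFScript in the same File::/Registry:: layout the helper used. The weights, the threshold of 2 and the regular expressions for "random-looking" names are assumptions made for this illustration; the sample log lines are the O4 lines copied from the first post.

```python
"""Triage the O4 (Run-key) lines of a HijackThis log and build a ComboFix CFScript.

Added example for this page, not code from the thread, HijackThis or ComboFix.
The weights and threshold are assumptions made for illustration: a hit is a
reason to submit the binary for analysis, as the thread does, not a verdict.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Hive abbreviations as HijackThis prints them -> full names used in a CFScript.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# O4 - <hive>\..\Run: [<value name>] <command line> [(User '<account>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$"
)
QUOTED_IMAGE = re.compile(r'^"([^"]+)"')
BARE_IMAGE = re.compile(r"^(.+?\.(?:exe|scr|com|dll|bat|cmd))(?=\s|$)", re.IGNORECASE)
# 5-8 alphanumerics mixing digits, upper and lower case, like 9DOeuw or ReJf5vH (assumed heuristic).
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Z])(?=.*[a-z])[A-Za-z0-9]{5,8}$")
# Six or more consonants and nothing else, like lbwmfvpw (assumed heuristic).
VOWELLESS = re.compile(r"^[b-df-hj-np-tv-z]{6,}$", re.IGNORECASE)


class Entry(NamedTuple):
    hive: str
    name: str
    cmd: str
    path: Optional[str]


def image_path(cmd: str) -> Optional[str]:
    """Pull the executable out of a Run-key command line, quoted or bare."""
    m = QUOTED_IMAGE.match(cmd) or BARE_IMAGE.match(cmd)
    return m.group(1) if m else None


def parse_o4(line: str) -> Optional[Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    return Entry(m.group("hive"), m.group("name"), cmd, image_path(cmd))


def score(entry: Entry) -> Tuple[int, List[str]]:
    """Sum weighted signals. Each one alone also appears in clean logs, so the
    caller applies a threshold to the total rather than acting on a single hit."""
    hits: List[Tuple[str, int]] = []
    if RANDOM_NAME.match(entry.name):
        hits.append(("random-looking value name", 2))
    if entry.path:
        folder, _, filename = entry.path.lower().rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if folder == r"c:\windows":
            hits.append(("executable dropped directly into the Windows folder", 1))
        if "\\application data\\" in folder + "\\":
            hits.append(("runs from a user-writable profile folder", 1))
        if VOWELLESS.match(stem):
            hits.append(("random-looking file name", 1))
    return sum(w for _, w in hits), [reason for reason, _ in hits]


def triage(log_text: str, threshold: int = 2) -> List[Entry]:
    """Return the O4 entries whose score reaches the threshold, in log order."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and score(e)[0] >= threshold]


def full_hive(hive: str) -> str:
    if hive in HIVES:
        return HIVES[hive]
    return "HKEY_USERS\\" + hive.split("\\", 1)[1]  # HKUS\S-1-5-18, HKUS\.DEFAULT


def build_cfscript(flagged: List[Entry]) -> str:
    """File:: lists paths to delete; Registry:: uses .reg syntax, where a
    "name"=- line under a key removes that value."""
    lines = ["File::"] + [e.path for e in flagged if e.path] + ["", "Registry::"]
    for e in flagged:
        lines.append(f"[{full_hive(e.hive)}\\{RUN_KEY}]")
        lines.append(f'"{e.name}"=-')
    return "\n".join(lines) + "\n"


# Constructed sample: the O4 lines of the first log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [9DOeuw] C:\WINDOWS\slcec.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SurfAccuracy] C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [ReJf5vH] C:\Documents and Settings\Gabriel Cardoso\Application Data\Microsoft\Windows\lbwmfvpw.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
"""

if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"[{e.name}] {e.path}: {', '.join(score(e)[1])}")
    print(build_cfscript(flagged))
```

Run as-is, it flags exactly the two entries the helper removed and prints a script equivalent to the one in post #7. Note what stays below the threshold: msmsgs.exe picks up one point for its vowel-free file name and SAcc.exe one for living under Application Data, which is why the score sums signals instead of acting on any one of them. A hit is still only grounds for submitting the file for analysis, as the helper did, since a cleanly named binary under Program Files can be just as malicious as one with a random name.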

#8 josue

Posted 28 November 2007 - 06:06 PM

ComboFix 07-11-29.1 - Gabriel Cardoso 2007-11-29 16:42:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.66 [GMT -6:00]
Running from: C:\Documents and Settings\Gabriel Cardoso\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gabriel Cardoso\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Gabriel Cardoso\Application Data\Microsoft\Windows\lbwmfvpw.exe
C:\WINDOWS\slcec.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gabriel Cardoso\Application Data\Microsoft\Windows\lbwmfvpw.exe
C:\WINDOWS\slcec.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 09:58 . 2007-11-28 09:58 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-27 20:18 . 2007-08-20 04:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-27 20:18 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-27 20:18 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-27 20:18 . 2007-08-20 04:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-27 20:18 . 2007-08-20 04:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-27 20:18 . 2007-08-20 04:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-27 20:18 . 2007-08-20 04:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-27 20:18 . 2007-08-20 04:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-27 20:18 . 2007-08-17 04:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-27 20:13 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-17 19:31 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-11-17 19:31 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-11-17 19:31 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-11-17 19:27 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-17 03:52 . 2007-11-17 03:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 03:49 . 2007-11-17 03:49 93 --a------ C:\WINDOWS\wininit.ini
2007-11-17 02:58 . 2007-11-17 03:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 02:46 . 2007-09-06 04:00 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-17 02:46 . 2007-09-06 04:05 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-17 02:46 . 2007-09-06 04:05 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-17 02:46 . 2007-09-06 04:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-17 02:46 . 2007-09-06 04:00 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-17 02:46 . 2007-09-06 04:03 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-17 02:45 . 2007-11-17 02:45 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-17 02:44 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-17 02:04 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-17 02:03 . 2007-11-17 02:03 <DIR> d-------- C:\WINDOWS\provisioning
2007-11-17 02:03 . 2007-11-17 02:03 <DIR> d-------- C:\WINDOWS\peernet
2007-11-17 02:03 . 2004-08-03 23:10 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2007-11-17 02:03 . 2004-08-04 00:56 44,032 --------- C:\WINDOWS\system32\twext.dll
2007-11-17 02:03 . 2004-08-04 00:56 32,866 --------- C:\WINDOWS\slrundll.exe
2007-11-17 02:03 . 2004-08-04 00:56 28,672 --------- C:\WINDOWS\system32\vidcap.ax
2007-11-17 02:03 . 2004-08-04 00:56 17,408 --------- C:\WINDOWS\system32\winshfhc.dll
2007-11-17 02:03 . 2004-08-04 00:56 15,872 --------- C:\WINDOWS\system32\w3ssl.dll
2007-11-17 02:03 . 2004-08-04 00:56 11,325 --------- C:\WINDOWS\system32\drivers\vchnt5.dll
2007-11-17 02:00 . 2007-11-17 02:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-17 01:54 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002219_.tmp
2007-11-17 01:50 . 2007-11-17 01:50 <DIR> d-------- C:\WINDOWS\EHome
2007-11-17 01:49 . 2007-11-17 01:52 <DIR> d-------- C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 07:05 --------- d-----w C:\Program Files\Symantec
2007-11-17 07:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-17 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2002-08-29 12:00 520,192 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 14:00]
"SurfAccuracy"="C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy\SAcc.exe" [2007-11-17 01:49]
"ReJf5vH"="C:\Documents and Settings\Gabriel Cardoso\Application Data\Microsoft\Windows\lbwmfvpw.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bart Station"="C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe" [2005-06-27 13:03]
"9DOeuw"="C:\WINDOWS\slcec.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 10:04]


*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 19:14:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 16:44:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 16:45:42
C:\ComboFix2.txt ... 2007-11-29 13:15
.
--- E O F ---

#9 bamajim

Posted 29 November 2007 - 10:08 AM

josue

Excellent

Could I see a fresh Hijackthis log?

And in your reply give me an update on how your PC is running now.
Microsoft MVP - Windows Security

#10 josue

Posted 29 November 2007 - 11:14 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:42 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy\SAcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SurfAccuracy] C:\Documents and Settings\Gabriel Cardoso\Application Data\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4900 bytes

#11 bamajim

Posted 29 November 2007 - 11:38 AM

josue

Just one item to clean up

1. Rerun HijackThis (scan only) and place a check beside the following entry:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Close all other open windows except HijackThis and select "Fix checked".

Close HijackThis, then reboot your PC, and you are there.

You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean

There are some final notes:
Disable and enable System Restore. Let's create a clean System Restore point;
the instructions are here.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java: download the latest version of
Java Runtime Environment (JRE) 6u3.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says "Accept License Agreement".
The page will refresh.
Click on the link to download the Windows Offline Installation, with or without Multi-language, and save it to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windowsi586-p.exe to install the newest version.
Update your antivirus software.

Use and maintain a firewall. There is a list HERE, all of which are free.
Download and install SiteHound by Firetrust for protection against malicious websites.

Pick the version that matches your browser

Visit Microsoft's Windows Update Site Frequently for critical updates

Back up your important documents and files on a regular basis, to a disc or a USB key, not your hard drive.
You may want to read this article: "So how did I get infected in the first place?" by Tony Klein.

surf safe
Microsoft MVP - Windows Security

#12 josue

Posted 29 November 2007 - 07:08 PM

thanks so much for your help



