
Cutwail G


15 replies to this topic

#1 Pam Poff

Pam Poff

  • Members
  • 8 posts

Posted 26 November 2007 - 01:09 PM

I have followed your instructions the best I can. I have CA spyware protection that was installed after the infection of the computer, and it could not remove this virus. I need some help to know what files to remove. Here is the logfile from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:44 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novastarrealestate.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {6D7C3C19-C1B4-4975-1A87-93C99B7A7DDC} - C:\Program Files\Common Files\lavum.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8D47E650-D873-4B42-997F-5A8E3F92AF10} - C:\WINDOWS\System32\nnnop.dll (file missing)
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [horyjyr] C:\Program Files\WindowsUpdate\horyjyr22011.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: TypeItIn.lnk = C:\Program Files\TypeItIn\TypeItIn.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193421590941
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demo.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: ljjifcb - ljjifcb.dll (file missing)
O21 - SSODL: ecRdHj - {A02A915D-0A80-3BF7-698B-F84A99AB4B80} - C:\WINDOWS\System32\zqfe.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\profsyb.html

--
End of file - 8197 bytes
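
The log above is the raw material; what the Malware Response Team does with it is pick out the loading points that have no business being there. The script below is an added example, written for this page and not part of HijackThis or of the thread, that encodes a few of those rules (orphaned "(file missing)" entries, nameless BHOs, AppInit_DLLs and Winlogon Notify packages, an SSODL entry, an Active Desktop HTML component, a Run entry living in a directory that impersonates Windows Update, a service with no publisher) and runs them over a dozen lines copied from the log. The rules, the `IMPERSONATED_DIRS` list and the severity labels are assumptions of this example, not HijackThis output, and a "high" still needs a human to confirm it.

```python
"""Triage heuristics for a HijackThis 2.0 log (added example, not HijackThis code)."""
import re

# Every HijackThis entry starts with a section code (R0, O2, O4, O20 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
MISSING = " (file missing)"
# Directory names that impersonate a Windows component when found outside %SystemRoot%
# (assumed list; Windows Update itself lives under %SystemRoot%, never in Program Files).
IMPERSONATED_DIRS = {"windowsupdate", "windows update"}
SEVERITY = {"info": 0, "medium": 1, "high": 2}

# Sample input: a dozen entry lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {6D7C3C19-C1B4-4975-1A87-93C99B7A7DDC} - C:\Program Files\Common Files\lavum.dll (file missing)
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [horyjyr] C:\Program Files\WindowsUpdate\horyjyr22011.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: ljjifcb - ljjifcb.dll (file missing)
O21 - SSODL: ecRdHj - {A02A915D-0A80-3BF7-698B-F84A99AB4B80} - C:\WINDOWS\System32\zqfe.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\profsyb.html
"""


def entries(log_text):
    """Yield (section, body) for each entry line; process lists and headers are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def target_path(sec, body):
    """Extract the file an entry points at, without the '(file missing)' marker."""
    if sec == "O4" and "] " in body:                 # O4 - HKLM\..\Run: [name] path args
        path = body.split("] ", 1)[1]
    elif body.startswith("AppInit_DLLs:"):           # O20 - AppInit_DLLs: path
        path = body.split(":", 1)[1].strip()
    else:                                            # last " - " field is the path
        path = body.rsplit(" - ", 1)[-1]
    return path[:-len(MISSING)] if path.endswith(MISSING) else path


def in_windows_dir(path):
    return path.lower().startswith(("c:\\windows", "%systemroot%", "%windir%"))


def triage(log_text):
    """Return one finding per suspicious entry: worst severity, section, path, reasons."""
    findings = []
    for sec, body in entries(log_text):
        path = target_path(sec, body)
        reasons = []
        if body.endswith(MISSING):
            reasons.append(("medium", "orphaned loading point: file is gone, registry entry remains"))
        if sec == "O2":
            name = body[len("BHO: "):].split(" - ", 1)[0]
            if name == "(no name)" or len(name) <= 1:
                reasons.append(("high", "BHO without a descriptive name"))
        elif sec == "O4" and "Run:" in body:
            dirs = {d.lower() for d in path.split("\\")[1:-1]}
            if not in_windows_dir(path) and dirs & IMPERSONATED_DIRS:
                reasons.append(("high", "directory impersonates a Windows component outside %SystemRoot%"))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            ext = path.lower().rsplit(".", 1)[-1]
            reasons.append(("high", "AppInit_DLLs is injected into every user32-linked process"
                            + ("; not even a .dll extension" if ext != "dll" else "")))
        elif sec == "O20":                           # Winlogon Notify package
            reasons.append(("high", "third-party Winlogon Notify package runs as SYSTEM at logon"))
        elif sec == "O21":
            reasons.append(("high", "ShellServiceObjectDelayLoad entry loads into Explorer"))
        elif sec == "O24":
            reasons.append(("medium", "Active Desktop component pointing at a local HTML file"))
        elif sec == "O23" and " - Unknown owner - " in body:
            reasons.append(("info", "service without a publisher string; verify the binary"))
        if reasons:
            worst = max((sev for sev, _ in reasons), key=SEVERITY.__getitem__)
            findings.append({"severity": worst, "section": sec, "path": path,
                             "reasons": [why for _, why in reasons], "entry": body})
    return sorted(findings, key=lambda f: -SEVERITY[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['section']:<3} {f['path']}")
        for why in f["reasons"]:
            print(f"          - {why}")
```

Run against the sample, the Adobe BHO, the HP updater, the UserFaultCheck entry (the legitimate XP `dumprep` crash reporter) and the Sygate service come back clean; everything else in the list is the same set a HijackThis helper would have asked to fix, which is the point of writing the rules down.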


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 09 December 2007 - 01:09 PM

I apologize for the very long delay. We have a huge backlog of HijackThis logs to handle, and it has been taking us longer than normal to get caught up. If you are still having a problem and want us to analyze your information, please post a brand-new HijackThis log. If we do not hear back from you within a couple of days, we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Thank you for your patience.

#3 Pam Poff

Pam Poff
  • Topic Starter

  • Members
  • 8 posts

Posted 09 December 2007 - 10:00 PM

Random/random,
Here is a new HijackThis log as you requested. Pam Poff
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:39 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\spoolc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novastarrealestate.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {6D7C3C19-C1B4-4975-1A87-93C99B7A7DDC} - C:\Program Files\Common Files\lavum.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8D47E650-D873-4B42-997F-5A8E3F92AF10} - C:\WINDOWS\System32\nnnop.dll (file missing)
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mspoolg.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [horyjyr] C:\Program Files\WindowsUpdate\horyjyr22011.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: TypeItIn.lnk = C:\Program Files\TypeItIn\TypeItIn.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193421590941
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demo.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: ljjifcb - ljjifcb.dll (file missing)
O21 - SSODL: ecRdHj - {A02A915D-0A80-3BF7-698B-F84A99AB4B80} - C:\WINDOWS\System32\zqfe.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\profsyb.html

--
End of file - 8584 bytes


I hope you can help
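
Two logs two weeks apart are more useful than one: what moved between them is what the infection is doing. Below is an added example, written for this page and not HijackThis's or the thread's own code, that indexes each log by loading point (CLSID for BHOs and SSODL entries, hive plus value name for Run keys, service name for services), diffs the two, and additionally flags a Run value whose name is borrowed from an executable that another Run value already launches. Run over excerpts copied from the two logs above, it surfaces the BHO that kept its CLSID but swapped its DLL (mskvtns.dll to mspoolg.dll) and the new "dumprep" value that points at spoolc.exe rather than at the dumprep that UserFaultCheck runs. The excerpts are trimmed by hand, the borrowed-name rule is this example's own heuristic, and the Seagate entries show up as "added" too, which is why a diff is a shortlist, not a verdict.

```python
"""Diff two HijackThis logs by loading point (added example, not HijackThis code)."""
import re

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed excerpts of the 26 Nov and 9 Dec logs above, trimmed to the entries that differ
# plus the legitimate UserFaultCheck entry the new "dumprep" value is compared against.
LOG_NOV26 = r"""
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""
LOG_DEC09 = r"""
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mspoolg.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
"""


def index(log_text):
    """Map each loading point to what it runs.

    Key: section + CLSID for O2/O21, section + hive + value name for O4 Run keys,
    section + service name for O23; anything else keys on the whole line."""
    idx = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        guid = GUID_RE.search(body)
        if sec in ("O2", "O21") and guid:
            key, val = f"{sec} {guid.group(0)}", body.rsplit(" - ", 1)[-1]
        elif sec == "O4" and "] " in body:
            head, val = body.split("] ", 1)
            key = f"{sec} {head}]"                       # e.g. "O4 HKLM\..\Run: [dumprep]"
        elif sec == "O23":
            key, val = f"{sec} {body.split(' - ')[0]}", body.rsplit(" - ", 1)[-1]
        else:
            key, val = f"{sec} {body}", ""
        idx[key] = val
    return idx


def diff(old, new):
    """Loading points added, removed, or re-pointed at a different file."""
    return {
        "added": {k: v for k, v in new.items() if k not in old},
        "removed": {k: v for k, v in old.items() if k not in new},
        "changed": [(k, old[k], new[k]) for k in old if k in new and old[k] != new[k]],
    }


def _stem(command):
    """Lower-case file name, without extension, of the executable a Run value launches."""
    exe = command.strip().strip('"').rsplit("\\", 1)[-1].split()[0]
    return exe.lower().rsplit(".", 1)[0]


def borrowed_names(log_text):
    """Run values whose name is the executable another Run value launches while their own
    target is something else (assumed heuristic; catches [dumprep] -> spoolc.exe)."""
    runs = [(k.split("[", 1)[1].rstrip("]"), v) for k, v in index(log_text).items()
            if k.startswith("O4 ") and "[" in k]
    launched = {_stem(v) for _, v in runs}
    return [(name, v) for name, v in runs
            if name.lower() in launched and name.lower() != _stem(v)]


if __name__ == "__main__":
    d = diff(index(LOG_NOV26), index(LOG_DEC09))
    for key, old, new in d["changed"]:
        print(f"CHANGED {key}: {old} -> {new}")
    for kind in ("added", "removed"):
        for key, val in d[kind].items():
            print(f"{kind.upper():7} {key} = {val}")
    for name, target in borrowed_names(LOG_DEC09):
        print(f"BORROWED name [{name}] launches {target}")
```

Keying on the CLSID rather than the file name is what makes the BHO swap visible as one "changed" loading point instead of one removal and one unrelated addition; the Run-key and service keys do the same for the entries that disappeared with Sygate.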

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 10 December 2007 - 12:36 PM

Download the latest version of ComboFix from Here to your Desktop.
  • Double-click ComboFix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 Pam Poff

Pam Poff
  • Topic Starter

  • Members
  • 8 posts

Posted 10 December 2007 - 04:37 PM

Here are the ComboFix log and the HijackThis log.

ComboFix 07-12-09.1 - Walt 2007-12-10 16:26:32.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT -5:00]
Running from: C:\Documents and Settings\Walt\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Walt\~tmp.exe
C:\Program Files\Common Files\profsyb.html
C:\WINDOWS\drabste.exe
C:\WINDOWS\dracee.exe
C:\WINDOWS\ksacre.exe
C:\WINDOWS\nwan.dat
C:\WINDOWS\porkaa.exe
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\mskvtns.dll
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\wbrea.exe
C:\WINDOWS\wesre.exe
C:\WINDOWS\xlaherx.exe
C:\WINDOWS\xlavba6.exe
C:\WINDOWS\xlavba8.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_POOF
-------\LEGACY_RUNTIME2
-------\nm


((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-10 16:34 . 2007-12-10 16:34 <DIR> d-------- C:\WINDOWS\TEM
2007-12-10 11:03 . 2007-08-20 05:04 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-10 11:03 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-10 11:03 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-10 11:03 . 2007-08-20 05:04 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-10 11:03 . 2007-08-20 05:04 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-10 11:03 . 2007-08-20 05:04 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-10 11:03 . 2007-08-20 05:04 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-10 11:03 . 2007-08-20 05:04 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-10 11:03 . 2007-08-17 05:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-10 10:59 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-09 21:46 . 2007-12-09 21:46 159,408 --a------ C:\WINDOWS\bagvdg.exe
2007-12-09 21:46 . 2007-12-09 21:46 71 --a------ C:\WINDOWS\mgglp.bat
2007-12-09 21:39 . 2007-12-09 21:39 59,392 --a------ C:\WINDOWS\derc32xz.exe
2007-12-09 21:39 . 2007-12-09 21:39 16,384 --a------ C:\WINDOWS\ddexxz.exe
2007-12-08 13:07 . 2007-12-08 13:07 159,408 --a------ C:\WINDOWS\bagzdg.exe
2007-12-07 11:46 . 2007-12-09 21:46 94,896 --a------ C:\WINDOWS\system32\mspoolg.dll
2007-12-05 15:52 . 2007-12-05 15:52 <DIR> d-------- C:\Program Files\Seagate
2007-12-05 15:52 . 2007-12-05 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2007-12-05 15:50 . 2007-12-05 15:50 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-05 15:37 . 2007-12-05 15:37 159,408 --a------ C:\WINDOWS\bakfgdg.exe
2007-12-05 15:30 . 2007-12-05 15:30 94,896 --a------ C:\WINDOWS\system32\mspoold.dll
2007-12-04 09:19 . 2007-12-04 09:19 162,917 --a------ C:\WINDOWS\bakidg.exe
2007-12-04 09:19 . 2007-12-04 09:19 138,240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-03 09:34 . 2007-12-03 09:34 383,488 --a------ C:\WINDOWS\ddubbv.exe
2007-12-03 09:34 . 2007-12-03 09:34 16,384 --a------ C:\WINDOWS\dcxxygx.exe
2007-11-29 09:21 . 2007-11-29 09:21 87,552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-11-27 16:40 . 2007-11-27 16:40 20,480 --a------ C:\WINDOWS\davrrx.exe
2007-11-26 14:19 . 2007-11-26 14:19 <DIR> d--hs---- C:\FOUND.004
2007-11-26 11:34 . 2007-11-26 11:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-26 11:34 . 2007-11-26 11:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-26 11:34 . 2007-11-26 11:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-26 11:33 . 2007-11-26 11:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-26 10:48 . 2007-11-26 10:48 <DIR> d-------- C:\Documents and Settings\Walt\.housecall6.6
2007-11-26 10:44 . 2007-11-26 10:44 <DIR> d-------- C:\WINDOWS\Sun
2007-11-26 10:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-26 10:42 . 2007-11-26 10:42 <DIR> d-------- C:\Program Files\Java
2007-11-26 10:39 . 2007-11-26 10:39 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-26 10:01 . 2007-11-26 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 09:42 . 2007-11-26 09:42 156,336 --a------ C:\WINDOWS\dracve.exe
2007-11-24 12:56 . 2007-11-24 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-24 12:46 . 2007-11-24 12:46 <DIR> d-------- C:\Documents and Settings\Walt\Application Data\Uniblue
2007-11-24 11:44 . 2007-11-24 11:44 0 --a------ C:\10.tmp
2007-11-24 11:43 . 2007-11-24 11:43 0 --a------ C:\F.tmp
2007-11-24 11:43 . 2007-11-24 11:43 0 --a------ C:\E.tmp
2007-11-24 11:43 . 2007-11-24 11:43 0 --a------ C:\D.tmp
2007-11-24 11:42 . 2007-11-24 11:42 0 --a------ C:\C.tmp
2007-11-24 11:42 . 2007-11-24 11:42 0 --a------ C:\B.tmp
2007-11-24 11:42 . 2007-11-24 11:42 0 --a------ C:\A.tmp
2007-11-24 11:42 . 2007-11-24 11:42 0 --a------ C:\9.tmp
2007-11-24 11:41 . 2007-11-24 11:41 20,992 --a------ C:\WINDOWS\daverx.exe
2007-11-12 11:47 . 2007-11-29 09:21 291,328 --a------ C:\WINDOWS\system32\libcurl.dll
2007-11-12 11:47 . 2007-11-13 11:31 55,808 --a------ C:\WINDOWS\system32\spoolv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 20:40 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-26 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-10-26 20:27 --------- d-----w C:\Documents and Settings\Walt\Application Data\GetRightToGo
2007-10-26 17:56 51,003 ----a-w C:\aklr.exe
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-19 17:51 425,480 ----a-w C:\syssbkn.exe
2007-10-16 16:48 425,480 ----a-w C:\sysvoez.exe
2007-10-10 18:53 425,480 ----a-w C:\sysdksu.exe
2007-09-25 16:26 425,480 ----a-w C:\sysmeyp.exe
2007-09-22 18:59 425,480 ----a-w C:\sysphab.exe
2007-09-21 17:47 425,480 ----a-w C:\sysvxuo.exe
2007-09-21 14:25 425,480 ----a-w C:\sysrnft.exe
2007-09-21 14:25 425,480 ----a-w C:\syspnng.exe
2007-09-20 19:10 425,480 ----a-w C:\sysffqy.exe
2007-09-19 15:02 425,480 ----a-w C:\syshudd.exe
2007-09-18 19:33 425,480 ----a-w C:\syswrqv.exe
2007-09-18 19:33 425,480 ----a-w C:\sysabsr.exe
2007-09-18 17:29 425,480 ----a-w C:\sysneur.exe
2007-09-18 16:09 425,480 ----a-w C:\sysqmqq.exe
2007-09-07 15:05 246 ----a-w C:\Program Files\Common Files\lavum
2007-09-06 20:17 246 ----a-w C:\Program Files\Common Files\lavum521
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7C3C19-C1B4-4975-1A87-93C99B7A7DDC}]
C:\Program Files\Common Files\lavum.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D47E650-D873-4B42-997F-5A8E3F92AF10}]
C:\WINDOWS\System32\nnnop.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"RIMDeviceManager"="C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-21 10:43]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 12:36]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"horyjyr"="C:\Program Files\WindowsUpdate\horyjyr22011.exe" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2003-02-13 10:25]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-27 16:42]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"dumprep"="C:\WINDOWS\system32\spoolc.exe" [2007-11-29 09:21]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-09-28 15:32]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Corel MEDIA FOLDERS INDEXER 8.LNK - C:\Corel\Graphics8\Programs\MFIndexer.exe [2004-06-03 17:30:52]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-07-06 12:59:22]
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 21:16:46]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ecRdHj"= {A02A915D-0A80-3BF7-698B-F84A99AB4B80} - C:\WINDOWS\System32\zqfe.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjifcb]
ljjifcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SmcService"=2 (0x2)

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R2 ATNT40K;ActiveTouch NT Appsharing Driver;C:\WINDOWS\system32\DRIVERS\ATNT40K.SYS
R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe"
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eedaeb0-a373-11dc-8fc7-004063c3a078}]
\Shell\AutoRun\command - H:\Launch.exe /run

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 16:35:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 16:37:08 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:59 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\spoolc.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novastarrealestate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {6D7C3C19-C1B4-4975-1A87-93C99B7A7DDC} - C:\Program Files\Common Files\lavum.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8D47E650-D873-4B42-997F-5A8E3F92AF10} - C:\WINDOWS\System32\nnnop.dll (file missing)
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [horyjyr] C:\Program Files\WindowsUpdate\horyjyr22011.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TypeItIn.lnk = C:\Program Files\TypeItIn\TypeItIn.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193421590941
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demo.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O20 - Winlogon Notify: ljjifcb - ljjifcb.dll (file missing)
O21 - SSODL: ecRdHj - {A02A915D-0A80-3BF7-698B-F84A99AB4B80} - C:\WINDOWS\System32\zqfe.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

--
End of file - 8990 bytes

Waiting for a reply. Thank you

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 10 December 2007 - 04:53 PM

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    DirLook::
    C:\WINDOWS\TEM
    Folder::
    C:\Program Files\Common Files\lavum
    C:\Program Files\Common Files\lavum521
    File::
    C:\WINDOWS\bagvdg.exe
    C:\WINDOWS\mgglp.bat
    C:\WINDOWS\derc32xz.exe
    C:\WINDOWS\ddexxz.exe
    C:\WINDOWS\bagzdg.exe
    C:\WINDOWS\system32\mspoolg.dll
    C:\WINDOWS\bakfgdg.exe
    C:\WINDOWS\system32\mspoold.dll
    C:\WINDOWS\bakidg.exe
    C:\WINDOWS\xnnnav.exe
    C:\WINDOWS\ddubbv.exe
    C:\WINDOWS\dcxxygx.exe
    C:\WINDOWS\system32\spoolc.exe
    C:\WINDOWS\davrrx.exe
    C:\WINDOWS\dracve.exe
    C:\10.tmp
    C:\F.tmp
    C:\E.tmp
    C:\D.tmp
    C:\C.tmp
    C:\B.tmp
    C:\A.tmp
    C:\9.tmp
    C:\WINDOWS\daverx.exe
    C:\WINDOWS\system32\spoolv.exe
    C:\aklr.exe
    C:\syssbkn.exe
    C:\sysvoez.exe
    C:\sysdksu.exe
    C:\sysmeyp.exe
    C:\sysphab.exe
    C:\sysvxuo.exe
    C:\sysrnft.exe
    C:\syspnng.exe
    C:\sysffqy.exe
    C:\syshudd.exe
    C:\syswrqv.exe
    C:\sysabsr.exe
    C:\sysneur.exe
    C:\sysqmqq.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7C3C19-C1B4-4975-1A87-93C99B7A7DDC}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D47E650-D873-4B42-997F-5A8E3F92AF10}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "horyjyr"=-
    "dumprep"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "ecRdHj"=-
    [-HKEY_CLASSES_ROOT\CLSID\{A02A915D-0A80-3BF7-698B-F84A99AB4B80}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjifcb]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eedaeb0-a373-11dc-8fc7-004063c3a078}]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Posted Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

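How a responder arrives at the entries in a script like the one above, as an added example that is not part of this thread and is not HijackThis, ComboFix or random/random's own tooling: a small Python triage pass over a constructed subset of the HijackThis lines posted earlier. The rules it applies are this example's own heuristics, not a vendor's signatures: a load point whose file is "(file missing)" is an orphaned autostart entry; an executable one or two edits away from a core Windows process name is a lookalike; a Run value name that borrows the name of a binary another entry legitimately launches is impersonating that entry; and a lowercase value name paired with a digit-suffixed executable of the same stem is a generated-looking name. The core-binary list is an assumption.

```python
"""Triage a HijackThis-style log the way a malware responder reads it.

Added example for this thread; not HijackThis, ComboFix or random/random's tooling.
The heuristics are this example's own, and CORE_BINARIES is an assumed list.
"""
import re
from typing import List, Tuple

# Constructed sample: a subset of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {6D7C3C19-C1B4-4975-1A87-93C99B7A7DDC} - C:\Program Files\Common Files\lavum.dll (file missing)
O2 - BHO: (no name) - {8D47E650-D873-4B42-997F-5A8E3F92AF10} - C:\WINDOWS\System32\nnnop.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [horyjyr] C:\Program Files\WindowsUpdate\horyjyr22011.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O20 - Winlogon Notify: ljjifcb - ljjifcb.dll (file missing)
O21 - SSODL: ecRdHj - {A02A915D-0A80-3BF7-698B-F84A99AB4B80} - C:\WINDOWS\System32\zqfe.dll (file missing)
"""

# Assumption: core Windows process names that malware commonly imitates.
CORE_BINARIES = ["smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"]

# O4 Run entries: "O4 - HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Leading (optionally quoted) path ending in a known executable extension
EXT_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|bat|com))"?(?:\s|$)', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def launched_file(cmd: str) -> str:
    """Lower-cased file name of the program a Run command launches.

    Unquoted paths with spaces are common in HijackThis output, so the path is
    cut at the first executable extension rather than at the first space; a
    command with no extension (dumprep 0 -u) falls back to its first token.
    """
    m = EXT_RE.match(cmd)
    path = m.group("path") if m else cmd.split()[0].strip('"')
    return path.rsplit("\\", 1)[-1].lower()


def stem(filename: str) -> str:
    """File name without its extension."""
    return filename.rsplit(".", 1)[0]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries worth a responder's attention."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    run_entries = [(ln, m.group("name"), launched_file(m.group("cmd")))
                   for ln in lines for m in [RUN_RE.match(ln)] if m]
    launched_stems = {stem(exe) for _, _, exe in run_entries}

    findings: List[Tuple[str, str]] = []
    for ln in lines:
        # Rule 1: the registered component is gone but its load point remains
        if "(file missing)" in ln:
            findings.append((ln, "orphaned load point: registered file is missing"))
            continue
        m = RUN_RE.match(ln)
        if not m:
            continue
        name, exe = m.group("name"), launched_file(m.group("cmd"))
        # Rule 2: executable name within two edits of a core Windows process name
        for core in CORE_BINARIES:
            if exe != core and levenshtein(exe, core) <= 2:
                findings.append((ln, f"launches {exe}, a lookalike of {core}"))
                break
        # Rule 3: value name copied from a binary that another entry launches
        if name.lower() in launched_stems and stem(exe) != name.lower():
            findings.append((ln, f"value name '{name}' borrowed from another entry, launches {exe}"))
        # Rule 4: lowercase value name plus a digit-suffixed executable of the same stem
        if re.fullmatch(r"[a-z]{5,}", name) and re.fullmatch(name + r"\d+\.exe", exe):
            findings.append((ln, f"generated-looking name '{name}' with executable {exe}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample, the script flags the two missing-file BHOs, the O20 and O21 entries, the horyjyr entry and the dumprep/spoolc.exe entry (twice, as a lookalike of spoolsv.exe and as a borrowed value name), while leaving the HP and UserFaultCheck entries alone; those flagged entries are exactly the load points the Registry:: block above removes. The heuristics are deliberately narrow; a real triage also checks the file on disk (publisher signature, timestamps, hash against a reputation service) before deciding anything.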

#7 Pam Poff

Pam Poff
  • Topic Starter

  • Members
  • 8 posts

Posted 10 December 2007 - 05:32 PM

New combofix and hijackthis logs

ComboFix 07-12-09.1 - Walt 2007-12-10 17:21:43.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.44 [GMT -5:00]
Running from: C:\Documents and Settings\Walt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Walt\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\10.tmp
C:\9.tmp
C:\A.tmp
C:\aklr.exe
C:\B.tmp
C:\C.tmp
C:\D.tmp
C:\E.tmp
C:\F.tmp
C:\sysabsr.exe
C:\sysdksu.exe
C:\sysffqy.exe
C:\syshudd.exe
C:\sysmeyp.exe
C:\sysneur.exe
C:\sysphab.exe
C:\syspnng.exe
C:\sysqmqq.exe
C:\sysrnft.exe
C:\syssbkn.exe
C:\sysvoez.exe
C:\sysvxuo.exe
C:\syswrqv.exe
C:\WINDOWS\bagvdg.exe
C:\WINDOWS\bagzdg.exe
C:\WINDOWS\bakfgdg.exe
C:\WINDOWS\bakidg.exe
C:\WINDOWS\daverx.exe
C:\WINDOWS\davrrx.exe
C:\WINDOWS\dcxxygx.exe
C:\WINDOWS\ddexxz.exe
C:\WINDOWS\ddubbv.exe
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\dracve.exe
C:\WINDOWS\mgglp.bat
C:\WINDOWS\system32\mspoold.dll
C:\WINDOWS\system32\mspoolg.dll
C:\WINDOWS\system32\spoolc.exe
C:\WINDOWS\system32\spoolv.exe
C:\WINDOWS\xnnnav.exe
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:32 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novastarrealestate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TypeItIn.lnk = C:\Program Files\TypeItIn\TypeItIn.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193421590941
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demo.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

--
End of file - 8466 bytes


Thanks

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 11 December 2007 - 12:10 PM

Is that the complete combofix log? It looks like most of it got cut off

You can find the combofix log at C:\combofix.txt

#9 Pam Poff

Pam Poff
  • Topic Starter

  • Members
  • 8 posts

Posted 11 December 2007 - 03:32 PM

Here it is again

ComboFix 07-12-09.1 - Walt 2007-12-10 17:21:43.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.44 [GMT -5:00]
Running from: C:\Documents and Settings\Walt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Walt\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\10.tmp
C:\9.tmp
C:\A.tmp
C:\aklr.exe
C:\B.tmp
C:\C.tmp
C:\D.tmp
C:\E.tmp
C:\F.tmp
C:\sysabsr.exe
C:\sysdksu.exe
C:\sysffqy.exe
C:\syshudd.exe
C:\sysmeyp.exe
C:\sysneur.exe
C:\sysphab.exe
C:\syspnng.exe
C:\sysqmqq.exe
C:\sysrnft.exe
C:\syssbkn.exe
C:\sysvoez.exe
C:\sysvxuo.exe
C:\syswrqv.exe
C:\WINDOWS\bagvdg.exe
C:\WINDOWS\bagzdg.exe
C:\WINDOWS\bakfgdg.exe
C:\WINDOWS\bakidg.exe
C:\WINDOWS\daverx.exe
C:\WINDOWS\davrrx.exe
C:\WINDOWS\dcxxygx.exe
C:\WINDOWS\ddexxz.exe
C:\WINDOWS\ddubbv.exe
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\dracve.exe
C:\WINDOWS\mgglp.bat
C:\WINDOWS\system32\mspoold.dll
C:\WINDOWS\system32\mspoolg.dll
C:\WINDOWS\system32\spoolc.exe
C:\WINDOWS\system32\spoolv.exe
C:\WINDOWS\xnnnav.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\10.tmp
C:\9.tmp
C:\A.tmp
C:\aklr.exe
C:\B.tmp
C:\C.tmp
C:\D.tmp
C:\E.tmp
C:\F.tmp
C:\Program Files\Common Files\lavum\
C:\Program Files\Common Files\lavum521\
C:\sysabsr.exe
C:\sysdksu.exe
C:\sysffqy.exe
C:\syshudd.exe
C:\sysmeyp.exe
C:\sysneur.exe
C:\sysphab.exe
C:\syspnng.exe
C:\sysqmqq.exe
C:\sysrnft.exe
C:\syssbkn.exe
C:\sysvoez.exe
C:\sysvxuo.exe
C:\syswrqv.exe
C:\WINDOWS\bagvdg.exe
C:\WINDOWS\bagzdg.exe
C:\WINDOWS\bakfgdg.exe
C:\WINDOWS\bakidg.exe
C:\WINDOWS\daverx.exe
C:\WINDOWS\davrrx.exe
C:\WINDOWS\dcxxygx.exe
C:\WINDOWS\ddubbv.exe
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\dracve.exe
C:\WINDOWS\mgglp.bat
C:\WINDOWS\system32\mspoold.dll
C:\WINDOWS\system32\mspoolg.dll
C:\WINDOWS\system32\spoolc.exe
C:\WINDOWS\system32\spoolv.exe
C:\WINDOWS\xnnnav.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-10 11:03 . 2007-08-20 05:04 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-10 11:03 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-10 11:03 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-10 11:03 . 2007-08-20 05:04 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-10 11:03 . 2007-08-20 05:04 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-10 11:03 . 2007-08-20 05:04 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-10 11:03 . 2007-08-20 05:04 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-10 11:03 . 2007-08-20 05:04 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-10 11:03 . 2007-08-17 05:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-10 10:59 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-05 15:52 . 2007-12-05 15:52 <DIR> d-------- C:\Program Files\Seagate
2007-12-05 15:52 . 2007-12-05 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2007-12-05 15:50 . 2007-12-05 15:50 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-26 14:19 . 2007-11-26 14:19 <DIR> d--hs---- C:\FOUND.004
2007-11-26 11:34 . 2007-11-26 11:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-26 11:34 . 2007-11-26 11:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-26 11:34 . 2007-11-26 11:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-26 11:33 . 2007-11-26 11:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-26 10:48 . 2007-11-26 10:48 <DIR> d-------- C:\Documents and Settings\Walt\.housecall6.6
2007-11-26 10:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-26 10:42 . 2007-11-26 10:42 <DIR> d-------- C:\Program Files\Java
2007-11-26 10:39 . 2007-11-26 10:39 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-26 10:01 . 2007-11-26 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 12:56 . 2007-11-24 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-24 12:46 . 2007-11-24 12:46 <DIR> d-------- C:\Documents and Settings\Walt\Application Data\Uniblue
2007-11-12 11:47 . 2007-11-29 09:21 291,328 --a------ C:\WINDOWS\system32\libcurl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 20:40 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-26 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-10-26 20:27 --------- d-----w C:\Documents and Settings\Walt\Application Data\GetRightToGo
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-09-07 15:05 246 ----a-w C:\Program Files\Common Files\lavum
2007-09-06 20:17 246 ----a-w C:\Program Files\Common Files\lavum521
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\TEM ----



((((((((((((((((((((((((((((( snapshot@2007-12-10_16.36.19.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 15:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"RIMDeviceManager"="C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-21 10:43]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 12:36]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2003-02-13 10:25]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-27 16:42]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-09-28 15:32]
"CaPPcl"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe" [2007-11-27 16:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Corel MEDIA FOLDERS INDEXER 8.LNK - C:\Corel\Graphics8\Programs\MFIndexer.exe [2004-06-03 17:30:52]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-07-06 12:59:22]
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 21:16:46]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SmcService"=2 (0x2)

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R2 ATNT40K;ActiveTouch NT Appsharing Driver;C:\WINDOWS\system32\DRIVERS\ATNT40K.SYS
R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe"
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 17:27:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 17:29:31 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-10 16:37
.
--- E O F ---

#10 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 12 December 2007 - 02:43 PM

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    File::
    C:\Program Files\Common Files\lavum
    C:\Program Files\Common Files\lavum521
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Posted Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall


#11 Pam Poff

Pam Poff
  • Topic Starter

  • Members
  • 8 posts

Posted 12 December 2007 - 05:19 PM

Here is the combofix log

ComboFix 07-12-09.1 - Walt 2007-12-12 17:17:11.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.58 [GMT -5:00]
Running from: C:\Documents and Settings\Walt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Walt\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\Program Files\Common Files\lavum
C:\Program Files\Common Files\lavum521
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\lavum
C:\Program Files\Common Files\lavum521

.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-10 16:34 . 2007-12-10 16:34 <DIR> d-------- C:\WINDOWS\TEM
2007-12-10 11:03 . 2007-10-10 18:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-10 11:03 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-10 11:03 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-10 11:03 . 2007-10-10 18:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-10 11:03 . 2007-10-10 18:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-10 11:03 . 2007-10-10 18:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-10 11:03 . 2007-10-10 18:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-10 11:03 . 2007-10-10 18:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-10 11:03 . 2007-10-10 05:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-10 10:59 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-05 15:52 . 2007-12-05 15:52 <DIR> d-------- C:\Program Files\Seagate
2007-12-05 15:52 . 2007-12-05 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2007-12-05 15:50 . 2007-12-05 15:50 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-26 14:19 . 2007-11-26 14:19 <DIR> d--hs---- C:\FOUND.004
2007-11-26 11:34 . 2007-11-26 11:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-26 11:34 . 2007-11-26 11:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-26 11:34 . 2007-11-26 11:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-26 11:33 . 2007-11-26 11:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-26 10:48 . 2007-11-26 10:48 <DIR> d-------- C:\Documents and Settings\Walt\.housecall6.6
2007-11-26 10:44 . 2007-11-26 10:44 <DIR> d-------- C:\WINDOWS\Sun
2007-11-26 10:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-26 10:42 . 2007-11-26 10:42 <DIR> d-------- C:\Program Files\Java
2007-11-26 10:39 . 2007-11-26 10:39 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-26 10:01 . 2007-11-26 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 12:56 . 2007-11-24 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-24 12:46 . 2007-11-24 12:46 <DIR> d-------- C:\Documents and Settings\Walt\Application Data\Uniblue
2007-11-12 11:47 . 2007-11-29 09:21 291,328 --a------ C:\WINDOWS\system32\libcurl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 20:40 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-26 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-10-26 20:27 --------- d-----w C:\Documents and Settings\Walt\Application Data\GetRightToGo
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-10_16.36.19.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 15:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 ------w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-08-20 10:04:34 124,928 ------w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 10:04:34 214,528 ------w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-20 10:04:34 132,608 ------w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-20 10:04:34 63,488 ------w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-17 10:20:54 63,488 ------w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-20 10:04:34 153,088 ------w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-20 10:04:36 230,400 ------w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-17 07:34:26 161,792 ------w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-08-20 10:04:36 383,488 ------w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-20 10:04:36 384,512 ------w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-20 10:04:38 6,058,496 ------w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-20 10:04:38 44,544 ------w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-20 10:04:38 267,776 ------w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-17 10:20:54 13,824 ------w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-17 10:21:22 625,152 ------w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-20 10:04:40 27,648 ------w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-20 10:04:40 459,264 ------w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-20 10:04:40 52,224 ------w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-20 20:34:42 3,584,512 ------w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-20 10:04:42 477,696 ------w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-20 10:04:42 193,024 ------w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-20 10:04:42 671,232 ------w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-20 10:04:42 102,400 ------w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-08-20 10:04:42 105,984 ------w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-20 10:04:42 1,152,000 ------w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-20 10:04:42 232,960 ------w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-20 10:04:44 824,832 ------w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
+ 2007-12-12 21:09:40 4,558 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{932BABBD-E351-4F37-ABEF-C68C0CF92F75}.bin
- 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:52 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-07-06 10:05:48 72,960 ------w C:\WINDOWS\system32\dllcache\mqac.sys
+ 2007-07-06 12:47:00 138,240 ------w C:\WINDOWS\system32\dllcache\mqad.dll
+ 2007-07-06 12:47:00 47,104 ------w C:\WINDOWS\system32\dllcache\mqdscli.dll
+ 2007-07-06 12:47:00 16,896 ------w C:\WINDOWS\system32\dllcache\mqise.dll
+ 2007-07-06 12:47:00 660,992 ------w C:\WINDOWS\system32\dllcache\mqqm.dll
+ 2007-07-06 12:47:00 177,152 ------w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:47:00 95,744 ------w C:\WINDOWS\system32\dllcache\mqsec.dll
+ 2007-07-06 12:47:00 48,640 ------w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:47:00 471,552 ------w C:\WINDOWS\system32\dllcache\mqutil.dll
- 2007-08-13 23:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2004-08-04 05:58:20 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:48 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2007-08-20 10:04:34 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:52 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-20 10:04:34 132,608 ------w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:52 132,608 ------w C:\WINDOWS\system32\extmgr.dll
- 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:52 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-17 10:20:54 63,488 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:52 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-20 10:04:36 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:52 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-17 07:34:26 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:56 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2007-08-20 10:04:36 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-20 10:04:36 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-20 10:04:38 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-20 10:04:38 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:56 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:56 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-20 10:04:40 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-04 07:56:42 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
+ 2007-07-06 12:47:00 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
- 2004-08-04 07:56:42 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
+ 2007-07-06 12:47:00 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
- 2004-08-04 07:56:42 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
+ 2007-07-06 12:47:00 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
- 2004-08-04 07:56:42 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
+ 2007-07-06 12:47:00 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
- 2004-08-04 07:56:42 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
+ 2007-07-06 12:47:00 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
- 2004-08-04 07:56:42 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
+ 2007-07-06 12:47:00 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
- 2004-08-04 07:56:42 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
+ 2007-07-06 12:47:00 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
- 2004-08-04 07:56:42 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2007-07-06 12:47:00 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
- 2007-11-02 07:12:58 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-20 10:04:40 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-20 10:04:40 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-20 20:34:42 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-20 10:04:42 477,696 ------w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-20 10:04:42 193,024 ------w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2007-08-20 10:04:42 671,232 ------w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:56:00 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2007-08-20 10:04:42 102,400 ------w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:56:00 102,400 ------w C:\WINDOWS\system32\occache.dll
- 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:12 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:56:00 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-20 10:04:44 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"RIMDeviceManager"="C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-21 10:43]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 12:36]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2003-02-13 10:25]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-27 16:42]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-09-28 15:32]
"CaPPcl"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe" [2007-11-27 16:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Corel MEDIA FOLDERS INDEXER 8.LNK - C:\Corel\Graphics8\Programs\MFIndexer.exe [2004-06-03 17:30:52]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-07-06 12:59:22]
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 21:16:46]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SmcService"=2 (0x2)

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R2 ATNT40K;ActiveTouch NT Appsharing Driver;C:\WINDOWS\system32\DRIVERS\ATNT40K.SYS
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys

.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 17:19:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 17:20:19
C:\ComboFix3.txt ... 2007-12-10 16:37
C:\ComboFix2.txt ... 2007-12-10 17:29
.
--- E O F ---
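The snapshot section of the ComboFix log above pairs a "-" record (a file as it was in the 2007-12-10 snapshot) with a "+" record (the same path now) for every file that changed between the two runs, and lists lone "+" records for new files. The security-relevant reading is whether those changes look like a patch cycle (same-size swaps with newer build dates, additions confined to update staging folders) or like something else. As an added example, not ComboFix's code or anything posted in the thread, here is a small Python parser that joins the records by path, lists replacements whose size changed, and lists additions outside the folders where Windows Update and the IE7 installer drop files. The embedded lines are a subset copied from the log; the "-" = old / "+" = new reading and the update-folder allow-list are my own assumptions about how to interpret the output.

```python
import re
from collections import namedtuple

# Subset of the "snapshot@2007-12-10_16.36.19.03" section copied from the ComboFix log
# above (copied, not constructed). Read here as: '-' is the record from the earlier
# snapshot, '+' the record from the current one, so a '-'/'+' pair for one path is a
# replaced file and a lone '+' is a new file (assumption about the format).
SNAPSHOT = r"""
+ 2007-08-20 10:04:34 124,928 ------w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 10:04:38 6,058,496 ------w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-12-12 21:09:40 4,558 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{932BABBD-E351-4F37-ABEF-C68C0CF92F75}.bin
- 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:52 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-13 23:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2004-08-04 05:58:20 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:48 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2007-08-20 10:04:38 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-11-02 07:12:58 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
.
-- Snapshot reset to current date --
"""

Entry = namedtuple("Entry", "sign timestamp size attrs path")

# sign, 'YYYY-MM-DD HH:MM:SS', size with thousands separators, attribute flags, path (may contain spaces)
LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$"
)

# Folders where Windows Update and the IE7 installer legitimately drop files.
# Assumption: my own allow-list for reading this log, not something ComboFix knows about.
UPDATE_FOLDERS = ("\\ie7updates\\", "\\softwaredistribution\\", "\\$ntuninstall")


def parse_snapshot(text):
    """Return an Entry per '+'/'-' record; separator and banner lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sign, ts, size, attrs, path = m.groups()
            entries.append(Entry(sign, ts, int(size.replace(",", "")), attrs, path))
    return entries


def pair_changes(entries):
    """Join old ('-') and new ('+') records by path, case-insensitively as NTFS does.

    Returns (replaced, added, removed), each keyed by the lower-cased path:
      replaced[key] = (old Entry, new Entry)
      added[key]    = new Entry with no old counterpart
      removed[key]  = old Entry with no new counterpart
    """
    old, new = {}, {}
    for e in entries:
        (old if e.sign == "-" else new)[e.path.lower()] = e
    replaced = {k: (old[k], new[k]) for k in old.keys() & new.keys()}
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    return replaced, added, removed


def size_changed(replaced):
    """Replaced files whose size differs; a same-size swap with a newer build date is the usual patch pattern."""
    return sorted(k for k, (o, n) in replaced.items() if o.size != n.size)


def unexplained_additions(added):
    """New files that did not land in a known update folder and so deserve a look."""
    return sorted(k for k in added if not any(f in k for f in UPDATE_FOLDERS))


if __name__ == "__main__":
    replaced, added, removed = pair_changes(parse_snapshot(SNAPSHOT))
    print("replaced:", len(replaced), "added:", len(added), "removed:", len(removed))
    for k in size_changed(replaced):
        o, n = replaced[k]
        print("size changed:", n.path, o.size, "->", n.size, "(", o.timestamp, "->", n.timestamp, ")")
    print("additions outside update folders:", unexplained_additions(added))
```

On the subset above the only size changes are ieframe.dll and MRT.exe, both replaced by builds dated later than the originals, and every addition sits under ie7updates or SoftwareDistribution, which is what a Windows Update run between the two snapshots looks like; a size change on a system binary with an older build date, or an addition outside those folders, is what you would chase next.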

#12 random/random

  • Malware Response Team
  • 2,704 posts

Posted 12 December 2007 - 05:20 PM

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems


#13 Pam Poff
  • Topic Starter
  • Members
  • 8 posts

Posted 13 December 2007 - 07:51 PM

Here is the ESET scan

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2721 (20071213)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=190a697671a0cc428d5c44284c114093
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-12-13 11:26:50
# local_time=2007-12-13 06:26:50 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=523147
# found=47
# scan_time=4626
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP2\A0002014.sys Win32/TrojanProxy.Agent.NDA trojan 109284A07ABAFE2A672BE7A00BC48AB1
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP2\A0006017.sys Win32/TrojanProxy.Agent.NDA trojan 109284A07ABAFE2A672BE7A00BC48AB1
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP6\A0015017.exe a variant of Win32/TrojanDownloader.Agent.NPQ trojan E996BD6599F2A0387B6764BD882F8963
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024077.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024078.exe Win32/Qhosts trojan 14C30106F0B6DEFD4BC95287A3FF5FEA
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024078.exe »RAR »hosts Win32/Qhosts trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024079.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024080.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024081.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024082.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024083.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024084.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024085.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024086.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024087.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024088.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024089.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024090.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024091.exe probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024099.exe a variant of Win32/TrojanDownloader.Agent.NPQ trojan E996BD6599F2A0387B6764BD882F8963
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024103.dll a variant of Win32/Spy.BZub trojan C3E210784F06E6C5575A82F6A9184730
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024104.dll a variant of Win32/Spy.BZub trojan 283CEDFBBA5CE3A46FE4EBF6F286DE84
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024105.exe Win32/Agent.NHO trojan DD269E03ED85557E1FD7F9BD6D52ADB7
C:\Old C\Program Files\WebSiteViewer\113296.dlr a variant of Win32/Dialer.RAS.D application 82B8BDBFBEE6464AC515C957A3BB9C59
C:\Old C\Program Files\WebSiteViewer\119845.dlr a variant of Win32/Dialer.RAS.D application 4723E69556D09E81189BC71EE41B6010
C:\qoobox\Quarantine\C\sysabsr.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\aklr.exe.vir Win32/Qhosts trojan 14C30106F0B6DEFD4BC95287A3FF5FEA
C:\qoobox\Quarantine\C\aklr.exe.vir »RAR »hosts Win32/Qhosts trojan 00000000000000000000000000000000
C:\qoobox\Quarantine\C\sysdksu.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysffqy.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\syshudd.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysmeyp.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysneur.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysphab.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\syspnng.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysqmqq.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysrnft.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\syssbkn.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysvoez.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysvxuo.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\syswrqv.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\WINDOWS\nwan.dat.vir Win32/TrojanProxy.Agent.NDA trojan 109284A07ABAFE2A672BE7A00BC48AB1
C:\qoobox\Quarantine\C\WINDOWS\ddubbv.exe.vir a variant of Win32/TrojanDownloader.Agent.NPQ trojan E996BD6599F2A0387B6764BD882F8963
C:\qoobox\Quarantine\C\WINDOWS\system32\mspoold.dll.vir a variant of Win32/Spy.BZub trojan C3E210784F06E6C5575A82F6A9184730
C:\qoobox\Quarantine\C\WINDOWS\system32\mspoolg.dll.vir a variant of Win32/Spy.BZub trojan 283CEDFBBA5CE3A46FE4EBF6F286DE84
C:\qoobox\Quarantine\C\WINDOWS\system32\spoolc.exe.vir Win32/Agent.NHO trojan DD269E03ED85557E1FD7F9BD6D52ADB7
C:\qoobox\Quarantine\C\Documents and Settings\Walt\~tmp.exe.vir probably a variant of Win32/TrojanDownloader.Small.AMB trojan C4F9F5DA4BB429B963E49BBC06A48AC1


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:00 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novastarrealestate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TypeItIn.lnk = C:\Program Files\TypeItIn\TypeItIn.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193421590941
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demo.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

--
End of file - 8558 bytes

CA scan shows Bifrost infection when computer is first turned on.
Thanks Pam
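The ESET log above reports 47 hits but gives no breakdown of where they live, and that is the question that decides whether the machine is still infected: a detection inside a System Restore point or inside ComboFix's qoobox quarantine is an inert copy, while a detection anywhere else is a file still in place (the scan was run with Remove found threats unticked, so nothing was deleted). As an added example, my own code rather than ESET's or anything from the thread, here is a Python triage that parses each detection line, splits off nested archive members (the »RAR »hosts entry), classifies each object by location, and reports which hashes appear in more than one place. The embedded lines are a subset copied from the log; the location rules and the treatment of the all-zero MD5 as "no hash" are assumptions from reading this log, not documented ESET behaviour.

```python
import re
from collections import Counter, defaultdict

# Subset of the ESET Online Scanner log posted above (copied, not constructed),
# kept short so the triage is easy to follow. '# key=value' lines are the log header.
ESET_LOG = r"""
# found=47
# remove_checked=false
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP2\A0002014.sys Win32/TrojanProxy.Agent.NDA trojan 109284A07ABAFE2A672BE7A00BC48AB1
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024078.exe Win32/Qhosts trojan 14C30106F0B6DEFD4BC95287A3FF5FEA
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024078.exe »RAR »hosts Win32/Qhosts trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{14874350-B584-4C0B-8A8D-8E53BB0D9100}\RP14\A0024103.dll a variant of Win32/Spy.BZub trojan C3E210784F06E6C5575A82F6A9184730
C:\Old C\Program Files\WebSiteViewer\113296.dlr a variant of Win32/Dialer.RAS.D application 82B8BDBFBEE6464AC515C957A3BB9C59
C:\Old C\Program Files\WebSiteViewer\119845.dlr a variant of Win32/Dialer.RAS.D application 4723E69556D09E81189BC71EE41B6010
C:\qoobox\Quarantine\C\sysabsr.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\sysdksu.exe.vir probably a variant of Win32/TrojanDropper.Agent trojan B17CA5E1845607C47820CA1281C20BAB
C:\qoobox\Quarantine\C\WINDOWS\system32\mspoold.dll.vir a variant of Win32/Spy.BZub trojan C3E210784F06E6C5575A82F6A9184730
C:\qoobox\Quarantine\C\Documents and Settings\Walt\~tmp.exe.vir probably a variant of Win32/TrojanDownloader.Small.AMB trojan C4F9F5DA4BB429B963E49BBC06A48AC1
"""

# <object with spaces> <detection name, optionally prefixed> <kind> <32 hex MD5>
# The detection name is anchored on the 'Family/Name' token so the path boundary is unambiguous.
RECORD_RE = re.compile(
    r"^(?P<object>.+?)\s+"
    r"(?P<name>(?:probably a variant of |a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>\S+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
NO_HASH = "0" * 32   # what this log shows for the member inside the RAR archive (assumption: no hash)


def classify(path):
    """Where the detected object lives; only 'on_disk' hits can still run."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"          # System Restore copy, inert until someone restores it
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"    # ComboFix already moved it aside and renamed it .vir
    return "on_disk"                    # anything else is still a real file in place


def parse_eset_log(text):
    """Return one dict per detection line; blank and '#' header lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        # Nested objects are written '<file> »RAR »member'; split the chain off the file path.
        path, _, chain = m.group("object").partition(" »")
        records.append({
            "path": path,
            "archive_chain": chain.split(" »") if chain else [],
            "name": m.group("name"),
            "kind": m.group("kind"),
            "md5": m.group("md5").upper(),
            "location": classify(path),
        })
    return records


def summarize(records):
    """Counts per location, unique real hashes, hashes seen in several places, and live paths."""
    by_location = Counter(r["location"] for r in records)
    locations_by_hash = defaultdict(set)
    for r in records:
        if r["md5"] != NO_HASH:
            locations_by_hash[r["md5"]].add(r["location"])
    overlap = {h: locs for h, locs in locations_by_hash.items() if len(locs) > 1}
    return {
        "by_location": dict(by_location),
        "unique_samples": len(locations_by_hash),
        "same_sample_in_several_places": overlap,
        "still_on_disk": [r["path"] for r in records if r["location"] == "on_disk"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_eset_log(ESET_LOG)).items():
        print(key, value)
```

Run over the full 47-line log the picture is the same as on the subset: every hit is in a restore point or in the qoobox quarantine except the two .dlr dialer files under C:\Old C\Program Files\WebSiteViewer, which ESET left in place because removal was unticked. The hash overlap (the same Spy.BZub sample both in RP14 and in quarantine as mspoold.dll.vir) shows that the restore-point copies are the files ComboFix already removed, so clearing old restore points and deleting the quarantine folder is what remains once the on-disk files are dealt with.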

#14 random/random

  • Malware Response Team
  • 2,704 posts

Posted 14 December 2007 - 02:12 PM

CA scan shows Bifrost infection when computer is first turned on.


Does CA produce a log that you can post?

#15 Pam Poff
  • Topic Starter
  • Members
  • 8 posts

Posted 17 December 2007 - 12:24 PM

Bifrost seems to have gone away. Thank You for all your help. Have a Merry Christmas and a Happy New Year.



