
Ghost Screen Scanner


8 replies to this topic

#1 altered


Posted 29 November 2007 - 03:11 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:51 AM, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\m.2800AMD\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1195884609531
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RIESFC - Unknown owner - C:\DOCUME~1\m\LOCALS~1\Temp\RIESFC.exe (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 5678 bytes


#2 -David-


Posted 16 December 2007 - 04:31 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.

#3 altered


Posted 18 December 2007 - 12:21 AM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.


All the preliminary steps have been done.


I have an issue with an undetected Trojan/screen capture that my anti-virus software
does not detect. I'm running Sophos AV. I got hacked last year and have had
this problem since.

Every so often the mouse dances around the screen on its own to all 4 corners
of the screen, a beep occurs on the speakers and then the drive runs, so on
the advice of some Windows programmers at work I installed Process
Monitor (procmon.exe) and I think I have captured the event.

Description:
Company:
Name: System
Version:
Path: System
Command Line:
PID: 4
Parent PID: 0
Session ID: 0
User: NT AUTHORITY\SYSTEM
Auth ID: 00000000:000003e7
Architecture: 32-bit
Virtualized: n/a
Integrity: n/a
Started: 12/12/2007 11:18:00 PM
Ended: (Running)
Modules:
ntdll.dll 0x7C900000 0xB0000 C:\WINDOWS\system32\ntdll.dll
ntkrnlpa.exe 0x804D7000 0x1F6580 C:\WINDOWS\system32\ntkrnlpa.exe
hal.dll 0x806CE000 0x20380 C:\WINDOWS\system32\hal.dll
kmixer.sys 0xA72F5000 0x2B000 C:\WINDOWS\system32\drivers\kmixer.sys
LVCodek2.dll 0xA73C0000 0x68000 C:\WINDOWS\system32\DRIVERS\LVCodek2.dll
LVCam2.dll 0xA744A000 0x13000 C:\WINDOWS\system32\DRIVERS\LVCam2.dll
HTTP.sys 0xA785C000 0x41000 C:\WINDOWS\System32\Drivers\HTTP.sys
STREAM.SYS 0xA7955000 0xC000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS
srv.sys 0xA7AA5000 0x52000 C:\WINDOWS\system32\DRIVERS\srv.sys
Cdfs.SYS 0xA7D48000 0x10000 C:\WINDOWS\System32\Drivers\Cdfs.SYS
wdmaud.sys 0xA7E0B000 0x15000 C:\WINDOWS\system32\drivers\wdmaud.sys
mrxdav.sys 0xA7E48000 0x2D000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Fastfat.SYS 0xAA53D000 0x23000 C:\WINDOWS\System32\Drivers\Fastfat.SYS
sysaudio.sys 0xAA5A8000 0xF000 C:\WINDOWS\system32\drivers\sysaudio.sys
rdbss.sys 0xAA697000 0x2B000 C:\WINDOWS\system32\DRIVERS\rdbss.sys
netbt.sys 0xAA6E4000 0x28000 C:\WINDOWS\system32\DRIVERS\netbt.sys
ipsec.sys 0xAA764000 0x13000 C:\WINDOWS\system32\DRIVERS\ipsec.sys
mouhid.sys 0xAA7D8000 0x3000 C:\WINDOWS\system32\DRIVERS\mouhid.sys
hidusb.sys 0xAA7E0000 0x3000 C:\WINDOWS\system32\DRIVERS\hidusb.sys
dxg.sys 0xBF000000 0x12000 C:\WINDOWS\System32\drivers\dxg.sys
ati2cqag.dll 0xBF057000 0x7A000 C:\WINDOWS\System32\ati2cqag.dll
atiok3x2.dll 0xBF13D000 0x2E000 C:\WINDOWS\System32\atiok3x2.dll
ativvaxx.dll 0xBF468000 0x186000 C:\WINDOWS\System32\ativvaxx.dll
win32k.sys 0xBF800000 0x1C3000 C:\WINDOWS\System32\win32k.sys
update.sys 0xF6D92000 0x34000 C:\WINDOWS\system32\DRIVERS\update.sys
rasacd.sys 0xF6DDE000 0x3000 C:\WINDOWS\system32\DRIVERS\rasacd.sys
rdpdr.sys 0xF6DEE000 0x31000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys
psched.sys 0xF6EBF000 0x11000 C:\WINDOWS\system32\DRIVERS\psched.sys
senfilt.sys 0xF6EE7000 0x5E000 C:\WINDOWS\system32\drivers\senfilt.sys
portcls.sys 0xF6F65000 0x24000 C:\WINDOWS\system32\drivers\portcls.sys
parport.sys 0xF6FC9000 0x14000 C:\WINDOWS\system32\DRIVERS\parport.sys
ks.sys 0xF7000000 0x23000 C:\WINDOWS\system32\DRIVERS\ks.sys
ati2mtag.sys 0xF7037000 0x28A000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Dxapi.sys 0xF72C9000 0x3000 C:\WINDOWS\System32\drivers\Dxapi.sys
NDIS.sys 0xF7324000 0x2D000 C:\WINDOWS\System32\Drivers\NDIS.sys
KSecDD.sys 0xF73DE000 0x17000 C:\WINDOWS\System32\Drivers\KSecDD.sys
fltMgr.sys 0xF7407000 0x20000 C:\WINDOWS\System32\Drivers\fltMgr.sys
atapi.sys 0xF743F000 0x18000 C:\WINDOWS\System32\Drivers\atapi.sys
ftdisk.sys 0xF747D000 0x1F000 C:\WINDOWS\System32\Drivers\ftdisk.sys
ACPI.sys 0xF74AD000 0x2E000 C:\WINDOWS\System32\Drivers\ACPI.sys
isapnp.sys 0xF75DC000 0x9000 C:\WINDOWS\System32\Drivers\isapnp.sys
MountMgr.sys 0xF75EC000 0xB000 C:\WINDOWS\System32\Drivers\MountMgr.sys
VolSnap.sys 0xF75FC000 0xD000 C:\WINDOWS\System32\Drivers\VolSnap.sys
viamraid.sys 0xF760C000 0xF000 C:\WINDOWS\System32\Drivers\viamraid.sys
disk.sys 0xF761C000 0x9000 C:\WINDOWS\System32\Drivers\disk.sys
CLASSPNP.SYS 0xF762C000 0xD000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
gagp30kx.sys 0xF763C000 0xC000 C:\WINDOWS\System32\Drivers\gagp30kx.sys
Fips.SYS 0xF766C000 0x9000 C:\WINDOWS\System32\Drivers\Fips.SYS
wanarp.sys 0xF767C000 0x9000 C:\WINDOWS\system32\DRIVERS\wanarp.sys
HIDCLASS.SYS 0xF76AC000 0x9000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
imapi.sys 0xF770C000 0xB000 C:\WINDOWS\system32\DRIVERS\imapi.sys
cdrom.sys 0xF771C000 0xD000 C:\WINDOWS\system32\DRIVERS\cdrom.sys
redbook.sys 0xF772C000 0xF000 C:\WINDOWS\system32\DRIVERS\redbook.sys
i8042prt.sys 0xF773C000 0xD000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys
drmk.sys 0xF775C000 0xF000 C:\WINDOWS\system32\drivers\drmk.sys
fetnd5bv.sys 0xF776C000 0xB000 C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
processr.sys 0xF777C000 0x9000 C:\WINDOWS\system32\DRIVERS\processr.sys
rasl2tp.sys 0xF778C000 0xD000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
raspppoe.sys 0xF779C000 0xB000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys
raspptp.sys 0xF77AC000 0xC000 C:\WINDOWS\system32\DRIVERS\raspptp.sys
msgpc.sys 0xF77BC000 0x9000 C:\WINDOWS\system32\DRIVERS\msgpc.sys
termdd.sys 0xF77CC000 0xA000 C:\WINDOWS\system32\DRIVERS\termdd.sys
NDProxy.SYS 0xF780C000 0xA000 C:\WINDOWS\System32\Drivers\NDProxy.SYS
usbhub.sys 0xF781C000 0xF000 C:\WINDOWS\system32\DRIVERS\usbhub.sys
savonaccessfilter.sys 0xF783C000 0x9000 C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys
netbios.sys 0xF784C000 0x9000 C:\WINDOWS\system32\DRIVERS\netbios.sys
PCIIDEX.SYS 0xF785C000 0x7000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
PartMgr.sys 0xF7864000 0x5000 C:\WINDOWS\System32\Drivers\PartMgr.sys
usbuhci.sys 0xF78BC000 0x5000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys
usbehci.sys 0xF78C4000 0x7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys
kbdclass.sys 0xF78CC000 0x6000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys
TDI.SYS 0xF78D4000 0x5000 C:\WINDOWS\system32\DRIVERS\TDI.SYS
ptilink.sys 0xF78DC000 0x5000 C:\WINDOWS\system32\DRIVERS\ptilink.sys
raspti.sys 0xF78E4000 0x5000 C:\WINDOWS\system32\DRIVERS\raspti.sys
mouclass.sys 0xF78EC000 0x6000 C:\WINDOWS\system32\DRIVERS\mouclass.sys
vga.sys 0xF791C000 0x6000 C:\WINDOWS\System32\drivers\vga.sys
Msfs.SYS 0xF7924000 0x5000 C:\WINDOWS\System32\Drivers\Msfs.SYS
Npfs.SYS 0xF792C000 0x8000 C:\WINDOWS\System32\Drivers\Npfs.SYS
HIDPARSE.SYS 0xF7944000 0x7000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
watchdog.sys 0xF7954000 0x5000 C:\WINDOWS\System32\watchdog.sys
PROCMON11.SYS 0xF79A4000 0x8000 C:\WINDOWS\system32\Drivers\PROCMON11.SYS
BOOTVID.dll 0xF79EC000 0x3000 C:\WINDOWS\system32\BOOTVID.dll
sbhr.sys 0xF79F0000 0x3000 C:\WINDOWS\System32\Drivers\sbhr.sys
cdrbsdrv.SYS 0xF7A94000 0x4000 C:\WINDOWS\System32\Drivers\cdrbsdrv.SYS
ndistapi.sys 0xF7AA0000 0x3000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys
mssmbios.sys 0xF7ABC000 0x4000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys
WMILIB.SYS 0xF7ADE000 0x2000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
dmload.sys 0xF7AE2000 0x2000 C:\WINDOWS\System32\Drivers\dmload.sys
USBD.SYS 0xF7B0A000 0x2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS
ParVdm.SYS 0xF7B10000 0x2000 C:\WINDOWS\System32\Drivers\ParVdm.SYS
Beep.SYS 0xF7B1E000 0x2000 C:\WINDOWS\System32\Drivers\Beep.SYS
RDPCDD.sys 0xF7B22000 0x2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
dump_WMILIB.SYS 0xF7B26000 0x2000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
audstub.sys 0xF7BA9000 0x1000 C:\WINDOWS\system32\DRIVERS\audstub.sys
Null.SYS 0xF7C0A000 0x1000 C:\WINDOWS\System32\Drivers\Null.SYS
aslm75.sys 0xF7C15000 0x1000 C:\WINDOWS\system32\drivers\aslm75.sys
dxgthk.sys 0xF7D11000 0x1000 C:\WINDOWS\System32\drivers\dxgthk.sys


It appears to be using the Logitech cam drivers; for no reason the webcam is
disconnected from the system.


Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:42 PM, on 16/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\m.2800AMD\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1195884609531
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RIESFC - Unknown owner - C:\DOCUME~1\m\LOCALS~1\Temp\RIESFC.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 5851 bytes

Edited by altered, 18 December 2007 - 12:24 AM.
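The helpers in this thread read the HijackThis log by eye for a few cues: a service with no registered owner, a service whose binary is missing, a binary launched from a Temp directory, and a remote-capture listener such as rpcapd. As an added example (not a HijackThis or BleepingComputer tool, and not code from anyone in the thread), the script below applies those same cues to O23 and O4 lines; the sample lines are copied from the logs posted above, and the rules and names are my own.

```python
"""Triage of HijackThis O4 / O23 lines: flag the entries worth a closer look.

Added example for this thread. The rules are deliberately simple and mirror
what a forum helper checks first; they do not decide that anything is malware.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: RIESFC - Unknown owner - C:\DOCUME~1\m\LOCALS~1\Temp\RIESFC.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

O23_PREFIX = "O23 - Service: "
# O4 - <hive>: [<name>] "<path.exe>" <args>   (quotes optional)
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)', re.I)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    line: str
    item: str                      # service name or Run-key value name
    path: str
    reasons: List[str] = field(default_factory=list)


def _check_path(path: str, reasons: List[str]) -> None:
    if TEMP_DIR_RE.search(path):
        reasons.append("binary located under a Temp directory")


def triage_o23(line: str) -> Finding:
    """Parse 'O23 - Service: <name> - <owner> - <path>[ (file missing)]'."""
    body = line[len(O23_PREFIX):]
    # Service names may themselves contain ' - ', so split from the right:
    # the last two fields are always owner and path.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return Finding(line, body, "", ["unparseable O23 line"])
    name, owner, path = parts
    f = Finding(line, name, path)
    if owner.lower() == "unknown owner":
        f.reasons.append("service has no registered owner/company")
    if path.endswith(FILE_MISSING):
        f.reasons.append("service registered but binary missing (orphaned or self-deleted)")
        f.path = path[: -len(FILE_MISSING)].rstrip()
    _check_path(f.path, f.reasons)
    if "remote packet capture" in name.lower():
        f.reasons.append("remote packet-capture listener; confirm it was installed deliberately")
    return f


def triage_o4(line: str) -> Optional[Finding]:
    """Parse a Run-key O4 line; Global Startup .lnk lines do not match and are skipped."""
    m = O4_RE.match(line)
    if not m:
        return None
    f = Finding(line, m.group("name"), m.group("path"))
    _check_path(f.path, f.reasons)
    return f


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that tripped at least one rule, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        f: Optional[Finding] = None
        if line.startswith(O23_PREFIX):
            f = triage_o23(line)
        elif line.startswith("O4 - "):
            f = triage_o4(line)
        if f is not None and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample above only the RIESFC service (three rules) and rpcapd (one rule) are reported; the ATI, Sophos and Run-key entries pass untouched.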


#4 -David-


Posted 18 December 2007 - 12:25 PM

Please download ComboFix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#5 altered


Posted 19 December 2007 - 01:29 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:37 PM, on 18/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\m.2800AMD\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1195884609531
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RIESFC - Unknown owner - C:\DOCUME~1\m\LOCALS~1\Temp\RIESFC.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 5645 bytes


ComboFix 07-12-19.2 - m 2007-12-18 23:19:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.518 [GMT -7:00]
Running from: C:\Documents and Settings\m.2800AMD\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-10 21:44 . 2007-12-10 21:44 <DIR> d-------- C:\Documents and Settings\m.2800AMD\Application Data\Wireshark
2007-12-10 21:16 . 2007-12-11 00:18 <DIR> d-------- C:\Documents and Settings\m.2800AMD\Application Data\gtk-2.0
2007-12-10 21:13 . 2007-12-13 00:36 <DIR> d-------- C:\processmon
2007-12-10 20:56 . 2007-12-10 20:57 <DIR> d-------- C:\Program Files\Wireshark
2007-12-01 22:58 . 2007-12-01 22:58 <DIR> d-------- C:\Program Files\Resource Kit
2007-11-28 23:05 . 2007-11-28 23:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-28 23:05 . 2007-11-28 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 23:04 . 2007-11-28 23:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-27 22:54 . 2007-11-27 22:54 <DIR> d-------- C:\Documents and Settings\m.2800AMD\Application Data\SolidWorks
2007-11-26 20:22 . 2007-11-26 20:22 <DIR> d-------- C:\Documents and Settings\m.2800AMD\Application Data\Printer Info Cache
2007-11-26 20:22 . 2007-11-26 20:22 <DIR> d-------- C:\Documents and Settings\m.2800AMD\Application Data\Image Zone Express
2007-11-25 22:36 . 2007-11-25 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-25 22:35 . 2007-11-30 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-25 22:35 . 2007-11-25 22:35 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-25 22:33 . 2007-11-25 22:33 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-25 22:33 . 2007-11-25 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-23 23:18 . 2007-11-23 23:18 <DIR> d-------- C:\temp\Security Update for Windows XP (KB943460)
2007-11-23 23:18 . 2007-11-23 23:18 <DIR> d-------- C:\temp\Security Update for Windows XP (KB923810)
2007-11-23 23:16 . 2007-11-23 23:20 <DIR> d-------- C:\temp\Windows Internet Explorer 7 for Windows XP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 02:49 --------- d-----w C:\Documents and Settings\m.2800AMD\Application Data\OpenOffice.org2
2007-12-11 05:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-11 03:57 --------- d-----w C:\Program Files\WinPcap
2007-11-29 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 05:37 --------- d-----w C:\Program Files\QuickTime
2007-11-18 09:02 --------- d-----w C:\Program Files\EssNetTools
2007-11-18 08:17 --------- d-----w C:\Program Files\Create-Ringtone
2007-11-18 06:53 --------- d-----w C:\Program Files\Sophos
2007-11-18 06:53 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 05:14 240 ----a-w C:\WINDOWS\system32\drivers\vsconfig.xml
2007-11-02 05:19 --------- d-----w C:\Program Files\Race To Mars
2007-11-02 05:19 --------- d-----w C:\Program Files\Common Files\DirectX
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 02:44 --------- d-----w C:\Documents and Settings\m.2800AMD\Application Data\AdobeUM
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-27 01:17 --------- d-----w C:\Program Files\HP
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-09-29 09:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 09:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 09:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 09:06 2,456,064 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-09-29 08:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 08:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 08:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 08:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 08:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 08:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 08:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 08:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 08:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 08:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 08:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 08:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 08:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 08:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 08:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-03-04 22:36 21,676,326 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_04_14_50_17_full.dmp.zip
2007-03-04 22:34 21,676,783 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_04_14_50_05_full.dmp.zip
2007-03-02 01:09 21,644,618 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_02_27_23_20_53_full.dmp.zip
2007-02-25 05:29 18,586,508 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_02_24_22_27_10_full.dmp.zip
2007-02-16 21:57 22,135,569 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_02_16_01_11_06_full.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2006-02-28 05:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-16 21:40]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^m^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\m\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 --a------ c:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2001-09-06 18:10 94208 --a------ C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
C:\Program Files\Prevx1\PXConsole.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 03:23 75520 --a------ C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SwPrv"=3 (0x3)
"SBCSSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2007-02-21 22:41]
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-06-20 03:53]
R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-09-10 05:09]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-09-10 05:08]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-09-21 10:24]
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys [2005-08-10 08:48]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\1E3.tmp []
S3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-09-06 06:12]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 17:01]
S3 RIESFC;RIESFC;C:\DOCUME~1\m\LOCALS~1\Temp\RIESFC.exe []
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S4 DT;DT;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DT.exe []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SAVADMINSERVICE
*Newly Created Service* - SAVSERVICE
.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 17:13:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-17 09:23:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 23:20:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
.
Completion time: 2007-12-18 23:20:45
C:\ComboFix2.txt ... 2007-12-18 23:14
.
2007-12-19 02:49:49 --- E O F ---

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:07:42 PM

Posted 21 December 2007 - 08:25 AM

Interesting, there is nothing wrong here at all. :thumbsup:
Let's try one more scan, but we conclude that it's not a security problem.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready; click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new HijackThis log.

#7 altered

altered
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 22 December 2007 - 02:52 PM

I suspect we are dealing with an unknown virus, so none of the AV tools pick it up.

When I got hacked the BIOS got infected and I had to replace the motherboard to cure that problem; adding a robust h/w firewall stopped that from re-occurring. The virus keeps trying to call home in China according to my firewall logs.

What next?


Saturday, December 22, 2007 11:08:18 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/12/2007
Kaspersky Anti-Virus database records: 491543
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 91139
Number of viruses found 1
Number of infected objects 8
Number of suspicious objects 0
Duration of the scan process 01:41:49

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0a29cd051edfe7982fc9e14b5e0818ad_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0b37a513758061d288c438710419645d_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\18ed1ce3e91f215cb05a2578fd928ac8_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2096f93c0e0b4b9e4347b631e966fa1e_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\74e35d3a96182a549f58f339e51e226a_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a2d10eb16dc8d688e66aa0b2e14d8c6_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7c51bd50d4417cbdb37cbf5a212477bc_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bc905c6249bd3b0807db638b865ea07b_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c36b5875f5622c1d7e21bb64c450667e_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c68b9e6280e3cac5ba4b9d0f681e3b73_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cd365a33ee6aeacbeba617367f76b13c_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dbf0fb095bb3254e4867e402d497c19d_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fda30d047eac5eb094377902de4d2dbe_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ff981dbc659a8a3ec760d879a31cf46c_efa05744-1b28-400c-913b-050cb970ab36 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03012007-185531.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\m.2800AMD\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{219B1EFD-1074-4D09-9C75-72B3BDFFB138} Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007112620071203\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007120320071210\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007121020071217\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007121720071218\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007121820071219\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007121920071220\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007122020071221\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007122120071222\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\History\History.IE5\MSHist012007122220071223\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\m.2800AMD\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\m.2800AMD\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\TMP00000028DEF11567E8D9E782 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:50 PM, on 22/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\m.2800AMD\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1195884609531
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RIESFC - Unknown owner - C:\DOCUME~1\m\LOCALS~1\Temp\RIESFC.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 5827 bytes

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:07:42 PM

Posted 22 December 2007 - 04:20 PM

Ok, I'll be honest and give you my first impressions.
I don't think this is a problem caused by malware, but let me get some more info from you.
I need more information about what you said here:

I got hacked last year and have had this problem since.

Also, I think the following is not related to malware - no malware I've heard of would do something like this. It sounds like you have something caught in an installation loop, perhaps a faulty laser mouse, or problems of that kind:

Ever so often the mouse dances around the screen on its own to all 4 corners of the screen, a beep occurs on the speakers and then the drive runs

Let me know.. :thumbsup:

#9 altered

altered
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 23 December 2007 - 01:02 AM

Thanks for taking an interest...

This may be a bit of a long explanation - please hang in there..

It started Nov/06 when I went to log off and found another user logged onto my system (was running win2k sp4). The system was really slowing down. So I started looking under the hood... and found that the MBR had been messed with and that a ghost OS was being loaded from BIOS before calling and loading Windows. With help from a Windows programmer at work I redid the MBR and then the @#!$ hit the fan... The system would not boot at all .. this is how I found out the BIOS was infected, since it was trying to find the trojan on the HD (the BIOS just had enough smarts to go load the trojan) but since the MBR had been fixed it could no longer find the code to load. So this started the long and painful process - new motherboard (I still have the infected one), full C: & D: low level drive reformat (a regular format would not clean the trojan off the drive), new Windows install, now Win XP Pro (one of many re-installs), and everything is good until I slave in my data drive, which I cannot wipe due to the data contained on it - it's critical and I can't lose it.

So after giving up on Symantec and their useless service.. I bought Sophos AV and it cleaned up about 3 residual problems, leaving hopefully just one I'm trying to get rid of. I believe that what is left is just the residual "call home for the full d/l" part of the trojan.

Also I have installed a robust h/w firewall which is preventing the package from being delivered and completely reinfecting the system.


I worked on this for nearly 8 weeks until I gave up - I tried to get help everywhere I could - but I think it's an unknown bug that we're looking for.

I have captured the processes that execute when it runs (which is sporadically) with procmon and posted them above. What I don't know is what is triggering the process. The symptoms are when certain files/programs are open (it seems to be random) the mouse will rapidly run to all 4 corners of the screen and then beep - then return to the original location - this happens even if I am not touching the mouse. If I am moving the mouse then it snaps quickly to where I'm pointing it. Perhaps I'm going to have to hook up a DVDR to the monitor output to show folks what's happening.

I have run rootkit finders from both MS and Sophos with no luck.

I had a utility at one point in time that logged the boot process coming out of BIOS.. but it got lost with one of the rebuilds and I can't seem to find it on the net any more.

When I boot into safe mode the loader brings up 2 positions:

blank
WinXP

Choosing the blank location does nothing - but I bet if I connected the system to the net without the firewall the original issue would come home like right now.

Earlier this year I transferred a file from the infected system to another system to print off a document and then later heard that their firewall started going nuts like mine did when I first put it up.

So the bug's here somewhere.

Last night I ran Windows OneCare and it at least cleaned up the registry so the system's a bit more agile now.

Thanks
M

PS: If I had known at the start of this that the problem was this tough I would have taken an image of the drive - so the problem could be recreated in a lab somewhere - but I had no idea what I was up against at that time.

Edited by altered, 23 December 2007 - 01:27 AM.
