
Trojan Horse Generic And 'virus Found Lop'


24 replies to this topic

#1 anonymous?



Posted 23 December 2007 - 08:43 AM

Hi, I've got some problems with a virus. It makes random-named DLLs in the /system32 folder, which get deleted by AVG; it says they are 'virus found lop'.
And there is a Trojan Horse Generic 9 which tries to spread too. It infects files like reader_sl.exe (from Adobe) and iaanotif.exe.
The trojans seem to be '\system32\mllmk.exe' and '\temporary internet files\...\css4[1]', which are deleted.
css4 keeps replacing itself though.
There is also a Windows error, saying it can't open mllmk.exe on startup.

I have tried a full scan with AVG Free, an online Panda scan, Spybot Search & Destroy, AVG Anti-Rootkit, AVG Anti-Spyware and ZoneAlarm.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:42:51, on 23/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.caiman.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pandora.be:8080/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllmk.exe
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\<User>\recording programs\SnagIt 8.2.2\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {552026EF-8245-4BFB-9F28-6CCB8FBCA048} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7555906D-70F1-4FD6-8250-4FBE75252F58} - C:\WINDOWS\system32\ssqqrpm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\<User>\recording programs\SnagIt 8.2.2\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O14 - IERESET.INF: START_PAGE_URL=http://www.pandora.be
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180543191875
O20 - Winlogon Notify: ssqqrpm - C:\WINDOWS\SYSTEM32\ssqqrpm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Capture Device Service - Unknown owner - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7185 bytes


Edited by computerxpds, 28 May 2015 - 09:18 AM.
Removed Name as requested by user



#2 Buckeye_Sam


    Malware Expert



Posted 23 December 2007 - 08:45 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 anonymous?

  • Topic Starter


Posted 23 December 2007 - 09:37 AM

I ran ComboFix; everything seemed to go fine. It restarted my computer after scanning and began to make a log, but I lost the internet connection on that PC. So I restarted again, which took a long time, but I still don't have an internet connection.


Here's the log (some things are in Dutch, which is the default language on my PC :blink: ):


ComboFix 07-12-21.4 - <User> 2007-12-23 14:54:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.1491 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\<User>\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\outerinfo
C:\Program Files\outerinfo\outerinfo.ico
C:\WINDOWS\system32\kmllm.ini
C:\WINDOWS\system32\kmllm.ini2
C:\WINDOWS\system32\ssqqrpm.dll
C:\WINDOWS\system32\winsys.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-11-23 to 2007-12-23 ))))))))))))))))))))))))))))))
.

2007-12-18 18:25 . 2007-12-18 18:25 179,941 --a------ C:\WINDOWS\system32\LEX.rar
2007-12-17 15:26 . 2007-12-21 14:23 <DIR> d-------- C:\Program Files\Universe At War Earth Assault
2007-12-17 13:05 . 2007-12-17 13:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-16 23:49 . 2007-12-16 23:49 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-16 23:29 . 2007-12-16 23:29 <DIR> d-------- C:\Documents and Settings\<User>\Application Data\Talkback
2007-12-16 23:28 . 2007-12-16 23:28 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-16 23:05 . 2007-12-16 23:05 <DIR> d-------- C:\Documents and Settings\<User>\Application Data\InstallShield
2007-12-16 20:49 . 2007-12-16 21:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-16 11:30 . 2007-12-23 15:07 13,287,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-16 11:30 . 2007-12-23 15:02 156,740 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-16 11:27 . 2007-12-16 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-16 11:25 . 2007-12-23 13:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-16 01:18 . 2007-12-16 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-16 01:10 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-15 22:11 . 2007-12-15 22:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-15 22:11 . 2007-12-15 22:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-15 19:17 . 2007-12-15 19:17 <DIR> d-------- C:\Program Files\DIFX
2007-12-15 19:01 . 2007-12-15 19:01 <DIR> d-------- C:\WINDOWS\system32\xlive
2007-12-15 19:01 . 2007-12-15 19:01 <DIR> d-------- C:\Program Files\Sega
2007-12-14 00:33 . 2007-12-15 23:02 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2007-12-14 00:33 . 2007-12-14 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-13 14:37 . 2007-12-15 23:31 <DIR> d-------- C:\Program Files\MagicISO
2007-12-13 14:10 . 2007-12-13 14:41 <DIR> d-------- C:\Program Files\Sun age
2007-12-12 21:46 . 2006-03-07 16:32 100,400 -ra------ C:\WINDOWS\system32\drivers\slabser.sys
2007-12-12 21:46 . 2006-03-07 16:32 6,240 -ra------ C:\WINDOWS\system32\drivers\slabcmnt.sys
2007-12-12 21:46 . 2006-03-07 16:32 6,240 -ra------ C:\WINDOWS\system32\drivers\slabcm.sys
2007-12-12 21:45 . 2006-03-07 16:32 66,672 -ra------ C:\WINDOWS\system32\drivers\slabbus.sys
2007-12-12 21:45 . 2006-02-28 14:30 47,616 -ra------ C:\WINDOWS\system32\slabunin2k.exe
2007-12-12 21:45 . 2006-03-07 16:32 5,872 -ra------ C:\WINDOWS\system32\drivers\slabwhnt.sys
2007-12-12 21:45 . 2006-03-07 16:32 5,872 -ra------ C:\WINDOWS\system32\drivers\slabwh.sys
2007-12-12 21:45 . 2006-04-03 14:11 101 -ra------ C:\WINDOWS\system32\slabunin.u2k
2007-12-10 20:03 . 2007-12-10 20:03 <DIR> d-------- C:\Program Files\DivX
2007-12-06 20:33 . 2007-12-06 20:33 <DIR> d-------- C:\Documents and Settings\<User>\Application Data\DivX
2007-12-04 02:33 . 2007-12-04 02:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 02:33 . 2007-12-04 02:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 02:33 . 2007-12-04 02:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 02:33 . 2007-12-04 02:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-04 02:33 . 2007-12-04 02:33 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2007-12-03 18:44 . 2007-12-03 18:50 22 --a------ C:\WINDOWS\ShellIcon32.dll
2007-11-29 23:30 . 2007-11-29 23:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 23:30 . 2007-11-29 23:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-11-29 23:30 . 2007-11-29 23:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-11-29 23:30 . 2007-11-29 23:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-11-29 23:30 . 2007-11-29 23:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-29 23:28 . 2007-11-29 23:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-29 23:28 . 2007-11-29 23:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-29 23:28 . 2007-11-29 23:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-29 23:28 . 2007-11-29 23:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-28 22:55 . 2007-11-28 22:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 22:53 . 2007-11-28 22:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 22:53 . 2007-11-28 22:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-28 22:53 . 2007-11-28 22:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-28 22:53 . 2007-11-28 22:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-28 22:53 . 2007-11-28 22:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-28 22:53 . 2007-11-28 22:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 22:52 . 2007-11-28 22:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-25 12:24 . 2007-11-25 12:24 <DIR> d-------- C:\Program Files\C&C 3 Kane Edition
2007-11-25 11:55 . 2007-11-25 12:06 <DIR> d-------- C:\Program Files\Anno 1701

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-23 12:13 --------- d-----w C:\Documents and Settings\<User>\Application Data\uTorrent
2007-12-17 14:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 22:10 --------- d-----w C:\Program Files\EA Games
2007-12-16 22:06 --------- d-----w C:\Program Files\Empire Earth III
2007-12-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 22:54 --------- d-----w C:\Program Files\uTorrent
2007-12-15 22:34 --------- d-----w C:\Program Files\MSN Messenger
2007-12-15 22:27 --------- d-----w C:\Program Files\Google
2007-12-15 22:14 --------- d-----w C:\Program Files\Dell Photo Printer 720
2007-12-15 18:14 --------- d-----w C:\Program Files\Electronic Arts
2007-12-15 18:12 --------- d-----w C:\Documents and Settings\<User>\Application Data\Mijn Battle for Middle-earth™ II-bestanden
2007-12-13 23:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-11 15:29 --------- d-----w C:\Documents and Settings\<User>\Application Data\SecondLife
2007-12-07 17:18 --------- d-----w C:\Program Files\hp deskjet 5550 series
2007-12-07 17:18 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-05 12:06 --------- d-----w C:\Program Files\Warcraft III
2007-12-03 17:01 --------- d-----w C:\Program Files\Supreme Commander
2007-12-01 21:19 --------- d-----w C:\Program Files\Transformers The Game
2007-12-01 21:15 --------- d-----w C:\Program Files\SecondLife
2007-12-01 21:08 --------- d-----w C:\Program Files\Desktop Restore
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-27 16:42 --------- d-----w C:\Program Files\CADdy++ - SEE
2007-11-25 11:17 --------- d-----w C:\Program Files\Black_&_White
2007-11-22 21:00 --------- d-----w C:\Documents and Settings\<User>\Application Data\Sierra Entertainment
2007-11-22 17:56 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
2007-11-22 17:56 --------- d-----w C:\Program Files\Common Files\Bcgsoft
2007-11-21 20:47 --------- d-----w C:\Program Files\AGEIA Technologies
2007-11-21 18:57 --------- d-----w C:\Program Files\Starcraft brood war
2007-11-16 23:39 --------- d-----w C:\Program Files\Maplestory
2007-11-15 22:11 --------- d-----w C:\Program Files\EAGLE-4.13
2007-11-14 15:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-13 16:45 --------- d-----w C:\Program Files\Supreme Commander - Forged Alliance
2007-11-13 16:41 --------- d-----w C:\Documents and Settings\<User>\Application Data\Media Center Programs
2007-11-13 16:28 --------- d-----w C:\Documents and Settings\<User>\Application Data\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 16:24 --------- d-----w C:\Program Files\CrossLoop
2007-11-08 20:52 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-08 20:52 249,856 ------w C:\WINDOWS\Setup1.exe
2007-11-04 14:08 --------- d-----w C:\Program Files\Graphmatica
2007-11-04 11:40 --------- d-----w C:\Program Files\Dell 720
2007-11-04 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell Photo Printer 720
2007-11-02 10:27 --------- d-----w C:\Program Files\Xvid
2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-24 13:56 --------- d-----w C:\Documents and Settings\<User>\Application Data\vexorian
2007-10-24 12:20 --------- d-----w C:\Documents and Settings\<User>\Application Data\AVG7
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{552026EF-8245-4BFB-9F28-6CCB8FBCA048}]
C:\WINDOWS\system32\mllmk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:56]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" []
"SW24"="C:\WINDOWS\system32\sw24.exe" []
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]

S3 KLSIENET;Driver for USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb101et.sys [2004-08-04 00:55]
S3 lac97inf;lac97inf;C:\DOCUME~1\FILIPP~1\LOCALS~1\Temp\lac97inf.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 15:20:14
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2007-12-23 15:24:07 - machine was rebooted
.
2007-12-12 02:02:32 --- E O F ---


Edited by computerxpds, 28 May 2015 - 09:11 AM.
Redacted name at users request


#4 Buckeye_Sam


    Malware Expert



Posted 23 December 2007 - 09:47 AM

There should have been a log created. It will be named combofix.txt
If you can't locate it, go ahead and run Combofix again and see if you can get a log. That log will contain critical information that will help us tremendously.


========================================================

#5 Buckeye_Sam


    Malware Expert



Posted 23 December 2007 - 09:51 AM

Ok there it is. :thumbsup:


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

F3 - REG:win.ini: load=C:\WINDOWS\system32\mllmk.exe
O2 - BHO: (no name) - {552026EF-8245-4BFB-9F28-6CCB8FBCA048} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {7555906D-70F1-4FD6-8250-4FBE75252F58} - C:\WINDOWS\system32\ssqqrpm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe




Reboot and post a new HijackThis log.
Also run ComboFix again and post that log.

Edited by Buckeye_Sam, 23 December 2007 - 09:51 AM.

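A log-triage script, added here as an example and not part of this thread or of HijackThis itself, that encodes the rules behind Sam's fix list and runs them over lines copied from the two HJT logs above. The two allowlists are assumptions; besides Sam's seven lines it also surfaces the O20 Winlogon Notify entry for ssqqrpm.dll (which ComboFix had already removed) and the O10 LSP chain gap, which is reported as a warning rather than a Fix Checked candidate.

```python
"""Triage of HijackThis (HJT) v2 log lines, built from the entries in this thread.

Rules reflect the entries the helper selected for "Fix checked":
  - O2 BHO / O3 Toolbar entries with "(no name)", "(file missing)" or "(no file)"
  - F3 win.ini load= pointing at an .exe in system32
  - O4 Run entries that launch an unrecognised .exe from system32 (sw20.exe, sw24.exe)
  - O20 Winlogon Notify entries hooking an unrecognised DLL in system32 (ssqqrpm.dll)
  - O10 LSP chain gap, reported as a warning: HJT's Fix Checked does not repair the LSP chain
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Generic HJT entry: code, " - ", body (R0/R1, F3, O2, O3, O4, O10, O20, O23, ...)
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SYS32_EXE = re.compile(r"C:\\WINDOWS\\system32\\([A-Za-z0-9_]+\.exe)\b", re.IGNORECASE)
SYS32_DLL = re.compile(r"C:\\WINDOWS\\system32\\([A-Za-z0-9_]+\.dll)\b", re.IGNORECASE)

# Assumed allowlists (hypothetical, not something HJT ships): system32 executables that
# legitimately appear in Run keys on this XP box, and DLLs Windows itself registers
# under Winlogon\Notify.
RUN_ALLOWLIST = {"ctfmon.exe", "rundll32.exe"}
NOTIFY_ALLOWLIST = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                    "wlnotify.dll", "wgalogon.dll"}
ORPHAN_MARKERS = ("(no name)", "(file missing)", "(no file)")


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O2"
    line: str    # the original log line
    reason: str  # why it was flagged


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT entry, or None for a benign one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, process list, blank lines
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    if code in ("O2", "O3") and any(mark in low for mark in ORPHAN_MARKERS):
        return Finding(code, line, "unnamed or orphaned browser add-on")
    if code == "F3" and "load=" in low and SYS32_EXE.search(body):
        return Finding(code, line, "win.ini load= starts an exe from system32")
    if code == "O4":
        exe = SYS32_EXE.search(body)
        if exe and exe.group(1).lower() not in RUN_ALLOWLIST:
            return Finding(code, line, "Run key starts an unrecognised exe from system32")
    if code == "O20":
        dll = SYS32_DLL.search(body)
        if dll and dll.group(1).lower() not in NOTIFY_ALLOWLIST:
            return Finding(code, line, "Winlogon Notify hooks an unrecognised DLL")
    if code == "O10" and "lsp chain gap" in low:
        return Finding(code, line, "broken LSP chain: needs an LSP repair tool, not HJT Fix")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of an HJT log, keeping input order."""
    return [f for f in (check_line(raw) for raw in log_text.splitlines()) if f]


def fix_checked_candidates(findings: List[Finding]) -> List[str]:
    """Lines a helper could tick in HJT; the O10 warning is excluded on purpose."""
    return [f.line for f in findings if f.code != "O10"]


# Constructed sample: a subset of lines copied from the two HJT logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.caiman.be/
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllmk.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {552026EF-8245-4BFB-9F28-6CCB8FBCA048} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {7555906D-70F1-4FD6-8250-4FBE75252F58} - C:\WINDOWS\system32\ssqqrpm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP chain gap (#11 in chain of 11 missing)
O20 - Winlogon Notify: ssqqrpm - C:\WINDOWS\SYSTEM32\ssqqrpm.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

The O4 rule is an allowlist check, so on another machine legitimate system32 Run entries missing from RUN_ALLOWLIST will be flagged and need a manual look.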


========================================================

#6 anonymous?

  • Topic Starter


Posted 23 December 2007 - 10:14 AM

OK, some of the lines didn't appear anymore in HJT (ComboFix deleted some?), but I deleted all the ones that did appear.

The startup of my computer seems to be a lot slower since I ran ComboFix :/
Still no internet connection; copying the logs with a memory card to another computer.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03:40, on 23/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.caiman.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pandora.be:8080/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\<User>\recording programs\SnagIt 8.2.2\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\<User>recording programs\SnagIt 8.2.2\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O10 - Broken Internet access because of LSP chain gap (#11 in chain of 11 missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.pandora.be
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180543191875
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Capture Device Service - Unknown owner - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6352 bytes

ComboFix log:

ComboFix 07-12-21.4 - <User> 2007-12-23 16:04:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.1655 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\<User>\Bureaublad\ComboFix.exe
.

(((((((((((((((((((( Bestanden Gemaakt van 2007-11-23 to 2007-12-23 ))))))))))))))))))))))))))))))
.

2007-12-18 18:25 . 2007-12-18 18:25 179,941 --a------ C:\WINDOWS\system32\LEX.rar
2007-12-17 15:26 . 2007-12-21 14:23 <DIR> d-------- C:\Program Files\Universe At War Earth Assault
2007-12-17 13:05 . 2007-12-17 13:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-16 23:49 . 2007-12-16 23:49 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-16 23:29 . 2007-12-16 23:29 <DIR> d-------- C:\Documents and Settings\<User>\Application Data\Talkback
2007-12-16 23:28 . 2007-12-16 23:28 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-16 23:05 . 2007-12-16 23:05 <DIR> d-------- C:\Documents and Settings\<User>\Application Data\InstallShield
2007-12-16 20:49 . 2007-12-16 21:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-16 11:30 . 2007-12-23 16:11 13,305,888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-16 11:30 . 2007-12-23 15:55 156,860 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-16 11:27 . 2007-12-16 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-16 11:25 . 2007-12-23 13:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-16 01:18 . 2007-12-16 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-16 01:10 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-15 22:11 . 2007-12-15 22:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-15 22:11 . 2007-12-15 22:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-15 19:17 . 2007-12-15 19:17 <DIR> d-------- C:\Program Files\DIFX
2007-12-15 19:01 . 2007-12-15 19:01 <DIR> d-------- C:\WINDOWS\system32\xlive
2007-12-15 19:01 . 2007-12-15 19:01 <DIR> d-------- C:\Program Files\Sega
2007-12-14 00:33 . 2007-12-15 23:02 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2007-12-14 00:33 . 2007-12-14 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-13 14:37 . 2007-12-15 23:31 <DIR> d-------- C:\Program Files\MagicISO
2007-12-13 14:10 . 2007-12-13 14:41 <DIR> d-------- C:\Program Files\Sun age
2007-12-12 21:46 . 2006-03-07 16:32 100,400 -ra------ C:\WINDOWS\system32\drivers\slabser.sys
2007-12-12 21:46 . 2006-03-07 16:32 6,240 -ra------ C:\WINDOWS\system32\drivers\slabcmnt.sys
2007-12-12 21:46 . 2006-03-07 16:32 6,240 -ra------ C:\WINDOWS\system32\drivers\slabcm.sys
2007-12-12 21:45 . 2006-03-07 16:32 66,672 -ra------ C:\WINDOWS\system32\drivers\slabbus.sys
2007-12-12 21:45 . 2006-02-28 14:30 47,616 -ra------ C:\WINDOWS\system32\slabunin2k.exe
2007-12-12 21:45 . 2006-03-07 16:32 5,872 -ra------ C:\WINDOWS\system32\drivers\slabwhnt.sys
2007-12-12 21:45 . 2006-03-07 16:32 5,872 -ra------ C:\WINDOWS\system32\drivers\slabwh.sys
2007-12-12 21:45 . 2006-04-03 14:11 101 -ra------ C:\WINDOWS\system32\slabunin.u2k
2007-12-10 20:03 . 2007-12-10 20:03 <DIR> d-------- C:\Program Files\DivX
2007-12-06 20:33 . 2007-12-06 20:33 <DIR> d-------- C:\Documents and Settings\<User>\Application Data\DivX
2007-12-04 02:33 . 2007-12-04 02:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 02:33 . 2007-12-04 02:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 02:33 . 2007-12-04 02:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 02:33 . 2007-12-04 02:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-04 02:33 . 2007-12-04 02:33 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2007-12-03 18:44 . 2007-12-03 18:50 22 --a------ C:\WINDOWS\ShellIcon32.dll
2007-11-29 23:30 . 2007-11-29 23:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 23:30 . 2007-11-29 23:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-11-29 23:30 . 2007-11-29 23:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-11-29 23:30 . 2007-11-29 23:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-11-29 23:30 . 2007-11-29 23:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-29 23:28 . 2007-11-29 23:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-29 23:28 . 2007-11-29 23:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-29 23:28 . 2007-11-29 23:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-29 23:28 . 2007-11-29 23:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-28 22:55 . 2007-11-28 22:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 22:53 . 2007-11-28 22:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 22:53 . 2007-11-28 22:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-28 22:53 . 2007-11-28 22:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-28 22:53 . 2007-11-28 22:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-28 22:53 . 2007-11-28 22:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-28 22:53 . 2007-11-28 22:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 22:52 . 2007-11-28 22:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-25 12:24 . 2007-11-25 12:24 <DIR> d-------- C:\Program Files\C&C 3 Kane Edition
2007-11-25 11:55 . 2007-11-25 12:06 <DIR> d-------- C:\Program Files\Anno 1701

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-23 12:13 --------- d-----w C:\Documents and Settings\<User>\Application Data\uTorrent
2007-12-17 14:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 22:10 --------- d-----w C:\Program Files\EA Games
2007-12-16 22:06 --------- d-----w C:\Program Files\Empire Earth III
2007-12-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 22:54 --------- d-----w C:\Program Files\uTorrent
2007-12-15 22:34 --------- d-----w C:\Program Files\MSN Messenger
2007-12-15 22:27 --------- d-----w C:\Program Files\Google
2007-12-15 22:14 --------- d-----w C:\Program Files\Dell Photo Printer 720
2007-12-15 18:14 --------- d-----w C:\Program Files\Electronic Arts
2007-12-15 18:12 --------- d-----w C:\Documents and Settings\<User>\Application Data\Mijn Battle for Middle-earth™ II-bestanden
2007-12-13 23:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-11 15:29 --------- d-----w C:\Documents and Settings\<User>\Application Data\SecondLife
2007-12-07 17:18 --------- d-----w C:\Program Files\hp deskjet 5550 series
2007-12-07 17:18 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-05 12:06 --------- d-----w C:\Program Files\Warcraft III
2007-12-03 17:01 --------- d-----w C:\Program Files\Supreme Commander
2007-12-01 21:19 --------- d-----w C:\Program Files\Transformers The Game
2007-12-01 21:15 --------- d-----w C:\Program Files\SecondLife
2007-12-01 21:08 --------- d-----w C:\Program Files\Desktop Restore
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-27 16:42 --------- d-----w C:\Program Files\CADdy++ - SEE
2007-11-25 11:17 --------- d-----w C:\Program Files\Black_&_White
2007-11-22 21:00 --------- d-----w C:\Documents and Settings\<User>\Application Data\Sierra Entertainment
2007-11-22 17:56 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
2007-11-22 17:56 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
2007-11-22 17:56 --------- d-----w C:\Program Files\Common Files\Bcgsoft
2007-11-21 20:47 --------- d-----w C:\Program Files\AGEIA Technologies
2007-11-21 18:57 --------- d-----w C:\Program Files\Starcraft brood war
2007-11-16 23:39 --------- d-----w C:\Program Files\Maplestory
2007-11-15 22:11 --------- d-----w C:\Program Files\EAGLE-4.13
2007-11-14 15:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 17:16 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-13 16:45 --------- d-----w C:\Program Files\Supreme Commander - Forged Alliance
2007-11-13 16:41 --------- d-----w C:\Documents and Settings\<User>\Application Data\Media Center Programs
2007-11-13 16:28 --------- d-----w C:\Documents and Settings\<User>\Application Data\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 16:24 --------- d-----w C:\Program Files\CrossLoop
2007-11-08 20:52 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-08 20:52 249,856 ------w C:\WINDOWS\Setup1.exe
2007-11-04 14:08 --------- d-----w C:\Program Files\Graphmatica
2007-11-04 11:40 --------- d-----w C:\Program Files\Dell 720
2007-11-04 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell Photo Printer 720
2007-11-02 10:27 --------- d-----w C:\Program Files\Xvid
2007-10-30 23:27 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:45 1,291,776 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:44 8,507,392 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-24 13:56 --------- d-----w C:\Documents and Settings\<User>\Application Data\vexorian
2007-10-24 12:20 --------- d-----w C:\Documents and Settings\<User>\Application Data\AVG7
2007-10-13 16:50 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-10-12 22:19 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2007-10-12 22:19 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
2007-10-10 23:54 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:53 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:53 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:53 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:53 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:53 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:53 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:53 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:53 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:53 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:53 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:53 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:53 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:53 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:53 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:53 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:53 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:53 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:53 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:53 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:53 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:53 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 11:02 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 11:02 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-09-30 10:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:56]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]

S3 KLSIENET;Driver for USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb101et.sys [2004-08-04 00:55]
S3 lac97inf;lac97inf;C:\DOCUME~1\FILIPP~1\LOCALS~1\Temp\lac97inf.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 16:11:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-23 16:12:47
C:\ComboFix2.txt ... 2007-12-23 15:24
.
2007-12-12 02:02:32 --- E O F ---


Edited by computerxpds, 28 May 2015 - 09:16 AM.
Removed Name as requested by user


#7 Buckeye_Sam (Malware Expert)

Posted 23 December 2007 - 04:41 PM

Your log is looking better. Let's see what we can do about your connection.

Download LSPFix from http://www.cexx.org/lspfix.zip and run it.
Do not select any files from the list, just simply click Finish.

Reboot and post a new hijackthis log.
Let me know if you have a connection.

I see signs of Zone Alarm, but it doesn't appear to be running. Are you using it?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 anonymous? (Topic Starter)

Posted 24 December 2007 - 07:46 AM

LSPFix said 'no changes needed', 0 removed, 0 renumbered, though HJT says it's a broken LSP.

I use ZoneAlarm but temporarily turned it off; it had ~13000 'intrusions blocked' in 3 days, which seemed to make my download program block when left on during the night.

I didn't have any more virus alerts, but ComboFix seems to have made some bad changes.


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:59, on 24/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.caiman.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pandora.be:8080/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\http://www.bleepingcomputer.com/forums/t/122299/trojan-horse-generic-and-virus-found-lop/\recording programs\SnagIt 8.2.2\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\http://www.bleepingcomputer.com/forums/t/122299/trojan-horse-generic-and-virus-found-lop/\recording programs\SnagIt 8.2.2\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O10 - Broken Internet access because of LSP chain gap (#11 in chain of 11 missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.pandora.be
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180543191875
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Capture Device Service - Unknown owner - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6352 bytes


Edited by computerxpds, 28 May 2015 - 09:22 AM.
Removed Name as requested by user


#9 Buckeye_Sam (Malware Expert)

Posted 24 December 2007 - 08:18 AM

I use ZoneAlarm but temporarily turned it off; it had ~13000 'intrusions blocked' in 3 days, which seemed to make my download program block when left on during the night.

Please enable Zone Alarm again. I notice that in your first log it was running and in the next log where you lost your connection, it was not. If that doesn't change anything, then uninstall Zone Alarm and reinstall it (if you want to keep using it).

I didn't have any more virus alerts, but ComboFix seems to have made some bad changes.

How so? Please elaborate.


========================================================

#10 anonymous? (Topic Starter)

Posted 24 December 2007 - 10:39 AM

I was a bit in a hurry last time :/ but now I have more time :thumbsup:

I temporarily turned ZoneAlarm off when downloading during the night.
When I tried to turn it on it didn't want to start anymore (in Task Manager I saw vsmon starting up, then disappearing again about every 3 sec).
I uninstalled it, but I need an internet connection to install it (ZoneAlarm's options are 'download & install' or 'download').

Just before I ran ComboFix, AVG said some files were infected: "iaanotif.exe", "sw20.exe", "sw24.exe". Is it bad that those are removed, and if so, how do I get them back? (AVG deleted them.)
When I start my computer and type the username and password to log in, it stays on an empty background for about 2 minutes; winlogon.exe seems to be slowed down a lot.
Some minor changes too, like my memory card not auto-opening anymore; when a process blocks, the 'send report' option is gone; explorer.exe sometimes closes and ends, then restarts.

At least the virus seems to be dead too; I haven't had any virus warning since ComboFix ran :blink:
Kinda thinking of using System Recovery.

Edited by anonymous?, 24 December 2007 - 10:51 AM.


#11 Buckeye_Sam (Malware Expert)

Posted 24 December 2007 - 10:59 AM

When I tried to turn it on it didn't want to start anymore (in Task Manager I saw vsmon starting up, then disappearing again about every 3 sec).
I uninstalled it, but I need an internet connection to install it (ZoneAlarm's options are 'download & install' or 'download').

It seems like Zone Alarm had become corrupted in some way and that's affecting your connection. Now that you've uninstalled Zone Alarm you can try to run LSPFix again just like before. If that doesn't work, do you have a way to download Zone Alarm's installation file from another computer and then transfer it and install it on the affected computer?

Just before I ran ComboFix, AVG said some files were infected: "iaanotif.exe", "sw20.exe", "sw24.exe". Is it bad that those are removed, and if so, how do I get them back? (AVG deleted them.)

Well, AVG did the right thing on the sw20.exe and sw24.exe. Those are bad files and you don't want them back. But if it deleted iaanotif.exe, that was likely a legit file. AVG has settings where you choose to delete or quarantine infected files that it finds. You'll want to review those settings to see if those files were just quarantined, but not deleted.


I reviewed the ComboFix log and confirmed that it only removed malicious files and made no other changes that would have affected your computer in the way that you're describing. Please post a new HijackThis log and I'll take another look to see if something crept back in.


========================================================

#12 anonymous? (Topic Starter)

Posted 24 December 2007 - 11:24 AM

I looked in the folder, and there seem to be 2 'iaanotif.exe' files, one of 136 KB (created at the exact time I turned the computer on) and one created yesterday (612 KB).

I see ComboFix moved winSys.exe to quarantine; that seems a bit strange.

LSPFix still says 'no changes necessary'.

What about a scan with 'sfc /scannow', then using the WinXP disc?

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:23:36, on 24/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.caiman.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pandora.be:8080/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\http://www.bleepingcomputer.com/forums/t/122299/trojan-horse-generic-and-virus-found-lop/\recording programs\SnagIt 8.2.2\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\http://www.bleepingcomputer.com/forums/t/122299/trojan-horse-generic-and-virus-found-lop/\recording programs\SnagIt 8.2.2\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O10 - Broken Internet access because of LSP chain gap (#11 in chain of 11 missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.pandora.be
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180543191875
O23 - Service: Capture Device Service - Unknown owner - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

--
End of file - 5355 bytes


Edited by computerxpds, 28 May 2015 - 09:23 AM.
Removed Name as requested by user
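
The two HijackThis logs above (posts #8 and #12) are what Buckeye_Sam reads before saying the log "looks fine": the O10 line reports a gap in the Winsock LSP catalog, O23 entries marked "(file missing)" are orphaned services, and entries that vanish between the two logs are what ComboFix and the ZoneAlarm uninstall took out. The script below is an added example written for this page, not code from HijackThis, ComboFix or their authors. Its parsing rules are inferred from the log lines as posted, the Winsock catalog check re-implements the O10 test as understood here (the registry key layout is an assumption, not taken from HJT's source), and the sample log text is constructed from lines in those two posts.

```python
"""Triage helpers for HijackThis 2.x logs.

Added example for this thread, not code from HijackThis, ComboFix or their
authors. The line formats matched below are inferred from the logs as posted
(O4 Run entries, the O10 LSP line, O23 services) and are an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HJT logs in posts #8 ("before")
# and #12 ("after"), trimmed to the entries that matter for the comparison.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O10 - Broken Internet access because of LSP chain gap (#11 in chain of 11 missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O10 - Broken Internet access because of LSP chain gap (#11 in chain of 11 missing)
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
"""

# Service display name and vendor are split on the first two " - "; a name or
# vendor that itself contains " - " would mis-parse (not handled in this example).
_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O10 = re.compile(r"^O10 - (?P<text>.+?)(?: \(#(?P<idx>\d+) in chain of (?P<total>\d+) missing\))?$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
_PROFILE_PATH = re.compile(r"\\(?:Temp|Local Settings|Temporary Internet Files)\\", re.I)


@dataclass(frozen=True)
class Entry:
    section: str            # "O4", "O10" or "O23"
    key: str                # stable identity used when diffing two logs
    path: str = ""          # command line (O4) or service binary (O23)
    missing: bool = False   # O23 line carried "(file missing)"
    lsp_gap: tuple = ()     # (missing_index, chain_length) from an O10 line


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O4, O10 and O23 lines of an HJT log; other sections are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            entries.append(Entry("O4", f"{m['hive']}:{m['name']}", m["cmd"]))
        elif m := _O23.match(line):
            entries.append(Entry("O23", m["name"], m["path"], bool(m["missing"])))
        elif m := _O10.match(line):
            gap = (int(m["idx"]), int(m["total"])) if m["idx"] else ()
            entries.append(Entry("O10", m["text"], lsp_gap=gap))
    return entries


def findings(entries: list[Entry]) -> list[str]:
    """What a helper checks first: LSP chain gaps, services whose binary is gone,
    and autoruns launched from a temp or profile directory."""
    out = []
    for e in entries:
        if e.section == "O10" and e.lsp_gap:
            idx, total = e.lsp_gap
            out.append(f"LSP chain gap: catalog entry {idx} of {total} missing; the Winsock catalog needs a reset")
        elif e.section == "O23" and e.missing:
            out.append(f"orphaned service: {e.key} points at missing {e.path}")
        elif e.section == "O4" and _PROFILE_PATH.search(e.path):
            out.append(f"autorun from a temp/profile path: {e.key} -> {e.path}")
    return out


def diff_logs(before: str, after: str) -> tuple[set[str], set[str]]:
    """Return (removed, added) entry keys between two logs from the same machine."""
    b = {f"{e.section}:{e.key}" for e in parse_hjt(before)}
    a = {f"{e.section}:{e.key}" for e in parse_hjt(after)}
    return b - a, a - b


def winsock_catalog_gaps(num_catalog_entries: int, present: set[int]) -> list[int]:
    """The check behind the O10 line, as assumed here: under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9
    the value Num_Catalog_Entries says N and Catalog_Entries holds one subkey per
    provider named 000000000001 .. N. Any number in 1..N with no subkey is a gap,
    and a broken chain is why the connection dies until the catalog is rebuilt."""
    return [i for i in range(1, num_catalog_entries + 1) if i not in present]


if __name__ == "__main__":
    for f in findings(parse_hjt(LOG_BEFORE)):
        print("!", f)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed between logs:", sorted(removed))
    print("added between logs:", sorted(added))
    # The registry state implied by "#11 in chain of 11 missing"
    print("catalog gaps:", winsock_catalog_gaps(11, set(range(1, 11))))
```

Run as-is to see the three entries that disappeared between the two posted logs (the AVG7_CC autorun and the Avg7Alrt and vsmon services) and the two findings a helper would act on. The diff is the useful part: on a machine you are cleaning, feed it a log taken before and after each tool runs so nothing disappears or reappears unnoticed. On XP SP2 the catalog can also be rebuilt from the command line with `netsh winsock reset` followed by a reboot.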


#13 Buckeye_Sam (Malware Expert)

Posted 24 December 2007 - 11:37 AM

Well your log looks fine.

Let's try another program that may have better results.

Download and run Winsock XP Fix.
http://www.majorgeeks.com/download4372.html


Do you have a way to download Zone Alarm and move it over as I mentioned in my previous post?


========================================================

#14 anonymous? (Topic Starter)

Posted 24 December 2007 - 11:51 AM

Winsock XP Fix is great :thumbsup: Internet and everything (like the slow startup) is back to normal.

Downloading ZoneAlarm.. <will edit in a min>

Did a reboot, and 'system32\mllmk.exe' was detected again by AVG :/
Moved it to the Virus Vault, which caused lsass.exe to be stopped and the system to shut down.

Edited by anonymous?, 24 December 2007 - 12:04 PM.


#15 Buckeye_Sam (Malware Expert)

Posted 24 December 2007 - 12:04 PM

Sounds good! :thumbsup:
Let me know how it turns out.


========================================================



