Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Trojan / Pop-ups / Etc.


  • Please log in to reply
5 replies to this topic

#1 lokaii

lokaii

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:17 PM

Posted 24 December 2007 - 11:11 AM

Followed the guide followed all steps prior to running hijackthis.

Ran HiJackThis.......results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:25 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\freeSSHd\FreeSSHDService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\rc\winvnc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\PD7BF3.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.portseattle.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.portseattle.org
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=60497
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Port of Seattle
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.portseattle.org;*.seattle.internal.local;*.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [00a0c102] rundll32.exe "C:\WINDOWS\system32\jutxphag.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.portseattle.org
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181671451859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181671445765
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seattle.internal.local
O17 - HKLM\Software\..\Telephony: DomainName = seattle.internal.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seattle.internal.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seattle.internal.local
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FreeSSHDService - Unknown owner - C:\Program Files\freeSSHd\FreeSSHDService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC (WinVNC) - RealVNC Ltd. - C:\WINDOWS\system32\rc\winvnc.exe

--
End of file - 8430 bytes

Edited by lokaii, 24 December 2007 - 11:14 AM.


BC AdBot (Login to Remove)

 


m

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:17 PM

Posted 25 December 2007 - 08:46 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum lokaii
My name is Richie and i'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 lokaii

lokaii
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:17 PM

Posted 27 December 2007 - 11:00 AM

Vundofix.txt:

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Scan started at 10:04:22 AM 12/26/2007

Listing files found while scanning....

C:\windows\system32\awtsp.dll
C:\WINDOWS\system32\ljjgeef.dll
C:\WINDOWS\system32\lxwntcme.dll
C:\windows\system32\lxwntcme.dllbox
C:\windows\system32\pstwa.bak1
C:\windows\system32\pstwa.bak2
C:\windows\system32\pstwa.ini

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjgeef.dll
C:\WINDOWS\system32\ljjgeef.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lxwntcme.dll
C:\WINDOWS\system32\lxwntcme.dll Has been deleted!

Attempting to delete C:\windows\system32\lxwntcme.dllbox
C:\windows\system32\lxwntcme.dllbox Has been deleted!

Attempting to delete C:\windows\system32\pstwa.bak1
C:\windows\system32\pstwa.bak1 Has been deleted!

Attempting to delete C:\windows\system32\pstwa.bak2
C:\windows\system32\pstwa.bak2 Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ljjgeef.dll
C:\WINDOWS\system32\ljjgeef.dll Has been deleted!

Performing Repairs to the registry.
Done!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Combofix.txt:

ComboFix 07-12-27.1 - le3 2007-12-26 14:43:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1529 [GMT -8:00]
Running from: C:\Documents and Settings\le3\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\le3\Application Data\inst.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\outerinfo.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\arwlvcby.ini
C:\WINDOWS\system32\bvkaowvf.ini
C:\WINDOWS\system32\dlmiawxs.dll
C:\WINDOWS\system32\dwfaxqye.dll
C:\WINDOWS\system32\fttipxjc.dll
C:\WINDOWS\system32\fvwoakvb.dll
C:\WINDOWS\system32\fyekmxwb.dll
C:\WINDOWS\system32\gahpxtuj.ini
C:\WINDOWS\system32\hatcoyxh.dll
C:\WINDOWS\system32\jgogcjwx.dll
C:\WINDOWS\system32\jwrkhqte.dll
C:\WINDOWS\system32\mrqfyyjy.dll
C:\WINDOWS\system32\oehttmhu.dll
C:\WINDOWS\system32\qjbwnqgl.dll
C:\WINDOWS\system32\rumdmvkp.dll
C:\WINDOWS\system32\ugfxfidn.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wkpjvmsk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-26 10:04 . 2007-12-26 11:28 <DIR> d-------- C:\VundoFix Backups
2007-12-25 10:59 . 2007-12-25 10:59 1,010,196 ---hs---- C:\WINDOWS\system32\nkkcbidw.ini
2007-12-24 10:02 . 2007-12-25 10:02 1,019,097 ---hs---- C:\WINDOWS\system32\mphwtfqx.ini
2007-12-21 17:10 . 2007-12-21 17:10 <DIR> d-------- C:\Documents and Settings\le3\Application Data\ImgBurn
2007-12-21 11:10 . 2007-12-21 11:10 14,033 --a------ C:\posF.tmp
2007-12-20 07:59 . 2007-12-20 07:59 14,033 --a------ C:\pos273.tmp
2007-12-20 07:58 . 2007-12-20 07:58 165,472 --a------ C:\WINDOWS\system32\uvboynip.dll
2007-12-18 18:38 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-18 17:00 . 2007-12-18 18:49 <DIR> d-------- C:\Documents and Settings\le3\.housecall6.6
2007-12-18 15:40 . 2007-12-18 16:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-12-18 11:15 . 2007-06-12 10:03 <DIR> d---s---- C:\Documents and Settings\jh1\UserData
2007-12-18 11:15 . 2007-12-18 11:15 <DIR> d-------- C:\Documents and Settings\jh1\Application Data\Citrix
2007-12-10 16:06 . 2007-12-10 16:06 <DIR> d-------- C:\Program Files\Passware
2007-12-04 14:18 . 2007-12-26 14:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-04 14:18 . 2007-12-04 14:18 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-04 14:17 . 2007-12-04 14:17 <DIR> d-------- C:\Program Files\iTunes
2007-12-04 14:17 . 2007-12-04 14:17 <DIR> d-------- C:\Program Files\iPod
2007-11-29 08:07 . 2006-02-28 08:53 2,936,832 --a------ C:\WINDOWS\system32\MA2_6.scr
2007-11-26 14:16 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 18:30 --------- d-----w C:\Program Files\TrueCrypt
2007-12-26 16:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2007-12-24 15:59 --------- d-----w C:\Program Files\Trend Micro
2007-12-21 18:40 --------- d-----w C:\Documents and Settings\le3\Application Data\Vso
2007-12-17 19:13 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2007-12-15 01:18 --------- d-----w C:\Documents and Settings\le3\Application Data\uTorrent
2007-12-04 22:16 --------- d-----w C:\Program Files\QuickTime
2007-11-21 23:17 26,768 ----a-w C:\CTL3D.DLL
2007-11-21 01:43 --------- d-----w C:\Documents and Settings\wh2\Application Data\Citrix
2007-11-17 00:18 --------- d-----w C:\Program Files\GTDesktop
2007-11-13 16:47 94,208 ----a-w C:\WINDOWS\system32\drivers\ezplay.sys
2007-11-13 16:47 94,208 ----a-w C:\Documents and Settings\le3\Application Data\ezplay.sys
2007-11-13 16:47 --------- d-----w C:\Program Files\VSO
2007-11-12 21:49 --------- d-----w C:\Program Files\SereneScreen
2007-11-12 21:02 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-12 20:45 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-12 17:01 --------- d-----w C:\Program Files\MagicISO
2007-11-09 18:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2007-11-09 00:42 --------- d-----w C:\Program Files\freeSSHd
2007-11-09 00:28 --------- d-----w C:\Program Files\freeFTPd
2007-11-08 19:58 --------- d-----w C:\Documents and Settings\le3\Application Data\TrueCrypt
2007-11-08 01:21 --------- d-----w C:\Documents and Settings\bk1\Application Data\TrueCrypt
2007-10-31 15:49 --------- d-----w C:\Documents and Settings\le3\Application Data\DVD Flick
2007-10-30 16:31 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-30 16:30 --------- d-----w C:\Program Files\Bonjour
2007-10-30 16:25 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-09-07 15:29 47,360 ----a-w C:\Documents and Settings\le3\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AABA273D-84FC-4901-9313-9657E4ABA374}]
C:\WINDOWS\system32\awtsp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 16:03]
"Express ClickYes"="C:\Program Files\Express ClickYes\ClickYes.exe" [2005-07-27 00:39]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-02 15:11]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2007-05-03 21:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-13 08:47]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-13 08:47]
"Persistence"="C:\WINDOWS\System32\igfxpers.exe" [2007-01-13 08:46]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 17:44]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 14:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 14:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 14:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 14:32]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-22 21:00]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2007-01-08 19:20]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 C:\WINDOWS\system32\HdAShCut.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 04:23]
"WinVNC"="C:\WINDOWS\system32\rc\winvnc.exe" [2003-03-05 13:49]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

C:\Documents and Settings\le3\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-09-04 12:44:44]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-02 15:11:21]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2006-05-02 17:22:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-288342273-1816917429-2113517987-16305\Scripts\Logon\0\0]
"Script"=OLverCheck.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-288342273-1816917429-2113517987-17605\Scripts\Logon\0\0]
"Script"=OLverCheck.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-288342273-1816917429-2113517987-17606\Scripts\Logon\0\0]
"Script"=OLverCheck.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-288342273-1816917429-2113517987-20206\Scripts\Logon\0\0]
"Script"=OLverCheck.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-288342273-1816917429-2113517987-6761\Scripts\Logon\0\0]
"Script"=OLverCheck.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-288342273-1816917429-2113517987-6953\Scripts\Logon\0\0]
"Script"=OLverCheck.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-288342273-1816917429-2113517987-8314\Scripts\Logon\0\0]
"Script"=OLverCheck.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

R2 LMS;Intel® Active Management Technology LMS Service;C:\Program Files\Intel\AMT\LMS.exe [2006-07-29 10:20]
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 09:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a994cd-702f-11dc-a686-001641e9e53a}]
\Shell\AutoRun\command - H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-24 18:24:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-12-26 15:05:14 - machine was rebooted
.
2007-11-27 11:01:45 --- E O F ---
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:59, on 2007-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\freeSSHd\FreeSSHDService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\rc\winvnc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\QL74EF.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.portseattle.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.portseattle.org
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=60497
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.portseattle.org;*.seattle.internal.local;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AABA273D-84FC-4901-9313-9657E4ABA374} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.portseattle.org
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181671451859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181671445765
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seattle.internal.local
O17 - HKLM\Software\..\Telephony: DomainName = seattle.internal.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seattle.internal.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seattle.internal.local
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FreeSSHDService - Unknown owner - C:\Program Files\freeSSHd\FreeSSHDService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC (WinVNC) - RealVNC Ltd. - C:\WINDOWS\system32\rc\winvnc.exe

--
End of file - 8920 bytes

Edited by lokaii, 27 December 2007 - 11:01 AM.


#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:17 PM

Posted 27 December 2007 - 11:12 AM

Please download OTMoveIt by OldTimer,save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\nkkcbidw.ini
C:\WINDOWS\system32\mphwtfqx.ini
C:\WINDOWS\system32\uvboynip.dll
C:\posF.tmp
C:\pos273.tmp


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {AABA273D-84FC-4901-9313-9657E4ABA374} - C:\WINDOWS\system32\awtsp.dll (file missing)

If you're not aware of any restrictions being set,fix these as well:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#5 lokaii

lokaii
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:17 PM

Posted 27 December 2007 - 02:14 PM

OT MoveIt Results:

C:\WINDOWS\system32\nkkcbidw.ini moved successfully.
C:\WINDOWS\system32\mphwtfqx.ini moved successfully.
C:\WINDOWS\system32\uvboynip.dll unregistered successfully.
C:\WINDOWS\system32\uvboynip.dll moved successfully.
C:\posF.tmp moved successfully.
C:\pos273.tmp moved successfully.

Created on 12272007_095510

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/27/2007 at 11:00 AM

Application Version : 3.9.1008

Core Rules Database Version : 3369
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 00:30:09

Memory items scanned : 403
Memory threats detected : 0
Registry items scanned : 6777
Registry threats detected : 0
File items scanned : 49344
File threats detected : 33

Adware.Tracking Cookie
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@10click[2].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@2o7[2].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@ad.uolmg[2].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@ad.yieldmanager[1].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@ads.addynamix[1].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@advertising[2].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@atdmt[2].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@casalemedia[2].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@doubleclick[1].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@mediaplex[1].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@questionmarket[2].txt
C:\Documents and Settings\le3\Desktop\Rays Data\rgp\Local Settings\Temp\Cookies\rgp@z1.adserver[1].txt

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP103\A0014477.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP103\A0014479.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP103\A0014480.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP103\A0014481.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP103\A0014482.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014558.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014559.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014560.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014561.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014562.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014563.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014564.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014565.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014566.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014567.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014568.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014569.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014570.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP104\A0014571.DLL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F214F536-23C2-479B-A568-53429F797920}\RP103\A0014489.DLL
C:\VUNDOFIX BACKUPS\LJJGEEF.DLL.BAD

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11, on 2007-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\freeSSHd\FreeSSHDService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\rc\winvnc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\QBE190.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.portseattle.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.portseattle.org
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=60497
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.portseattle.org;*.seattle.internal.local;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\system32\rc\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.portseattle.org
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181671451859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181671445765
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seattle.internal.local
O17 - HKLM\Software\..\Telephony: DomainName = seattle.internal.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seattle.internal.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seattle.internal.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FreeSSHDService - Unknown owner - C:\Program Files\freeSSHd\FreeSSHDService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC (WinVNC) - RealVNC Ltd. - C:\WINDOWS\system32\rc\winvnc.exe

--
End of file - 9079 bytes

System seems to be working fine now.
Thank you for your help.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:17 PM

Posted 27 December 2007 - 02:30 PM

Your log is clean :thumbsup: ,please do the following:

Please double-click OTMoveIt.exe again to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users