
Trojan.downloader.gen


6 replies to this topic

#1 sonic999

Posted 26 December 2007 - 10:14 AM

Hi, this is my first post, so hello to you all :thumbsup:

I was alerted by Kaspersky to purityscan.gp + win32.virtumonde.byj + trojan.downloader.gen. I have since used Kaspersky, VundoFix, and Spy Sweeper to get rid of win32.virtumonde.byj.

Except for trojan.downloader.gen and purityscan.gp, which Spy Sweeper says have been deleted but which re-appear on the next scan.

My log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:49:16, on 26/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\Program Files\Napster\napster.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\WinTV\Ir.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\WINDOWS\system32\CTsvcCDA.EXE
E:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
E:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\system32\wpabaln.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DriverCD] D:\Run.exe
O4 - HKLM\..\Run: [IAAnotif] "E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [GBB36X Configure] "E:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [EPGServiceTool] "E:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe"
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NapsterShell] "E:\Program Files\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [NeroFilterCheck] "E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = E:\Program Files\WinTV\Ir.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E115D08E-2E70-420D-97DA-019509972A55}: NameServer = 212.23.3.100,212.23.6.100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPGService - Hauppauge Computer Works - E:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - E:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - E:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6017 bytes


Many thanks for your time.
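When a log like the one above lands in front of an analyst, the first pass is usually mechanical: pull out the autostart (O4), browser helper object (O2), service (O23) and DNS (O17) lines and sort them by how much they deserve a look. The Python below does that pass. It is an added example for this page, not part of the thread and not HijackThis code; the sample it embeds quotes a few lines from the log above, and the three things it surfaces (a Run entry whose command carries no drive letter and is therefore resolved through the search path, a Run entry whose executable lives on a drive other than the Windows drive, and a service HijackThis lists with "Unknown owner") are the author's choices of what to look at first, not a verdict that any of those entries is malicious. The O17 name servers are listed only so they can be checked against the ISP's published resolvers.

```python
"""Triage the O2/O4/O17/O23 lines of a HijackThis 2.x log.

Added example for this thread, not HijackThis code. SAMPLE_LOG quotes a few
lines from the log posted above; the heuristics are the author's choices of
what to review first, not a verdict on any entry.
"""
import re
from dataclasses import dataclass

# Excerpt of the first HijackThis log in the thread (quoted, then truncated).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DriverCD] D:\Run.exe
O4 - HKLM\..\Run: [IAAnotif] "E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [GBB36X Configure] "E:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: AutoStart IR.lnk = E:\Program Files\WinTV\Ir.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E115D08E-2E70-420D-97DA-019509972A55}: NameServer = 212.23.3.100,212.23.6.100
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# One pattern per HijackThis section type we care about.
O4_RUN = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    kind: str    # 'unqualified' | 'offdrive' | 'unknown-owner' | 'dns' | 'bho'
    item: str    # Run value name, service name, BHO name, ...
    detail: str  # executable path, owner, server list, ...


def executable_of(cmd: str) -> str:
    """First token of a Run command: the quoted path if quoted, else the
    first whitespace-separated token (unquoted paths with spaces are cut
    at the first space, which only affects display, not the drive check)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def system_drive(log: str):
    """Drive letter of the Windows directory, taken from the first running
    process path (smss.exe), e.g. 'E' for the log above."""
    m = re.search(r"^([A-Za-z]):\\WINDOWS\\", log, re.MULTILINE | re.IGNORECASE)
    return m.group(1).upper() if m else None


def triage(log: str):
    drive = system_drive(log)
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            # Global Startup entries are a bare path, so keep the whole thing.
            exe = m.group("cmd") if m.re is O4_STARTUP else executable_of(m.group("cmd"))
            if not ABS_PATH.match(exe):
                findings.append(Finding("unqualified", m.group("name"), exe))
            elif drive and exe[0].upper() != drive:
                findings.append(Finding("offdrive", m.group("name"), exe))
            continue
        m = O2_BHO.match(line)
        if m:
            findings.append(Finding("bho", m.group("name"), f'{m.group("clsid")} {m.group("path")}'))
            continue
        m = O23_SVC.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding("unknown-owner", m.group("name"), m.group("path")))
            continue
        m = O17_DNS.match(line)
        if m:
            findings.append(Finding("dns", "NameServer", m.group("servers")))
    return findings


def report(log: str) -> str:
    lines = [f"system drive: {system_drive(log)}:"]
    lines += [f"[{f.kind}] {f.item}: {f.detail}" for f in triage(log)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the excerpt this lists the BHO, flags `DriverCD` (its executable is on D:, not the Windows drive E:), flags `CTHelper` (bare `CTHELPER.EXE`, resolved via the search path at logon), reports the `ATI Smart` service as owner-unknown, and prints the two name servers for a manual check. Each of those is a prompt to look, not a conviction; the Creative and ATI entries here are what their installers normally write.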

#2 RichieUK
  • Malware Response Team

Posted 27 December 2007 - 09:10 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, sonic999.
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download ComboFix and save it to your desktop:
Note
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other real-time scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and re-download ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log, please.

#3 sonic999
  • Topic Starter

Posted 27 December 2007 - 06:42 PM

Hi, I have run ComboFix and produced the log below, with the HijackThis log.

Just a couple of notes that I would like to double-check, because I am not sure I have done this correctly.
When I downloaded ComboFix, my antivirus didn't detect or interact. So, being a bit new and dumb, I left the
antivirus on and completed the scan OK, but the antivirus did pop up a few times to warn me
(files that I know you said are cool). I told the antivirus to skip/allow. I just wanted to check, although the scan completed OK, that I didn't need to re-do this.

Thanks for your time on this.

ComboFix log:

ComboFix 07-12-28.1 - Anyone 2007-12-27 20:02:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT 0:00]
Running from: E:\Documents and Settings\Anyone\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Documents and Settings\Anyone\Application Data\inst.exe
E:\WINDOWS\b122.exe.bin
E:\WINDOWS\system32\ineWc01
E:\WINDOWS\system32\ineWc01\ineWc011065.exe
E:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-27 08:57 . 2007-12-27 08:57 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-26 23:25 . 2007-12-26 23:25 <DIR> d-------- E:\Program Files\VSO
2007-12-26 23:25 . 2007-12-27 13:20 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\Vso
2007-12-26 23:25 . 2006-09-29 11:24 217,127 --a------ E:\WINDOWS\system32\drv43260.dll
2007-12-26 23:25 . 2006-09-29 11:25 208,935 --a------ E:\WINDOWS\system32\drv33260.dll
2007-12-26 23:25 . 2006-09-29 11:26 176,165 --a------ E:\WINDOWS\system32\drv23260.dll
2007-12-26 23:25 . 2007-12-26 23:25 47,360 --a------ E:\WINDOWS\system32\drivers\pcouffin.sys
2007-12-26 23:25 . 2007-12-26 23:25 47,360 --a------ E:\Documents and Settings\Anyone\Application Data\pcouffin.sys
2007-12-26 22:44 . 2007-12-26 22:44 0 --a------ E:\WINDOWS\nsreg.dat
2007-12-26 14:13 . 2007-12-26 14:44 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 13:09 . 2007-12-26 13:09 <DIR> d-------- E:\Program Files\Lavasoft
2007-12-26 13:09 . 2007-12-26 13:09 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-12-26 13:09 . 2007-12-26 13:09 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-26 10:42 . 2007-12-26 10:42 <DIR> d-------- E:\Program Files\Webroot
2007-12-26 10:42 . 2007-12-26 10:42 <DIR> d-------- E:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-26 10:42 . 2007-12-26 10:42 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\Webroot
2007-12-26 10:42 . 2007-12-26 10:42 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Webroot
2007-12-26 10:42 . 2007-10-01 16:40 1,526,072 --a------ E:\WINDOWS\WRSetup.dll
2007-12-26 10:42 . 2007-10-01 16:24 163,640 --a------ E:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-26 10:42 . 2007-10-01 16:24 23,864 --a------ E:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-26 10:42 . 2007-10-01 16:24 21,816 --a------ E:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-26 10:42 . 2007-10-01 16:24 20,280 --a------ E:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-25 23:10 . 2007-12-25 23:10 164 --a------ E:\install.dat
2007-12-25 22:15 . 2007-12-25 22:15 <DIR> d-------- E:\Program Files\Trend Micro
2007-12-24 02:50 . 2007-12-24 02:50 <DIR> d-------- E:\WINDOWS\system32\ardCo01
2007-12-24 02:50 . 2007-12-24 02:50 39,936 --a------ E:\WINDOWS\mrofinu572.exe.tmp
2007-12-23 18:38 . 2007-12-23 18:38 <DIR> d-------- E:\Program Files\Custom Technology
2007-12-23 18:28 . 2007-12-23 18:28 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\NeroDigital™
2007-12-23 18:27 . 2007-12-27 09:52 69 --a------ E:\WINDOWS\NeroDigital.ini
2007-12-23 18:04 . 2007-12-23 18:04 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\Nero
2007-12-23 18:03 . 2007-12-23 18:03 <DIR> d-------- E:\Program Files\Nero
2007-12-23 18:03 . 2007-12-23 18:04 <DIR> d-------- E:\Program Files\Common Files\Nero
2007-12-23 18:03 . 2007-12-23 18:03 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Nero
2007-12-21 01:48 . 2007-12-21 01:48 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\Roxio
2007-12-21 01:45 . 2007-12-23 11:41 <DIR> d-------- E:\Program Files\Napster
2007-12-21 01:45 . 2007-12-21 01:45 <DIR> d-------- E:\Program Files\Common Files\Napster Shared
2007-12-21 01:45 . 2007-12-21 01:47 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Napster
2007-12-19 22:14 . 2007-12-19 22:14 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\vlc
2007-12-19 22:12 . 2007-12-19 22:12 <DIR> d-------- E:\Program Files\VideoLAN
2007-12-19 07:57 . 2007-12-27 15:54 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\Azureus
2007-12-19 07:57 . 2007-12-19 07:57 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Azureus
2007-12-19 07:55 . 2007-12-23 17:53 <DIR> d-------- E:\Program Files\Azureus
2007-12-16 21:55 . 2007-12-16 21:55 <DIR> d-------- E:\Program Files\Kaspersky Lab
2007-12-16 21:55 . 2007-12-27 19:32 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-16 21:55 . 2007-12-28 20:28 2,770,464 --ahs---- E:\WINDOWS\system32\drivers\fidbox.dat
2007-12-16 21:55 . 2007-12-20 23:56 91,492 --a------ E:\WINDOWS\system32\drivers\klin.dat
2007-12-16 21:55 . 2007-12-16 21:59 85,860 --a------ E:\WINDOWS\system32\drivers\klick.dat
2007-12-16 21:55 . 2007-12-28 20:24 78,112 --ahs---- E:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-16 21:55 . 2007-12-27 15:56 39,020 --ahs---- E:\WINDOWS\system32\drivers\fidbox.idx
2007-12-16 21:55 . 2007-12-27 15:56 9,152 --ahs---- E:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-16 21:54 . 2007-12-16 21:54 <DIR> d-------- E:\Program Files\doc
2007-12-16 14:00 . 2004-08-03 23:08 26,496 --a--c--- E:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-16 13:16 . 2007-12-27 19:32 <DIR> d-------- E:\Program Files\WinTV
2007-12-16 13:16 . 2007-12-16 13:16 <DIR> d-------- E:\Program Files\Common Files\IviSDK
2007-12-16 13:15 . 2007-12-26 23:34 6,694 --a------ E:\WINDOWS\HCWPNP.INI
2007-12-16 13:10 . 2007-03-23 12:51 131,072 --a------ E:\WINDOWS\system32\drivers\hcw99bda.sys
2007-12-16 13:10 . 2007-03-23 12:51 10,368 --a------ E:\WINDOWS\system32\drivers\hcw99rc.sys
2007-12-16 12:53 . 2007-12-16 12:53 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\ATI
2007-12-16 12:53 . 2007-12-16 12:53 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\ATI
2007-12-16 12:50 . 2007-12-16 12:50 <DIR> d-------- E:\Program Files\Common Files\ATI Technologies
2007-12-16 12:48 . 2007-12-16 12:51 <DIR> d-------- E:\Program Files\ATI Technologies
2007-12-16 12:48 . 2007-11-01 21:05 593,920 --------- E:\WINDOWS\system32\ati2sgag.exe
2007-12-16 12:40 . 2007-12-16 12:40 <DIR> d---s---- E:\Documents and Settings\Anyone\UserData
2007-12-16 12:12 . 2007-12-27 15:56 64,988 --a------ E:\WINDOWS\system32\DVCState-{00000005-00000000-00000000-00001102-00000005-00211102}.rfx
2007-12-16 12:12 . 2007-12-27 15:56 55,308 --a------ E:\WINDOWS\system32\BMXStateBkp-{00000005-00000000-00000000-00001102-00000005-00211102}.rfx
2007-12-16 12:12 . 2007-12-27 15:56 55,308 --a------ E:\WINDOWS\system32\BMXState-{00000005-00000000-00000000-00001102-00000005-00211102}.rfx
2007-12-16 12:12 . 2007-12-27 15:56 1,080 --a------ E:\WINDOWS\system32\settingsbkup.sfm
2007-12-16 12:12 . 2007-12-27 15:56 1,080 --a------ E:\WINDOWS\system32\settings.sfm
2007-12-16 12:11 . 2006-05-08 09:54 647,872 --a------ E:\WINDOWS\system32\Mscomct2.ocx
2007-12-16 12:11 . 1999-10-11 01:00 41,984 --------- E:\WINDOWS\Ctregrun.exe
2007-12-16 12:10 . 1999-12-13 01:01 44,032 --------- E:\WINDOWS\system32\CTSVCCDA.EXE
2007-12-16 12:10 . 1999-11-18 01:00 25,088 --------- E:\WINDOWS\system32\CTSVCCTL.EXE
2007-12-16 12:09 . 2007-12-21 23:22 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Creative
2007-12-16 12:08 . 2007-12-16 12:08 <DIR> d-------- E:\WINDOWS\system32\Data
2007-12-16 12:08 . 2007-12-16 12:08 <DIR> d-------- E:\Documents and Settings\Anyone\Application Data\Creative
2007-12-16 12:06 . 2007-12-16 12:11 <DIR> d-------- E:\Program Files\Creative
2007-12-15 19:43 . 2006-05-11 11:30 247,808 --a------ E:\WINDOWS\system32\drivers\iaStor.sys
2007-12-13 19:09 . 2007-12-13 19:09 972,072 --a------ E:\WINDOWS\UNNeroMediaHome.exe
2007-12-04 09:59 . 2007-12-04 09:59 972,072 --a------ E:\WINDOWS\UNRecode.exe
2007-12-03 18:04 . 2007-12-03 18:04 95,600 --a------ E:\WINDOWS\system32\NeroCo.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 01:45 --------- d--h--w E:\Program Files\InstallShield Installation Information
2007-12-16 12:50 --------- d-----w E:\Program Files\Common Files\InstallShield
2007-12-16 12:47 929 ----a-w E:\WINDOWS\system32\drivers\ativcaxx.vp
2007-12-16 12:47 9,314,304 ----a-w E:\WINDOWS\system32\atioglx2.dll
2007-12-16 12:47 53,248 ----a-w E:\WINDOWS\system32\ATIDDC.DLL
2007-12-16 12:47 5,435,392 ----a-w E:\WINDOWS\system32\atioglxx.dll
2007-12-16 12:47 499,712 ----a-w E:\WINDOWS\system32\ati2cqag.dll
2007-12-16 12:47 495,616 ----a-w E:\WINDOWS\system32\ati2evxx.exe
2007-12-16 12:47 49,152 ----a-w E:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-16 12:47 47,360 ----a-w E:\WINDOWS\system32\drivers\ativvpxx.vp
2007-12-16 12:47 43,520 ----a-w E:\WINDOWS\system32\ati2edxx.dll
2007-12-16 12:47 376,832 ----a-w E:\WINDOWS\system32\atikvmag.dll
2007-12-16 12:47 364,544 ----a-w E:\WINDOWS\system32\ATIDEMGX.dll
2007-12-16 12:47 307,200 ----a-w E:\WINDOWS\system32\atiiiexx.dll
2007-12-16 12:47 3,133,728 ----a-w E:\WINDOWS\system32\ati3duag.dll
2007-12-16 12:47 268,288 ----a-w E:\WINDOWS\system32\ati2dvag.dll
2007-12-16 12:47 26,112 ----a-w E:\WINDOWS\system32\Ati2mdxx.exe
2007-12-16 12:47 24,064 ----a-w E:\WINDOWS\system32\ativcoxx.dll
2007-12-16 12:47 2,644,480 ----a-w E:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-16 12:47 2,096 ----a-w E:\WINDOWS\system32\drivers\ativdkxx.vp
2007-12-16 12:47 2,096 ----a-w E:\WINDOWS\system32\drivers\ativckxx.vp
2007-12-16 12:47 176,128 ----a-w E:\WINDOWS\system32\atiok3x2.dll
2007-12-16 12:47 17,408 ----a-w E:\WINDOWS\system32\atitvo32.dll
2007-12-16 12:47 143,360 ----a-w E:\WINDOWS\system32\atipdlxx.dll
2007-12-16 12:47 122,880 ----a-w E:\WINDOWS\system32\Oemdspif.dll
2007-12-16 12:47 122,880 ----a-w E:\WINDOWS\system32\ati2evxx.dll
2007-12-16 12:47 1,602,176 ----a-w E:\WINDOWS\system32\ativvaxx.dll
2007-12-16 12:47 1,311,202 ----a-w E:\WINDOWS\system32\drivers\ativcaxx.cpa
2007-12-16 12:09 81,920 ----a-w E:\WINDOWS\system32\OpenAL32.dll
2007-12-16 12:09 233,472 ----a-w E:\WINDOWS\system32\wrap_oal.dll
2007-12-16 11:40 --------- d-----w E:\Program Files\Intel
2007-12-16 11:40 --------- d-----w E:\Program Files\GIGABYTE
2007-12-16 11:21 --------- d-----w E:\Program Files\microsoft frontpage
2007-11-21 17:31 132,904 ----a-w E:\WINDOWS\system32\drivers\imagesrv.sys
2007-11-21 17:31 11,304 ----a-w E:\WINDOWS\system32\drivers\imagedrv.sys
2007-08-02 17:53 536 ----a-w E:\Program Files\setup.reg
2007-07-10 11:34 60,233 ----a-w E:\Program Files\release_notes_kav7.0_en.html
2007-06-28 13:13 32,576 ----a-w E:\Program Files\setup.exe
2007-06-28 13:12 24,285,696 ----a-w E:\Program Files\kav.en.msi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"Creative Detector"="E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10]
"MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverCD"="D:\Run.exe" []
"IAAnotif"="E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 11:47]
"GBB36X Configure"="E:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 08:46]
"CTHelper"="CTHELPER.EXE" [2005-08-08 06:10 E:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 06:10 E:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="E:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"StartCCC"="E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"EPGServiceTool"="E:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe" [2007-08-01 04:26]
"AVP"="E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
"NapsterShell"="E:\Program Files\Napster\napster.exe" [2007-01-12 19:36]
"NeroFilterCheck"="E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"NBKeyScan"="E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21]
"SpySweeper"="E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]

R2 EPGService;EPGService;E:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe [2007-09-05 17:46]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-12-03 14:21]
R3 ha20x2k;Creative 20X HAL Driver;E:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-08 05:54]
R3 HCW99BDA;Hauppauge Nova-DT Dual DVB-T Tuner;E:\WINDOWS\system32\Drivers\hcw99bda.sys [2007-03-23 12:51]
R3 hcw99rc;Hauppauge Nova-DT IR Driver;E:\WINDOWS\system32\Drivers\hcw99rc.sys [2007-03-23 12:51]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;E:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 HauppaugeTVServer;HauppaugeTVServer;E:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 20:28:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 20:29:46


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:28:35, on 28/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\Program Files\Napster\napster.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
E:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\WinTV\Ir.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\WINDOWS\system32\CTsvcCDA.EXE
E:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
E:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DriverCD] D:\Run.exe
O4 - HKLM\..\Run: [IAAnotif] "E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [GBB36X Configure] "E:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [EPGServiceTool] "E:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe"
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NapsterShell] "E:\Program Files\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [NeroFilterCheck] "E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = E:\Program Files\WinTV\Ir.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E115D08E-2E70-420D-97DA-019509972A55}: NameServer = 212.23.3.100,212.23.6.100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPGService - Hauppauge Computer Works - E:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - E:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - E:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6017 bytes

#4 RichieUK
  • Malware Response Team

Posted 27 December 2007 - 06:53 PM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in the bottom left-hand corner.
Click on the 'System Startup' icon.
Uncheck the 'TeaTimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then check next to the computer clock to see if the icon for Spybot is still there.
If it is, right-click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's TeaTimer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


Please download OTMoveIt by OldTimer and save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

E:\WINDOWS\system32\ardCo01
E:\WINDOWS\mrofinu572.exe.tmp


Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red MoveIt! button.
Copy everything in the 'Results' window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine, choose Yes.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [E:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


#5 sonic999

sonic999
  • Topic Starter

  • Validating
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 28 December 2007 - 07:23 AM

E:\WINDOWS\system32\ardCo01 moved successfully.
E:\WINDOWS\mrofinu572.exe.tmp moved successfully.

Created on 12292007_112019

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/29/2007 at 11:58 AM

Application Version : 3.9.1008

Core Rules Database Version : 3369
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 00:17:29

Memory items scanned : 510
Memory threats detected : 0
Registry items scanned : 5067
Registry threats detected : 0
File items scanned : 22084
File threats detected : 2

Trojan.Downloader-Gen/BundleBase
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\INEWC01\INEWC011065.EXE.VIR
E:\_OTMOVEIT\MOVEDFILES\12292007_112019\WINDOWS\SYSTEM32\ARDCO01\ARDCO011065.EXE

#6 sonic999

sonic999
  • Topic Starter

  • Validating
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 28 December 2007 - 07:30 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:20, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\WINDOWS\system32\CTsvcCDA.EXE
E:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
E:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\Napster\napster.exe
E:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
E:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\WinTV\Ir.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\WINDOWS\system32\wpabaln.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DriverCD] D:\Run.exe
O4 - HKLM\..\Run: [IAAnotif] "E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [GBB36X Configure] "E:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [EPGServiceTool] "E:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe"
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NapsterShell] "E:\Program Files\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [NeroFilterCheck] "E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SpySweeper] E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = E:\Program Files\WinTV\Ir.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E115D08E-2E70-420D-97DA-019509972A55}: NameServer = 212.23.3.100,212.23.6.100
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPGService - Hauppauge Computer Works - E:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - E:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - E:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6109 bytes

The computer seems to run just fine.
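As a worked example added here (not from this thread, from HijackThis, or from any tool the helper named), a small Python triage script that parses the O4, O17, O20 and O23 lines of a log like the one above and lists the entries a reviewer would check first. The sample lines are constructed in the same format as the posted log; the rules, the function names and the Finding type are this example's own, and a finding means "look here first", not "malicious".

```python
"""HijackThis log triage, an added example (not from this thread or from
HijackThis itself). Parses the O4, O17, O20 and O23 lines a helper normally
reads by eye and returns the entries worth checking first. SAMPLE_LOG is
constructed in the format of the log posted above; Finding, parse_log,
split_command, review and triage are this example's own names."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis format (raw string keeps the backslashes).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SpySweeper] E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{E115D08E-2E70-420D-97DA-019509972A55}: NameServer = 212.23.3.100,212.23.6.100
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# One regex per section type; named groups become the entry's fields.
LINE_PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O17": re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$"),
}


@dataclass
class Finding:
    section: str
    name: str
    reason: str


def parse_log(text):
    """Return (section, fields) for every line one of the patterns matches."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, pattern in LINE_PATTERNS.items():
            m = pattern.match(line)
            if m:
                entries.append((section, m.groupdict()))
                break
    return entries


def split_command(cmd):
    """Split a Run-key command into (executable, arguments, was_quoted)."""
    m = re.match(r'"([^"]+)"\s*(.*)$', cmd)
    if m:
        return m.group(1), m.group(2), True
    # Unquoted: keep everything up to the first .exe so paths with spaces survive.
    m = re.match(r"(\S.*?\.exe)\b\s*(.*)$", cmd, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2), False
    return cmd, "", False


def review(entries):
    """Apply reviewer rules; a finding means 'look here first', not 'malicious'."""
    findings = []
    for section, f in entries:
        if section == "O4":
            exe, _args, quoted = split_command(f["cmd"])
            if not re.match(r"^[A-Za-z]:\\", exe):
                findings.append(Finding(section, f["name"],
                    "executable named without a full path; resolved via the search path"))
            elif " " in exe and not quoted:
                findings.append(Finding(section, f["name"],
                    "unquoted path containing spaces"))
        elif section == "O17":
            findings.append(Finding(section, f["key"],
                "DNS servers set to " + f["servers"] + "; confirm they belong to the ISP"))
        elif section == "O20":
            findings.append(Finding(section, f["name"],
                "Winlogon Notify DLL loads at every logon; confirm the vendor of " + f["path"]))
        elif section == "O23" and f["owner"] == "Unknown owner":
            findings.append(Finding(section, f["name"],
                "service binary carries no vendor name: " + f["path"]))
    return findings


def triage(text=SAMPLE_LOG):
    """Parse and review a whole log; returns the list of Finding objects."""
    return review(parse_log(text))


if __name__ == "__main__":
    for fnd in triage():
        print(f"{fnd.section:<4} {fnd.name[:40]:<40} {fnd.reason}")
```

Run against the sample it reports five entries: the two Run keys that name a bare executable or an unquoted path with spaces, the O17 DNS servers (to be checked against the ISP's), the O20 Winlogon Notify DLL, and the O23 service with no vendor string. None of those is evidence of infection on its own; the posted log was judged clean, and the ATI service's "Unknown owner" only means HijackThis found no vendor name in the binary.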

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 28 December 2007 - 07:52 AM

Your log is clean :thumbsup:, please do the following:

Please double-click OTMoveIt.exe again to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm