
Hjt & Combofix Log



#1 i555007


Posted 26 December 2007 - 07:36 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:29 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C1C13E49-440C-49A2-9BA7-43ECDD865C03} - C:\Program Files\Internet Explorer\hokel83122.dll (file missing)
O2 - BHO: (no name) - {DBD6C166-E09D-471A-8A13-B9EDA7FEBB9F} - C:\Program Files\Internet Explorer\hokel4444.dll (file missing)
O2 - BHO: 0 - {DD4333C2-4C71-48C0-5EBC-5F71DE85A4CA} - C:\Program Files\Windows Media Player\lavufat631.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1195611583112
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1195611532369
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

--
End of file - 4779 bytes
__________________________________________________________________________________________________


<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

__________________________________________________________________________________________________

ComboFix 07-12-27.1 - Jeremy 2007-12-26 15:39:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -6:00]
Running from: C:\Documents and Settings\Jeremy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\curity~1
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\iifgfee.dll
C:\WINDOWS\system32\ljjkiff.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\uvwxx.ini
C:\WINDOWS\SYSTEM32\uvwxx.ini2
C:\WINDOWS\system32\xxwvu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-26 02:26 . 2007-12-26 02:27 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-25 21:20 . 2007-12-26 12:44 2,104 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-25 18:44 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-25 18:42 . 2007-12-25 18:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 13:50 . 2007-12-25 13:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-25 13:42 . 2007-12-25 13:42 <DIR> d-------- C:\SOPHTEMP
2007-12-25 13:37 . 2007-12-25 13:38 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\AdwareAlert
2007-12-25 13:24 . 2007-12-25 13:24 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Viewpoint
2007-12-25 13:15 . 2007-12-25 13:16 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\SpywareBot
2007-12-25 01:27 . 2007-12-25 01:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-25 01:21 . 2007-12-25 20:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\to9
2007-12-25 01:21 . 2007-12-25 01:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\dj2
2007-12-25 01:21 . 2007-12-25 02:18 <DIR> d--hs---- C:\WINDOWS\SmVyZW15
2007-12-25 01:21 . 2007-12-26 00:19 <DIR> d-------- C:\Program Files\xxx
2007-12-25 01:21 . 2007-12-25 01:21 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-12-25 01:20 . 2007-12-25 01:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo01
2007-12-25 01:20 . 2007-12-25 01:21 <DIR> d-------- C:\Temp\cEeer12
2007-12-25 01:20 . 2007-12-27 15:45 <DIR> d-------- C:\Temp
2007-11-30 12:03 . 2007-11-30 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 18:03 59,240 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 08:23 --------- d--h--w C:\Documents and Settings\Jeremy\Application Data\Move Networks
2007-12-26 00:44 --------- d-----w C:\Program Files\Java
2007-12-25 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 06:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1C13E49-440C-49A2-9BA7-43ECDD865C03}]
C:\Program Files\Internet Explorer\hokel83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBD6C166-E09D-471A-8A13-B9EDA7FEBB9F}]
C:\Program Files\Internet Explorer\hokel4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD4333C2-4C71-48C0-5EBC-5F71DE85A4CA}]
C:\Program Files\Windows Media Player\lavufat631.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-08-20 20:24]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\SYSTEM32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 07:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-01-04 11:50 405583 --a------ C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2002-04-26 13:01 34816 --a------ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

S1 xxx;xxx;C:\WINDOWS\system32\drivers\core.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Desktop#E]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-25 19:37:59 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert.JeremyWRuns AdwareAlert to scan your computer for malicious and potenially unwanted programs.
"2007-12-26 08:00:28 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot.JeremyVRuns SpywareBot to scan your computer for malicious and potenially unwanted programs.
"2007-12-27 21:49:06 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-26 08:27:03 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 15:49:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-12-27 15:51:45 - machine was rebooted



#2 RichieUK (Malware Response Team)

Posted 27 December 2007 - 07:58 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, i555007.
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed, which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic [Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you're done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 i555007


Posted 28 December 2007 - 01:46 PM

Thanks for your help, Richie.

I'm not a big fan of running virus protection all the time; it causes more problems than just dealing with a virus once or twice a year.

Also, antivirus/malware scanners are a scam; my current infection is caused by people that get paid by those program developers.

AntiVir PersonalEdition Classic
Report file date: Friday, December 28, 2007 14:41

Scanning for 993853 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: LAPTOP

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 20:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 19:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 22:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 19:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 21:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 20:39:40
ANTIVIR2.VDF : 7.0.1.157 286720 Bytes 12/26/2007 20:39:40
ANTIVIR3.VDF : 7.0.1.164 19456 Bytes 12/27/2007 20:39:40
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 12/28/2007 20:39:41
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 17:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 14:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 20:16:24
AVPACK32.DLL : 7.6.0.2 360488 Bytes 12/28/2007 20:39:41
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 14:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 19:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 14:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 18:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 19:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 19:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 16:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, December 28, 2007 14:41

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'WINWORD.EXE' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process '1XConfig.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '23' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\!update.exe.bac_a03648
[DETECTION] Is the Trojan horse TR/Dldr.PuritySca.A
[INFO] The file was deleted!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\A0122180.exe.bac_a03648
[DETECTION] Is the Trojan horse TR/Dldr.CWS.gen.2
[INFO] The file was deleted!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\A0122181.exe.bac_a03648
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[INFO] The file was deleted!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\A0122182.exe.bac_a03648
[DETECTION] Is the Trojan horse TR/BHO.AB.4
[INFO] The file was deleted!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\A0122230.exe.bac_a03648
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47a66071.qua'!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\A0122371.exe.bac_a03648
[DETECTION] Is the Trojan horse TR/BHO.AB.4
[INFO] The file was deleted!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\lavufat.dll.bac_a03648
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was moved to '47eb60cb.qua'!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\lavufat125.dll.bac_a03648
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was moved to '4695909c.qua'!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\lavufat288.dll.bac_a03648
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was moved to '47eb60cc.qua'!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\lavufat631.dll.bac_a03648
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was moved to '4695909d.qua'!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\Setup.exe.bac_a01800
[DETECTION] Contains detection pattern of the worm WORM/Rbot.174080
[INFO] The file was moved to '47e960dd.qua'!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\tk58.exe.bac_a03648
[DETECTION] Is the Trojan horse TR/BHO.AB.4
[INFO] The file was moved to '47aa60e5.qua'!
C:\Documents and Settings\Jeremy\.housecall6.6\Quarantine\v.tmp.bac_a01800
[DETECTION] Contains detection pattern of the worm WORM/Rbot.174080
[INFO] The file was moved to '47e960a9.qua'!
C:\qoobox\Quarantine\catchme2007-12-27_154916.91.zip
[0] Archive type: ZIP
--> core.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> xxwvu.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '47e965c5.qua'!
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ljjkiff.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '47df65cf.qua'!
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\xxwvu.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '47ec65dd.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000014.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '47a5659e.qua'!
C:\WINDOWS\mrofinu572.exe.tmp
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47e4660c.qua'!
C:\WINDOWS\SYSTEM32\dj2\axebmbrpl6.exe
[DETECTION] Is the Trojan horse TR/Pakes.bvs
[INFO] The file was moved to '47da6888.qua'!


End of the scan: Friday, December 28, 2007 15:19
Used time: 37:38 min

The scan has been done completely.

4488 Scanning directories
207246 Files were scanned
19 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
5 files were deleted
0 files were repaired
14 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
207227 Files not concerned
3218 Archives were scanned
1 Warnings
0 Notes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



ComboFix 07-12-27.1 - Jeremy 2007-12-29 12:31:13.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.291 [GMT -6:00]
Running from: C:\Documents and Settings\Jeremy\Desktop\spy\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 14:36 . 2007-12-28 14:36 <DIR> d-------- C:\Program Files\Avira
2007-12-28 14:36 . 2007-12-28 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-26 02:26 . 2007-12-26 02:27 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-25 21:20 . 2007-12-26 12:44 2,104 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-25 18:44 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-25 18:42 . 2007-12-25 18:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 13:50 . 2007-12-25 13:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-25 13:42 . 2007-12-25 13:42 <DIR> d-------- C:\SOPHTEMP
2007-12-25 13:37 . 2007-12-25 13:38 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\AdwareAlert
2007-12-25 13:24 . 2007-12-25 13:24 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Viewpoint
2007-12-25 13:15 . 2007-12-25 13:16 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\SpywareBot
2007-12-25 01:27 . 2007-12-25 01:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-25 01:21 . 2007-12-25 20:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\to9
2007-12-25 01:21 . 2007-12-28 15:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\dj2
2007-12-25 01:21 . 2007-12-25 02:18 <DIR> d--hs---- C:\WINDOWS\SmVyZW15
2007-12-25 01:21 . 2007-12-26 00:19 <DIR> d-------- C:\Program Files\xxx
2007-12-25 01:20 . 2007-12-25 01:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo01
2007-12-25 01:20 . 2007-12-25 01:21 <DIR> d-------- C:\Temp\cEeer12
2007-12-25 01:20 . 2007-12-27 15:45 <DIR> d-------- C:\Temp
2007-11-30 12:03 . 2007-11-30 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 18:03 59,240 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 08:23 --------- d--h--w C:\Documents and Settings\Jeremy\Application Data\Move Networks
2007-12-26 00:44 --------- d-----w C:\Program Files\Java
2007-12-25 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 06:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((( snapshot@2007-12-27_15.51.06.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-09 19:04:11 40,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys
+ 2007-07-18 20:22:19 21,312 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntmgr.sys
+ 2007-12-28 20:39:41 61,632 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys
+ 2007-03-01 16:34:36 28,352 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1C13E49-440C-49A2-9BA7-43ECDD865C03}]
C:\Program Files\Internet Explorer\hokel83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBD6C166-E09D-471A-8A13-B9EDA7FEBB9F}]
C:\Program Files\Internet Explorer\hokel4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD4333C2-4C71-48C0-5EBC-5F71DE85A4CA}]
C:\Program Files\Windows Media Player\lavufat631.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-08-20 20:24]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\SYSTEM32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 07:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-01-04 11:50 405583 --a------ C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2002-04-26 13:01 34816 --a------ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

S1 xxx;xxx;C:\WINDOWS\system32\drivers\core.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Desktop#E]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2007-12-25 19:37:59 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
"2007-12-26 08:00:28 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot.JeremyVRuns SpywareBot to scan your computer for malicious and potenially unwanted programs.
"2007-12-29 04:39:45 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-26 08:27:03 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 12:33:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 12:34:46
C:\ComboFix2.txt ... 2007-12-27 15:51

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 28 December 2007 - 03:47 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
Folder::
C:\Documents and Settings\Jeremy\Application Data\Viewpoint
C:\Documents and Settings\Jeremy\Application Data\SpywareBot
C:\WINDOWS\SYSTEM32\to9
C:\WINDOWS\SYSTEM32\dj2
C:\WINDOWS\SmVyZW15
C:\Program Files\xxx
C:\WINDOWS\SYSTEM32\ardCo01
C:\Temp\cEeer12
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1C13E49-440C-49A2-9BA7-43ECDD865C03}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBD6C166-E09D-471A-8A13-B9EDA7FEBB9F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD4333C2-4C71-48C0-5EBC-5F71DE85A4CA}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
Driver::
xxx

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged and dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
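The items the script above targets are the kind a helper picks out of a ComboFix/HijackThis log by eye: a driver with a placeholder name and no file details (the `S1 xxx;xxx;...core.sys []` line), a per-volume AutoRun handler under mountpoints2 (`E:\setup.exe`), and folders with names that look machine-generated (`C:\WINDOWS\SmVyZW15`, which is the base64 encoding of the user name "Jeremy"). The script below is an added example for this thread, not code from HijackThis, ComboFix or any of the posters: it encodes those checks as heuristics over raw log lines. The regular expressions are my own reading of the line formats visible in this thread, not an official specification of either tool, and the "trusted roots" list assumes a stock English Windows XP layout. The sample lines are quoted from the thread except the last, which is constructed to give the path rule a hit.

```python
"""Triage heuristics for HijackThis / ComboFix log lines.

Added example for this thread, not code from HijackThis, ComboFix or the
posters. The regexes are my own reading of the line formats shown in the
thread, not an official specification of either tool.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Roots under which a legitimately installed autostart binary is expected
# (assumption: a stock English XP layout like the one in the thread).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# ComboFix driver line:  S1 xxx;xxx;C:\WINDOWS\system32\drivers\core.sys []
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
# ComboFix mountpoints2 entry:  \Shell\AutoRun\command - E:\setup.exe
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$")
# HijackThis O4 line:  O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# First drive-letter path ending in a loadable module inside a command line.
MODULE_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cpl|scr|com)\b", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")

Finding = Tuple[str, str]  # (rule, detail)


def decode_base64_name(name: str) -> Optional[str]:
    """Return the plaintext if `name` is canonical base64 of printable ASCII.

    SmVyZW15 in the thread is such a name (it decodes to the user name).
    Ordinary folder names fail the length, canonical-encoding or
    printable-bytes test, so this is a low-noise signal.
    """
    if len(name) % 4 or not B64_RE.fullmatch(name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except binascii.Error:
        return None
    if base64.b64encode(raw).decode("ascii") != name:
        return None  # decodes, but is not the canonical encoding of anything
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def module_path(command: str) -> Optional[str]:
    """Executable/DLL path in an O4 command, or None for a bare name like nwiz.exe."""
    m = MODULE_RE.search(command)
    return m.group(0) if m else None


def triage(lines: List[str]) -> List[Finding]:
    """Run the heuristics over log lines and return (rule, detail) findings."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip()
        m = DRIVER_RE.match(line)
        if m and not m.group(4).strip():
            # Empty brackets where ComboFix otherwise prints the driver file's
            # date/size: the file could not be read, so the entry is unverified.
            findings.append(("driver-without-file-info", m.group(3)))
        m = AUTORUN_RE.match(line)
        if m:
            # A per-volume AutoRun handler: the classic removable-media vector.
            findings.append(("mountpoints2-autorun", m.group(1)))
        m = O4_RE.match(line)
        if m:
            path = module_path(m.group(3))
            if path is None:
                # Resolved through PATH at logon; has to be located by hand.
                findings.append(("run-entry-bare-name", m.group(3)))
            elif not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(("run-entry-outside-trusted-roots", path))
        for component in line.split("\\"):
            decoded = decode_base64_name(component)
            if decoded:
                findings.append(("base64-folder-name", f"{component} -> {decoded}"))
    return findings


# Sample input: the first five lines are quoted from the thread's ComboFix and
# HijackThis output; the last one is constructed for this example.
SAMPLE_LINES = [
    r"S1 xxx;xxx;C:\WINDOWS\system32\drivers\core.sys []",
    r"\Shell\AutoRun\command - E:\setup.exe",
    r"C:\WINDOWS\SmVyZW15",
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet",
    r"O4 - HKLM\..\Run: [ardCo01] C:\Temp\cEeer12\ardCo011065.exe",  # constructed
]


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"{rule:32} {detail}")
```

Run it against a saved ComboFix.txt or hijackthis.log by reading the file into `triage()`. The findings are prompts for a human, not verdicts: the Apoint entry is silent because it lives under Program Files, while adware such as WinAble also installs there, so a quiet log still needs the usual vendor and file-signature checks.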

#5 i555007 (Topic Starter, Members, 28 posts)

Posted 31 December 2007 - 02:00 PM

What are all the “extra buttons” on the HJT log for, toolbar add-ons? I don’t install them.



ComboFix 07-12-27.1 - Jeremy 2007-12-31 22:44:54.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.279 [GMT -6:00]
Running from: C:\Documents and Settings\Jeremy\Desktop\spy\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeremy\Desktop\spy\cfscript.txt
* Created a new restore point

FILE
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9\FLFBootStrap.mtx
C:\Documents and Settings\Jeremy\Application Data\SpywareBot
C:\Documents and Settings\Jeremy\Application Data\SpywareBot\Log\2007 Dec 26 - 02_00_28 AM_598.log
C:\Documents and Settings\Jeremy\Application Data\SpywareBot\rs.dat
C:\Documents and Settings\Jeremy\Application Data\SpywareBot\Settings\ScanResults.pie
C:\Documents and Settings\Jeremy\Application Data\Viewpoint
C:\Documents and Settings\Jeremy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-2050836311.mtj&p2=1&p3=11693694404140051614814804618703&p4=50335392
C:\Documents and Settings\Jeremy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\Jeremy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\Jeremy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\Jeremy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\Jeremy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\Program Files\xxx
C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\WINDOWS\SmVyZW15
C:\WINDOWS\SYSTEM32\ardCo01
C:\WINDOWS\SYSTEM32\ardCo01\ardCo011065.exe
C:\WINDOWS\SYSTEM32\dj2
C:\WINDOWS\SYSTEM32\to9
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\xxx


((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.

2007-12-28 14:36 . 2007-12-28 14:36 <DIR> d-------- C:\Program Files\Avira
2007-12-28 14:36 . 2007-12-28 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-26 02:26 . 2007-12-26 02:27 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-25 21:20 . 2007-12-26 12:44 2,104 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-25 18:44 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-25 18:42 . 2007-12-25 18:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 13:50 . 2007-12-25 13:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-25 13:42 . 2007-12-25 13:42 <DIR> d-------- C:\SOPHTEMP
2007-12-25 13:37 . 2007-12-25 13:38 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\AdwareAlert
2007-12-25 01:27 . 2007-12-25 01:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-25 01:20 . 2007-12-31 22:47 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 18:03 59,240 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 08:23 --------- d--h--w C:\Documents and Settings\Jeremy\Application Data\Move Networks
2007-12-26 00:44 --------- d-----w C:\Program Files\Java
2007-12-25 06:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 18:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
.

((((((((((((((((((((((((((((( snapshot@2007-12-27_15.51.06.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-09 19:04:11 40,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys
+ 2007-07-18 20:22:19 21,312 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntmgr.sys
+ 2007-12-28 20:39:41 61,632 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys
+ 2007-03-01 16:34:36 28,352 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-08-20 20:24]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\SYSTEM32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-28 23:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 07:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-01-04 11:50 405583 --a------ C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2002-04-26 13:01 34816 --a------ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Desktop#E]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 09:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
"2008-01-01 04:48:58 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-26 08:27:03 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 22:49:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 22:51:00 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-29 12:34
C:\ComboFix3.txt ... 2007-12-27 15:51


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:04 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1195611583112
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1195611532369
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

--
End of file - 4422 bytes

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 31 December 2007 - 02:49 PM

Your log is clean :thumbsup:

You've uninstalled your virus protection 'Avira'; that's entirely up to you, but I have to say I cannot understand your line of thought. I'll say no more on the matter.

Please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on Ok.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?' Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Edited by RichieUK, 31 December 2007 - 02:50 PM.
