
Geeba.exe - Hijackthis Log


7 replies to this topic

#1 Slacky07

Slacky07

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:00 AM

Posted 27 December 2007 - 05:50 AM

Hi There,

Recently my computer seems to be having issues when closing down windows that have popped up, or been opened up (such as right click, open link in new window). I ran a full AVG scan and it found and fixed a few problems, but the issue is still there.

When my PC starts I get an error message saying that the geeba.exe file is missing, but you can just click on OK and it goes away. But then sometimes when closing down popups, the bottom bar of my screen (with the Windows Start button on it) disappears for a few seconds, reappears, then AVG alerts you that a threat has been found (something like Trojan Horse Generic Dropper, Geeba.exe).

I would be very grateful for any help.

Below is my HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:33, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\AVGANT~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programs\AdAware\aawservice.exe
D:\XAMPP\apache\bin\apache.exe
D:\Programs\AVGANT~1\avgamsvr.exe
D:\Programs\AVGANT~1\avgupsvc.exe
D:\Programs\AVGANT~1\avgemc.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\XAMPP\apache\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\geeba.exe
O4 - HKLM\..\Run: [nTrayFw] D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\Programs\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programs\AdobeReader\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitTorrent] "D:\Programs\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\Programs\AVGANT~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\AdAware\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - D:\XAMPP\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - http://www.ambervalley.gov.uk/AVBC/core/im...leIcons/pdf.gif

--
End of file - 5474 bytes


#2 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  • Gender:Male
  • Location:Chester uk
  • Local time:11:00 AM

Posted 03 January 2008 - 11:48 AM

Hi Slacky07

I will be helping you with your problems.

Navigate to:

C:\Program Files\Trend Micro\HijackThis

Then locate HijackThis.exe, right-click on it and select Rename.

Rename it to Slacky07 and then run it and post a fresh log in your next reply.

NOTE: You may need to set your system to show all files. If so follow this next step:

Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

DC

#3 Slacky07

Slacky07
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:00 AM

Posted 03 January 2008 - 04:56 PM

Hi DC, thanks for the reply. Here is my new log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:35, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Programs\AVGANT~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programs\AdobeReader\Reader\Reader_sl.exe
D:\Programs\AdAware\aawservice.exe
D:\XAMPP\apache\bin\apache.exe
D:\Programs\AVGANT~1\avgamsvr.exe
D:\Programs\AVGANT~1\avgupsvc.exe
D:\Programs\AVGANT~1\avgemc.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\XAMPP\apache\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Slacky07.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\geeba.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {6A782806-15EE-46B7-8049-F9A3FEE2B3DF} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {6F7AA76F-F3D2-4FBF-8DAE-6BAD5ABD5BF8} - C:\Program Files\ComPlus Applications\hoketC:\WINDOWS\system32\vmi4\parreo83122.exe.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - C:\WINDOWS\system32\yaywuuu.dll (file missing)
O4 - HKLM\..\Run: [nTrayFw] D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\Programs\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programs\AdobeReader\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitTorrent] "D:\Programs\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\Programs\AVGANT~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: yaywuuu - yaywuuu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\AdAware\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - D:\XAMPP\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - http://www.ambervalley.gov.uk/AVBC/core/im...leIcons/pdf.gif

--
End of file - 6337 bytes

#4 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  • Gender:Male
  • Location:Chester uk
  • Local time:11:00 AM

Posted 04 January 2008 - 12:34 PM

Hi Slacky07

***Download ComboFix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


DC

#5 Slacky07

Slacky07
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:00 AM

Posted 05 January 2008 - 05:45 AM

Hi DC, see below my ComboFix.txt log followed by a new HijackThis log...

ComboFix 08-01-04.1 - Richard 2008-01-05 10:33:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1186 [GMT 0:00]
Running from: C:\Documents and Settings\Richard\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX1A.tmp
C:\WINDOWS\system32\RCX1B.tmp
C:\WINDOWS\system32\RCX1C.tmp

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-03 16:54 . 2008-01-04 14:57 <DIR> d-------- C:\Documents and Settings\Richard\Application Data\gtk-2.0
2008-01-03 16:54 . 2008-01-03 16:54 <DIR> d-------- C:\Documents and Settings\Richard\.thumbnails
2008-01-03 16:54 . 2008-01-04 14:59 <DIR> d-------- C:\Documents and Settings\Richard\.gimp-2.4
2007-12-30 12:25 . 2007-12-30 12:25 3,584 --a------ C:\WINDOWS\system32\geeba.exe
2007-12-27 10:49 . 2007-12-27 10:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 10:41 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-27 10:27 . 2007-12-27 10:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-27 10:27 . 2007-12-27 10:27 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-27 10:27 . 2007-12-27 10:27 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-23 16:24 . 2007-12-23 16:24 <DIR> d-------- C:\Documents and Settings\Richard\Application Data\PrevxCSI
2007-12-23 16:24 . 2007-12-23 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-22 10:30 . 2007-12-23 14:37 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 00:05 . 2007-12-22 00:05 <DIR> d-------- C:\WINDOWS\system32\vmi4
2007-12-22 00:05 . 2007-12-22 00:05 <DIR> d-------- C:\WINDOWS\system32\lab2
2007-12-22 00:05 . 2007-12-22 00:05 <DIR> d-------- C:\WINDOWS\system32\elmo1
2007-12-22 00:05 . 2007-12-22 00:05 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2007-12-22 00:05 . 2007-12-22 00:05 <DIR> d-------- C:\Temp\cEeer12
2007-12-22 00:05 . 2008-01-05 10:36 <DIR> d-------- C:\Temp
2007-12-20 16:15 . 2007-12-20 16:15 <DIR> d-------- C:\DustMiteHelp 2012
2007-12-17 12:53 . 2007-12-28 11:50 <DIR> d-------- C:\Documents and Settings\Richard\Application Data\FileZilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 10:31 --------- d-----w C:\Documents and Settings\Richard\Application Data\AVG7
2007-12-20 12:03 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-17 07:47 --------- d-----w C:\Documents and Settings\Richard\Application Data\LimeWire
2007-12-11 19:02 --------- d-----w C:\Documents and Settings\Richard\Application Data\GetRightToGo
2007-12-01 09:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-01 09:53 --------- d-----w C:\Documents and Settings\Richard\Application Data\InstallShield
2007-11-30 10:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-27 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-27 19:23 --------- d-----w C:\Program Files\Common Files\Merge Modules
2007-11-27 19:22 --------- d-----w C:\Program Files\Microsoft.NET
2007-11-18 15:51 --------- d-----w C:\Documents and Settings\Richard\Application Data\MySQL
2007-11-11 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-10 12:10 73,664 ----a-w C:\Documents and Settings\Richard\Application Data\GDIPFONTCACHEV1.DAT
2007-11-09 18:03 22,328 ----a-w C:\Documents and Settings\Richard\Application Data\PnkBstrK.sys
.
<pre>
----a-w			90,112 2007-12-23 14:37:28  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w		   582,656 2007-12-23 14:37:23  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM  .exe
----a-w		   582,656 2007-12-22 16:05:46  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w			49,152 2007-12-23 14:37:25  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
----a-w		   241,664 2007-12-23 14:37:24  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		 1,667,584 2007-12-23 14:37:31  C:\Program Files\Messenger\msmsgs .exe
----a-w			15,360 2007-12-23 14:37:27  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A782806-15EE-46B7-8049-F9A3FEE2B3DF}]
C:\WINDOWS\system32\geeba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F7AA76F-F3D2-4FBF-8DAE-6BAD5ABD5BF8}]
C:\Program Files\ComPlus Applications\hoketC:\WINDOWS\system32\vmi4\parreo83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"Steam"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [ ]
"BitTorrent"="D:\Programs\BitTorrent\bittorrent.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe" [ ]
"AVG7_CC"="D:\Programs\AVGANT~1\avgcc.exe" [2007-12-21 14:08 579072]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 04:42 577536 C:\WINDOWS\soundman.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"Adobe Reader Speed Launcher"="D:\Programs\AdobeReader\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [ ]
"AVG7_Run"="D:\Programs\AVGANT~1\avgw.exe" [2007-10-23 18:06 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywuuu]
yaywuuu.dll

R2 Apache2.2;Apache2.2;"D:\XAMPP\apache\bin\apache.exe" [2007-09-20 22:29]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 10:37:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 10:41:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 10:41:43
ComboFix2.txt 2007-08-07 19:30:59
ComboFix3.txt 2007-08-07 17:36:25


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:53, on 05/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Programs\AVGANT~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programs\AdAware\aawservice.exe
D:\XAMPP\apache\bin\apache.exe
D:\Programs\AVGANT~1\avgamsvr.exe
D:\Programs\AVGANT~1\avgupsvc.exe
D:\Programs\AVGANT~1\avgemc.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\XAMPP\apache\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Slacky07.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {6A782806-15EE-46B7-8049-F9A3FEE2B3DF} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {6F7AA76F-F3D2-4FBF-8DAE-6BAD5ABD5BF8} - C:\Program Files\ComPlus Applications\hoketC:\WINDOWS\system32\vmi4\parreo83122.exe.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nTrayFw] D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\Programs\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programs\AdobeReader\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitTorrent] "D:\Programs\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\Programs\AVGANT~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: yaywuuu - yaywuuu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\AdAware\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - D:\XAMPP\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - http://www.ambervalley.gov.uk/AVBC/core/im...leIcons/pdf.gif

--
End of file - 6093 bytes
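Added example, not part of the thread and not code from HijackThis or ComboFix: a small Python triage script that runs a few defender-side heuristics over HijackThis-style lines. The sample lines below are constructed to mirror the entries DC acts on in this thread (the F3 win.ini load= entry, the O2/O20 entries marked "(file missing)" or "(no file)", and the binaries listed by ComboFix whose names carry a space before .exe, such as "ISUSPM .exe"); the rules, the `triage` function and the `Finding` class are this example's own, not part of either tool.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not a tool from this thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the logs posted in this thread (not a copy of any one log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\system32\geeba.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6A782806-15EE-46B7-8049-F9A3FEE2B3DF} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O20 - Winlogon Notify: yaywuuu - yaywuuu.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F3", "O2", "O20"
    reason: str    # which heuristic fired
    line: str      # the log line it fired on


# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Windows paths ending in a binary extension; non-greedy so it stops at the first ".exe"/".dll"/".sys"
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|sys)\b', re.IGNORECASE)
# whitespace immediately before the extension, e.g. "ISUSPM .exe" or "ctfmon .exe"
SPACE_BEFORE_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]+$")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per heuristic hit, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")

        # F3: win.ini load=/run= is a legacy autostart; modern software almost never uses it.
        if section == "F3" and re.search(r"(load|run)=\S", body, re.IGNORECASE):
            findings.append(Finding(section, "legacy win.ini autostart (load=/run=)", line))

        # O2: a BHO CLSID registered in IE but with no DLL on disk (orphan or partially removed).
        if section == "O2" and ("(file missing)" in body or "(no file)" in body):
            findings.append(Finding(section, "BHO registered without a backing DLL", line))

        # O20: Winlogon Notify DLLs load into winlogon.exe; a missing one still points at a former implant.
        if section == "O20" and "(file missing)" in body:
            findings.append(Finding(section, "Winlogon Notify DLL not on disk", line))

        # Any section: a binary whose name has a space before its extension is a renamed-aside twin
        # of a legitimate file (the same names ComboFix listed and DC's RENV:: section renames back).
        for path in PATH_RE.findall(body):
            base = path.rsplit("\\", 1)[-1]
            if SPACE_BEFORE_EXT_RE.search(base):
                findings.append(Finding(section, "whitespace before extension in binary name", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports five entries: the F3 load= line, the two orphaned O2 BHOs, the O4 entry pointing at "ISUSPM .exe", and the O20 yaywuuu notify entry; the Adobe BHO, ctfmon.exe and PnkBstrA lines pass. Heuristics like these only rank what to look at first; the decision on each entry still rests with a person reading the whole log, as DC does above.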

#6 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  • Gender:Male
  • Location:Chester uk
  • Local time:11:00 AM

Posted 07 January 2008 - 07:45 AM

Hi Slacky07

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\geeba.exe
C:\WINDOWS\system32\yaywuuu.dll

RENV::
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM  .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Messenger\msmsgs .exe
C:\WINDOWS\system32\ctfmon .exe

Folder::
C:\WINDOWS\system32\vmi4
C:\WINDOWS\system32\lab2
C:\WINDOWS\system32\elmo1
C:\WINDOWS\system32\ardCo01
C:\Temp\cEeer12

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A782806-15EE-46B7-8049-F9A3FEE2B3DF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F7AA76F-F3D2-4FBF-8DAE-6BAD5ABD5BF8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywuuu]

IMPORTANT: The above script was written specifically for the infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix scanning.

When finished, please post the contents of the resultant log found at "C:\ComboFix.txt" along with a fresh HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


DC

#7 Slacky07

Slacky07
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:00 AM

Posted 07 January 2008 - 10:13 AM

Thanks for the reply, here are the two new logs...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:58, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\AdAware\aawservice.exe
D:\XAMPP\apache\bin\apache.exe
D:\Programs\AVGANT~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programs\AVGANT~1\avgamsvr.exe
D:\Programs\AVGANT~1\avgupsvc.exe
D:\Programs\AVGANT~1\avgemc.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\XAMPP\apache\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Slacky07.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nTrayFw] D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\Programs\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programs\AdobeReader\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitTorrent] "D:\Programs\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\Programs\AVGANT~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\AdAware\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - D:\XAMPP\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\Programs\AVGANT~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\Programs\MOTHER~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\Programs\MOTHER~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - http://www.ambervalley.gov.uk/AVBC/core/im...leIcons/pdf.gif

--
End of file - 5707 bytes


ComboFix 08-01-04.1 - Richard 2008-01-07 15:10:05.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1026 [GMT 0:00]
Running from: C:\Documents and Settings\Richard\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Richard\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\geeba.exe
C:\WINDOWS\system32\yaywuuu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\ardCo01\ardCo011065.exe
C:\WINDOWS\system32\elmo1
C:\WINDOWS\system32\geeba.exe
C:\WINDOWS\system32\lab2
C:\WINDOWS\system32\vmi4
C:\WINDOWS\system32\vmi4\parreo83122.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-03 16:54 . 2008-01-07 14:33 <DIR> d-------- C:\Documents and Settings\Richard\Application Data\gtk-2.0
2008-01-03 16:54 . 2008-01-03 16:54 <DIR> d-------- C:\Documents and Settings\Richard\.thumbnails
2008-01-03 16:54 . 2008-01-07 14:33 <DIR> d-------- C:\Documents and Settings\Richard\.gimp-2.4
2007-12-27 10:49 . 2007-12-27 10:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 10:41 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-27 10:27 . 2007-12-27 10:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-27 10:27 . 2007-12-27 10:27 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-27 10:27 . 2007-12-27 10:27 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-23 16:24 . 2007-12-23 16:24 <DIR> d-------- C:\Documents and Settings\Richard\Application Data\PrevxCSI
2007-12-23 16:24 . 2007-12-23 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-22 10:30 . 2007-12-23 14:37 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 00:05 . 2008-01-07 15:11 <DIR> d-------- C:\Temp
2007-12-20 16:15 . 2007-12-20 16:15 <DIR> d-------- C:\DustMiteHelp 2012
2007-12-17 12:53 . 2007-12-28 11:50 <DIR> d-------- C:\Documents and Settings\Richard\Application Data\FileZilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 10:31 --------- d-----w C:\Documents and Settings\Richard\Application Data\AVG7
2007-12-20 12:03 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-20 12:03 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-17 07:47 --------- d-----w C:\Documents and Settings\Richard\Application Data\LimeWire
2007-12-11 19:02 --------- d-----w C:\Documents and Settings\Richard\Application Data\GetRightToGo
2007-12-01 09:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-01 09:53 --------- d-----w C:\Documents and Settings\Richard\Application Data\InstallShield
2007-11-30 10:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-27 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-27 19:23 --------- d-----w C:\Program Files\Common Files\Merge Modules
2007-11-27 19:22 --------- d-----w C:\Program Files\Microsoft.NET
2007-11-18 15:51 --------- d-----w C:\Documents and Settings\Richard\Application Data\MySQL
2007-11-11 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-10 12:10 73,664 ----a-w C:\Documents and Settings\Richard\Application Data\GDIPFONTCACHEV1.DAT
2007-11-10 10:09 36,864 ----a-w C:\WINDOWS\system32\maplec.dll
2007-11-10 10:09 147,456 ----a-w C:\WINDOWS\system32\WMIMPLEX.dll
2007-11-10 08:36 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-11-09 18:03 22,328 ----a-w C:\Documents and Settings\Richard\Application Data\PnkBstrK.sys
.
<pre>
------w		   582,656 2007-12-23 14:37:23  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM  .exe
----a-w		   582,656 2007-12-22 16:05:46  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w			49,152 2007-12-23 14:37:25  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
----a-w		   241,664 2007-12-23 14:37:24  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		 1,667,584 2007-12-23 14:37:31  C:\Program Files\Messenger\msmsgs .exe
----a-w			15,360 2007-12-23 14:37:27  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"Steam"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2007-12-23 14:37 90112]
"BitTorrent"="D:\Programs\BitTorrent\bittorrent.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="D:\Programs\MOTHER~1\NETWOR~1\bin\nTrayFw.exe" [ ]
"AVG7_CC"="D:\Programs\AVGANT~1\avgcc.exe" [2007-12-21 14:08 579072]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 04:42 577536 C:\WINDOWS\soundman.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"Adobe Reader Speed Launcher"="D:\Programs\AdobeReader\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [ ]
"AVG7_Run"="D:\Programs\AVGANT~1\avgw.exe" [2007-10-23 18:06 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

R2 Apache2.2;Apache2.2;"D:\XAMPP\apache\bin\apache.exe" [2007-09-20 22:29]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 15:11:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-07 15:11:58
ComboFix-quarantined-files.txt 2008-01-07 15:11:50
ComboFix2.txt 2008-01-05 10:41:45
ComboFix3.txt 2007-08-07 19:30:59
ComboFix4.txt 2007-08-07 17:36:25

#8 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • Gender:Male
  • Location:Chester uk

Posted 08 January 2008 - 05:23 AM

Hi Slacky07

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

RENV::
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM  .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Messenger\msmsgs .exe
C:\WINDOWS\system32\ctfmon .exe

IMPORTANT: The above script was written specifically for the infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Save this as CFScript.txt, in the same location as ComboFix.exe.

Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.



Referring to the picture above, drag CFScript into ComboFix.exe.

This will start Combofix scanning.

When finished, please post the contents of the resultant log found at "C:\ComboFix.txt" along with a fresh Hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Reboot into normal windows mode.

Please do an online scan with Kaspersky WebScanner with Internet Explorer.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
DC
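The RENV:: list in the post above is made up of copies of legitimate program names with whitespace inserted before the .exe extension ("ctfmon .exe", "ISUSPM  .exe"), which the Run entries in the ComboFix log were pointing at instead of the genuine files. The script below is an added example, not code from this thread, from ComboFix or from BleepingComputer: it parses constructed lines in the shape of the log's "Reg Loading Points" block and file list, flags every padded file name, reconstructs the name it imitates and groups each padded copy with the genuine file when that is present in the list. The sample paths and Run lines are constructed for the example and modelled on the log above; the function names are the example's own.

```python
"""Flag executables whose file name carries whitespace before the extension,
the pattern seen in the ComboFix output above ("ctfmon .exe", "ISUSPM  .exe").
Constructed sample input; not code from the thread, ComboFix or BleepingComputer."""
import ntpath
import re

# Constructed sample lines, modelled on the "Reg Loading Points" block in the log above.
SAMPLE_RUN_LINES = [
    r'"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [ ]',
    r'"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [ ]',
    r'"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2007-12-23 14:37 90112]',
]

# Constructed sample paths, modelled on the <pre> file list in the log above.
SAMPLE_FILE_PATHS = [
    r"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM  .exe",
    r"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe",
    r"C:\Program Files\Messenger\msmsgs .exe",
    r"C:\WINDOWS\system32\ctfmon .exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]

# "Name"="path" [...] as ComboFix prints Run-key values.
RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"')
# A base name, then one or more whitespace characters, then the dot and extension.
PADDED_NAME = re.compile(r'^(?P<base>.*\S)(?P<pad>\s+)\.(?P<ext>[^.\s]+)$')


def canonical_name(filename):
    """Return (canonical_filename, pad_length); pad_length is 0 for a normal name.
    'ISUSPM  .exe' -> ('ISUSPM.exe', 2); 'ctfmon.exe' -> ('ctfmon.exe', 0)."""
    m = PADDED_NAME.match(filename)
    if not m:
        return filename, 0
    return f"{m.group('base')}.{m.group('ext')}", len(m.group('pad'))


def padded_entries(paths):
    """Group paths by their canonical name so each padded file is listed next to the
    genuine file it imitates (when that file is in the list too).
    Returns only the groups that contain at least one padded copy."""
    groups = {}
    for p in paths:
        directory, fn = ntpath.split(p)
        canon, pad = canonical_name(fn)
        key = ntpath.join(directory, canon).lower()
        group = groups.setdefault(
            key, {"canonical": ntpath.join(directory, canon), "padded": [], "genuine": None})
        if pad:
            group["padded"].append((p, pad))
        else:
            group["genuine"] = p
    return [g for g in groups.values() if g["padded"]]


def suspicious_run_entries(lines):
    """Return Run-key entries whose target file name is padded, together with the
    path the entry was presumably meant to launch."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        directory, fn = ntpath.split(m.group("path"))
        canon, pad = canonical_name(fn)
        if pad:
            findings.append({"value": m.group("name"), "path": m.group("path"),
                             "expected": ntpath.join(directory, canon), "pad": pad})
    return findings


if __name__ == "__main__":
    for g in padded_entries(SAMPLE_FILE_PATHS):
        state = "present" if g["genuine"] else "absent"
        print(f"{g['canonical']}: genuine file {state}; padded copies: "
              f"{[p for p, _ in g['padded']]}")
    for f in suspicious_run_entries(SAMPLE_RUN_LINES):
        print(f"Run value {f['value']!r} launches {f['path']!r} "
              f"(expected {f['expected']!r}, {f['pad']} space(s) before the extension)")
```

On the constructed input this reports three padded groups (ISUSPM with two variants, msmsgs and ctfmon) and one Run value, ISUSPM, that launches the padded copy rather than the expected path. Grouping by the lower-cased canonical path is deliberate: the Windows file system is case-insensitive, so "ctfmon .exe" and "CTFMON.EXE" in the same directory belong to one group.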



