Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Difficult To Remove Trojan


  • Please log in to reply
5 replies to this topic

#1 hooligan_69

hooligan_69

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:04:18 PM

Posted 28 December 2007 - 08:01 PM

Hi
New member here. I have some kind of virus that keeps shutting down windows explorer and seriously slowing up my computer. It also wont allow me to update xp. I can't seem to get rid of it. I've used my Sophos to try and get rid of it, but it keeps coming back with an error saying it can't access the file. Stinger can't find it nor can micorsoft malicious software removal tool. I've also tried vundofix ver 6.7 and sdfix, but the virus keeps coming back. Please help, posted is my HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:42:26, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Quetec\pctwpasv.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
C:\Program Files\Quetec\Configuration\SoftAp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\user\Desktop\stinger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SoftAP] C:\Program Files\Quetec\NetCfgWizard.exe /U
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Quetec Manager] "C:\Program Files\Quetec\Configuration\SoftAp.exe" /M
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoftAP WPA Authenticator Service (PCTWPASV) - PCTEL Inc. - C:\Program Files\Quetec\pctwpasv.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 4780 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:18 PM

Posted 29 December 2007 - 07:41 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum hooligan_69
My name is Richie and i'll be helping you to fix your problems.

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.
If you run Hijackthis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help,follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


Please disable Spybot S&Dís protection,or it will interfere.
You can enable it after you're clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\HJT\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 hooligan_69

hooligan_69
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:04:18 PM

Posted 29 December 2007 - 10:01 AM

Hi Richie

Many thanks for the combofix. The task bar and explorer have finally stopped disappearing on me. My computer though still slower than usual is working properly again. Posted below are my HijackThis log and Combofix logs as requested.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:56:21, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Quetec\pctwpasv.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Quetec\Configuration\SoftAp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis\hjt.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SoftAP] C:\Program Files\Quetec\NetCfgWizard.exe /U
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Quetec Manager] "C:\Program Files\Quetec\Configuration\SoftAp.exe" /M
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoftAP WPA Authenticator Service (PCTWPASV) - PCTEL Inc. - C:\Program Files\Quetec\pctwpasv.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 4900 bytes

ComboFix 07-12-29.5 - user 2007-12-29 14:15:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.198 [GMT 0:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adeeg.ini
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\test.dll
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\xxywtsr.dll
C:\WINDOWS\system32\yybeg.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 13:40 . 2007-12-29 13:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 00:29 . 2007-12-29 00:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2007-12-28 23:06 . 2007-12-28 23:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-28 23:01 . 2007-12-29 00:15 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2007-12-28 23:00 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-28 23:00 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-28 23:00 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-28 23:00 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-28 23:00 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-28 22:59 . 2007-12-28 22:59 <DIR> d-------- C:\Program Files\Sygate
2007-12-28 22:59 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-28 22:59 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-28 22:58 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-28 22:55 . 2007-12-28 22:55 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-28 21:15 . 2007-12-28 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 17:38 . 2007-12-28 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 17:36 . 2007-12-29 04:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 19:04 . 2007-12-27 19:04 <DIR> d-------- C:\Program Files\TVAnts
2007-12-24 18:23 . 2007-12-24 18:23 25 --a------ C:\WINDOWS\cdplayer.ini
2007-12-24 17:37 . 2007-12-27 19:22 <DIR> d-------- C:\Program Files\SopCast
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\TVU Networks
2007-12-24 17:01 . 2007-12-24 17:03 <DIR> d-------- C:\Program Files\TVUPlayer
2007-12-24 16:13 . 2007-12-24 16:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 00:50 . 2007-12-28 20:57 <DIR> d-------- C:\VundoFix Backups
2007-12-21 00:22 . 2007-12-27 05:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-19 23:26 . 2007-12-19 23:26 <DIR> d-------- C:\Program Files\Port Explorer
2007-12-19 22:25 . 2007-12-19 22:25 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-18 21:55 . 2007-12-18 22:00 45 --a------ C:\WINDOWS\msgtn.ini
2007-12-18 21:51 . 2006-04-20 11:51 359,808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.old
2007-12-18 21:50 . 2007-12-19 19:35 <DIR> d-------- C:\Documents and Settings\user\Application Data\ppstream
2007-12-16 03:02 . 2007-12-16 03:02 <DIR> d-------- C:\WINDOWS\Sun
2007-12-11 22:34 . 2007-12-11 22:34 1,044,480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2007-12-11 22:34 . 2007-12-11 22:34 200,704 --a--c--- C:\WINDOWS\system32\ssldivx.dll
2007-12-11 21:32 . 2007-12-12 03:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-11 21:23 . 2007-12-11 21:23 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-11 21:21 . 2007-12-11 21:21 <DIR> d-------- C:\Program Files\Real
2007-12-11 21:20 . 2007-12-11 21:23 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-11 20:44 . 2007-12-11 21:41 <DIR> d-------- C:\WINDOWS\uninstall
2007-12-11 20:22 . 2007-12-11 20:22 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-11 20:10 . 2007-12-11 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2007-12-11 20:08 . 2007-12-11 20:08 2,046 --a------ C:\lma_log.html
2007-12-11 20:07 . 2007-12-15 16:18 1,105 --a------ C:\log.html
2007-12-11 19:44 . 2007-12-11 19:44 <DIR> d-------- C:\Program Files\MSBuild
2007-12-11 19:37 . 2007-12-11 19:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-11 19:36 . 2007-12-11 19:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-11 19:34 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-11 19:32 . 2007-12-11 19:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-11 19:27 . 2007-12-11 19:27 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-11 19:27 . 2007-12-11 19:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-11 19:18 . 2007-12-28 22:58 1,413 --a------ C:\WINDOWS\mozver.dat
2007-12-11 19:11 . 2007-12-11 19:13 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-11 17:30 . 2007-12-11 17:30 <DIR> d-------- C:\Documents and Settings\user\Application Data\Talkback
2007-12-11 17:29 . 2007-12-11 17:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-10 20:12 . 2007-12-10 20:12 <DIR> d-------- C:\Program Files\Quetec
2007-12-10 01:02 . 2004-08-03 22:31 132,695 --a------ C:\WINDOWS\system32\drivers\NetWlan5.sys
2007-12-10 01:02 . 2004-08-03 22:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2007-12-10 01:02 . 2004-07-17 11:35 67,866 --a------ C:\WINDOWS\system32\drivers\NetWlan5.img
2007-12-04 12:39 . 2007-12-09 23:39 249,856 --a------ C:\WINDOWS\system32\DelRT.exe
2007-12-04 12:39 . 2004-09-09 22:30 212,096 --a------ C:\WINDOWS\system32\drivers\rt2500.sys
2007-12-04 12:39 . 2003-09-01 10:51 86,016 --a------ C:\WINDOWS\system32\Installrt2500qa.dll
2007-12-04 12:39 . 2002-05-24 09:44 36,864 --a------ C:\WINDOWS\system32\WRLSetup.exe
2007-12-04 12:39 . 2004-06-15 11:26 122 --a------ C:\WINDOWS\filespecrt2500qa
2007-11-30 18:27 . 2007-11-30 18:31 <DIR> d-------- C:\Documents and Settings\user\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 04:30 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2007-12-28 22:58 --------- d-----w C:\Program Files\Java
2007-12-28 17:38 --------- d-----w C:\Program Files\Lavasoft
2007-12-27 05:43 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2007-12-24 15:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-12-24 15:35 --------- d-----w C:\Program Files\A1Click Ultra PC Cleaner
2007-12-21 02:56 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2007-12-19 19:35 --------- d-----w C:\Program Files\MSN Messenger
2007-12-19 01:16 --------- d-----w C:\Program Files\DivX
2007-12-18 15:01 --------- d-----w C:\Program Files\WinAce
2007-12-18 01:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 12:39 --------- d-----w C:\Program Files\RALINK
2007-11-28 21:36 --------- d-----w C:\Documents and Settings\user\Application Data\Leadertech
2007-11-28 03:06 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-27 19:23 --------- d-----w C:\Program Files\LimeWire
2007-11-27 18:43 --------- d-----w C:\Program Files\Sophos
2007-11-27 18:43 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2007-11-27 18:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sophos
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Quetec Manager"="C:\Program Files\Quetec\Configuration\SoftAp.exe" [2004-08-03 16:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-06 10:37 C:\WINDOWS\SOUNDMAN.EXE]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe" [2006-12-20 15:27]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"SoftAP"="C:\Program Files\Quetec\NetCfgWizard.exe" [2004-08-03 16:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --a--c--- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a--c--- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-09-10 12:09]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-09-10 12:08]
R2 NTPrime;NTPrime;C:\WINDOWS\system32\drivers\NTPrime.sys [2003-10-21 09:32]
R2 PCTWPASV;SoftAP WPA Authenticator Service;"C:\Program Files\Quetec\pctwpasv.exe" [2004-07-21 15:59]
R3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PCTINDIS5.SYS [2004-03-08 16:51]
R3 TDWXP;WavePlus 802.11b Wireless PCI/PCMCIA Card Driver;C:\WINDOWS\system32\DRIVERS\wpndis51.sys [2004-08-03 16:24]
S3 bfastfao;bfastfao;C:\DOCUME~1\user\LOCALS~1\Temp\bfastfao.sys []
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 16:32]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\NetWlan5.sys [2004-08-03 22:31]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-01-04 17:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa6c216-b0a9-11db-acb0-101111111111}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
.
Completion time: 2007-12-29 14:39:05 - machine was rebooted
.
2007-12-12 22:36:26 --- E O F ---

Sincerest thanks
The Hooligan ;)

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:18 PM

Posted 29 December 2007 - 10:34 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#5 hooligan_69

hooligan_69
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:04:18 PM

Posted 29 December 2007 - 05:23 PM

Hi

Things seem to be back to normal at last. Thanks ever so much for your assistance. Below are the HijackThis log and the SUPERAntiSpyware log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:15:59, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Quetec\pctwpasv.exe
C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Quetec\Configuration\SoftAp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis\hjt.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SoftAP] C:\Program Files\Quetec\NetCfgWizard.exe /U
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Quetec Manager] "C:\Program Files\Quetec\Configuration\SoftAp.exe" /M
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoftAP WPA Authenticator Service (PCTWPASV) - PCTEL Inc. - C:\Program Files\Quetec\pctwpasv.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 4852 bytes


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/29/2007 at 09:53 PM

Application Version : 3.9.1008

Core Rules Database Version : 3370
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 01:01:15

Memory items scanned : 414
Memory threats detected : 0
Registry items scanned : 5909
Registry threats detected : 4
File items scanned : 28736
File threats detected : 5

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{48DECA5A-10E2-4055-BA30-88B2EC25EFCE}
HKCR\CLSID\{48DECA5A-10E2-4055-BA30-88B2EC25EFCE}
HKCR\CLSID\{48DECA5A-10E2-4055-BA30-88B2EC25EFCE}\InprocServer32
HKCR\CLSID\{48DECA5A-10E2-4055-BA30-88B2EC25EFCE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEDA.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EBD7A2E3-8DEA-46E6-9A5E-EFF408B101FB}\RP2\A0000012.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EBD7A2E3-8DEA-46E6-9A5E-EFF408B101FB}\RP2\A0000004.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EBD7A2E3-8DEA-46E6-9A5E-EFF408B101FB}\RP2\A0000011.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EBD7A2E3-8DEA-46E6-9A5E-EFF408B101FB}\RP2\A0000107.DLL


Thanks a billion
Happy New year from The Hooligan ;)

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:18 PM

Posted 29 December 2007 - 06:28 PM

Your log is clean :thumbsup: ,please do the following:

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.

Posted Image

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users