Virtumonde, Background Downloading, Cutwail!, Chepvil!, Cutspeer Etc.


24 replies to this topic

#1 ohtehnoes

ohtehnoes

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 01 January 2008 - 03:30 AM

Click here for information and steps taken. I have downloaded Sygate Personal Firewall since then.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:35 PM, on 1/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0aa775a1-32fd-4836-94f6-84dfb8ac53f9} - C:\WINDOWS\system32\ncqeiqvg.dll (file missing)
O2 - BHO: (no name) - {403124B1-D7D3-46E7-A052-27FEC27323BE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61487914-D87C-4993-A7EB-AF643E7F5B20} - (no file)
O2 - BHO: (no name) - {630DD7D9-76E6-4F05-9E9D-32CB4955EA72} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8603dbda-5537-47f2-b94f-e4d627b76262} - C:\WINDOWS\system32\leowvodp.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {b6011cc4-f7c3-4142-8e7a-6e44c86520cb} - C:\WINDOWS\system32\bjncudir.dll (file missing)
O2 - BHO: (no name) - {D2FC2316-2508-49B9-8884-9A616AD5D28B} - (no file)
O2 - BHO: (no name) - {D72C92D3-5CDE-42FD-B57D-BA2032761CAF} - (no file)
O2 - BHO: (no name) - {E83B8C54-E2EC-49F7-8AEC-305A2EB775F8} - (no file)
O2 - BHO: (no name) - {E9CBCD93-312A-45D6-94E4-1BE7110EBA71} - (no file)
O2 - BHO: (no name) - {f233eda9-f61b-4b31-af00-f25ddbe14e54} - C:\WINDOWS\system32\daduxpbu.dll (file missing)
O2 - BHO: (no name) - {f82174e5-caf5-42ad-a9ab-42cb9b9733e2} - C:\WINDOWS\system32\gigdrqba.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bdigital.com.au
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11F38F81-8C53-46A9-947A-1C097823BD0F}: NameServer = 203.194.27.57 203.194.56.150
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcywww - efcywww.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Unknown owner - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6959 bytes


I'm sorry if I wasn't specific, but all the things in the thread above were too much to type over again, sorry. Thank you, happy new year.
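An added triage helper for logs in the format above (written for this page, not code from the thread or from Trend Micro's HijackThis): it parses the O2 (BHO) and O20 (Winlogon Notify) lines and flags the pattern this thread turns on, a "(no name)" BHO pointing at a missing DLL with a random-looking lowercase name, and a Winlogon Notify DLL given by bare filename. The sample lines are constructed from entries in the log above; the flag names, the seven-to-eight-letter heuristic and the two-flag threshold are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a few O2 and O20 lines in HijackThis 2.0.2 format, copied
# from the log above, plus one O4 line to show that other sections are skipped.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {0aa775a1-32fd-4836-94f6-84dfb8ac53f9} - C:\\WINDOWS\\system32\\ncqeiqvg.dll (file missing)
O2 - BHO: (no name) - {403124B1-D7D3-46E7-A052-27FEC27323BE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: efcywww - efcywww.dll (file missing)
O4 - HKLM\\..\\Run: [SmcService] C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
# Assumed heuristic: droppers of this family used 7-8 random lowercase letters
# for their DLL names (ncqeiqvg, leowvodp, efcywww in the log above).
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str                 # "O2" or "O20"
    name: str
    path: str                    # path with the "(file missing)" suffix removed
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def assess(section: str, name: str, raw_path: str) -> Tuple[str, List[str]]:
    """Return (clean_path, flags) for one load point."""
    flags: List[str] = []
    path = raw_path.strip()
    if path == "(no file)":
        # CLSID still registered under Browser Helper Objects with no server
        # DLL: inert on its own, but leftover from something that was removed.
        return path, ["orphan-registration"]
    if path.endswith(MISSING):
        path = path[: -len(MISSING)].strip()
        flags.append("file-missing")
    if name == "(no name)":
        flags.append("no-name")
    stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    if RANDOM_STEM.match(stem):
        flags.append("random-looking-name")
    if section == "O20" and "\\" not in path:
        # A bare DLL name in a Winlogon Notify key is resolved through the DLL
        # search path at logon, so it does not name one fixed file to inspect.
        flags.append("bare-dll-name")
    return path, flags


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; only O2 and O20 are handled, others give None."""
    m = BHO_RE.match(line)
    if m:
        path, flags = assess("O2", m["name"], m["path"])
        return Entry("O2", m["name"], path, m["clsid"], flags)
    m = NOTIFY_RE.match(line)
    if m:
        path, flags = assess("O20", m["name"], m["path"])
        return Entry("O20", m["name"], path, None, flags)
    return None


def verdict(flags: List[str]) -> str:
    """Two or more independent oddities on one load point is worth escalating."""
    if len(flags) >= 2:
        return "suspicious"
    return "review" if flags else "ok"


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line of a HijackThis log into scored entries."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{verdict(e.flags):10} {e.section:4} {e.name!r:28} {e.path}  {e.flags}")
```

Run against the full log above, the same rules also pick out leowvodp.dll, bjncudir.dll, daduxpbu.dll and gigdrqba.dll, which is the set the later VundoFix/ComboFix steps in this thread are aimed at.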

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 09 January 2008 - 02:53 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are absolutely snowed under with logs.
If you still require help, please post a new HijackThis log into your next reply.

#3 ohtehnoes

ohtehnoes
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 10 January 2008 - 12:26 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:05 PM, on 10/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0aa775a1-32fd-4836-94f6-84dfb8ac53f9} - C:\WINDOWS\system32\ncqeiqvg.dll (file missing)
O2 - BHO: (no name) - {403124B1-D7D3-46E7-A052-27FEC27323BE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61487914-D87C-4993-A7EB-AF643E7F5B20} - (no file)
O2 - BHO: (no name) - {630DD7D9-76E6-4F05-9E9D-32CB4955EA72} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8603dbda-5537-47f2-b94f-e4d627b76262} - C:\WINDOWS\system32\leowvodp.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {b6011cc4-f7c3-4142-8e7a-6e44c86520cb} - C:\WINDOWS\system32\bjncudir.dll (file missing)
O2 - BHO: (no name) - {D2FC2316-2508-49B9-8884-9A616AD5D28B} - (no file)
O2 - BHO: (no name) - {D72C92D3-5CDE-42FD-B57D-BA2032761CAF} - (no file)
O2 - BHO: (no name) - {E83B8C54-E2EC-49F7-8AEC-305A2EB775F8} - (no file)
O2 - BHO: (no name) - {E9CBCD93-312A-45D6-94E4-1BE7110EBA71} - (no file)
O2 - BHO: (no name) - {f233eda9-f61b-4b31-af00-f25ddbe14e54} - C:\WINDOWS\system32\daduxpbu.dll (file missing)
O2 - BHO: (no name) - {f82174e5-caf5-42ad-a9ab-42cb9b9733e2} - C:\WINDOWS\system32\gigdrqba.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bdigital.com.au
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11F38F81-8C53-46A9-947A-1C097823BD0F}: NameServer = 203.194.27.57 203.194.56.150
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcywww - efcywww.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Unknown owner - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6960 bytes



I have done some things since the last log, so it might be slightly cleaner.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 10 January 2008 - 04:28 AM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download ComboFix by sUBs and save it to your desktop:
Note
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.

#5 ohtehnoes

ohtehnoes
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 13 January 2008 - 01:35 AM

I have run VundoFix before, but when I opened the log file again, it only showed the most recent one:


VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.11

Scan started at 3:51:26 PM 13/01/2008

Listing files found while scanning....

No infected files were found.



The reason that I was concerned I had Virtumonde is that Spybot Search and Destroy kept picking up traces of it over and over again:

[Screenshot: Spybot - Search & Destroy scan results showing the Virtumonde detections]

It keeps coming back after I restart the computer, and VundoFix never seems to pick it up.

Here is the ComboFix log:

ComboFix 08-01-09.2 - Stevo 2008-01-13 16:32:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.180 [GMT 11:00]
Running from: C:\Documents and Settings\Stevo\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\aglybvpq.ini
C:\WINDOWS\system32\ajhcgbef.ini
C:\WINDOWS\system32\bdauiktx.ini
C:\WINDOWS\system32\dcgqyatr.ini
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\fhimwrfr.ini
C:\WINDOWS\system32\icoemqft.ini
C:\WINDOWS\system32\jkljlpwj.ini
C:\WINDOWS\system32\jnqknkwe.ini
C:\WINDOWS\system32\jwpljlkj.dll
C:\WINDOWS\system32\kjnyhnpl.ini
C:\WINDOWS\system32\nbgcnygm.ini
C:\WINDOWS\system32\oimbqkwo.ini
C:\WINDOWS\system32\phujsjlg.ini
C:\WINDOWS\system32\rohsvfwm.ini
C:\WINDOWS\system32\tqmidomp.ini
C:\WINDOWS\system32\uqpvbcek.ini
C:\WINDOWS\system32\uvwnirfn.ini
C:\WINDOWS\system32\vigqjlse.ini
C:\WINDOWS\system32\wwpytgme.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\smtpdrv


((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 16:44 . 2008-01-13 16:44 0 --a------ C:\WINDOWS\system32\3_exception.nls
2008-01-13 16:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 15:51 . 2008-01-13 15:51 <DIR> d-------- C:\VundoFix Backups
2008-01-12 20:51 . 2008-01-13 16:44 <DIR> d-------- C:\Program Files\Steam
2008-01-03 22:42 . 2008-01-03 22:42 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\Microsoft Web Folders
2008-01-03 15:59 . 2008-01-03 20:36 <DIR> d-------- C:\Documents and Settings\Stevo\.housecall6.6
2008-01-02 20:41 . 2008-01-02 22:57 <DIR> d-------- C:\Documents and Settings\default\Shared
2008-01-02 20:41 . 2008-01-02 22:57 <DIR> d-------- C:\Documents and Settings\default\Incomplete
2008-01-02 20:40 . 2008-01-02 23:03 <DIR> d-------- C:\Documents and Settings\default\Application Data\LimeWire
2008-01-01 18:27 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-01 18:27 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-01 18:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-01 18:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-01 18:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-01 18:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-01 18:26 . 2008-01-01 18:26 <DIR> d-------- C:\Program Files\Sygate
2008-01-01 18:26 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-01 15:55 . 2008-01-01 15:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-01 15:43 . 2008-01-01 15:43 <DIR> d-------- C:\AutoRuns
2008-01-01 14:35 . 2007-01-18 23:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-01 14:30 . 2008-01-01 14:30 <DIR> d-------- C:\Program Files\CCleaner
2007-12-31 14:37 . 2007-12-31 21:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-31 14:37 . 2007-12-31 14:37 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\SUPERAntiSpyware.com
2007-12-31 14:37 . 2007-12-31 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-28 17:15 . 2007-12-29 17:13 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\MxBoost
2007-12-28 17:14 . 2007-12-28 17:28 <DIR> d-------- C:\Program Files\Maxthon2
2007-12-28 16:31 . 2007-12-28 16:31 1,314 ---hs---- C:\WINDOWS\system32\wafqbjhq.ini
2007-12-27 14:37 . 2007-12-28 16:31 1,254 ---hs---- C:\WINDOWS\system32\qwxlowwf.ini
2007-12-25 20:20 . 2007-12-27 13:29 1,743,760 ---hs---- C:\WINDOWS\system32\ddankwrx.ini
2007-12-25 20:14 . 2007-12-25 20:14 <DIR> d-------- C:\Documents and Settings\Davo\Application Data\Kodak
2007-12-23 17:49 . 2007-12-23 18:15 262 --a------ C:\WINDOWS\kaillera.ini
2007-12-22 17:17 . 2007-12-22 17:17 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 17:17 . 2007-12-22 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 17:16 . 2007-12-31 14:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 19:30 . 2007-12-21 19:30 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\GoodSync
2007-12-20 15:45 . 21,760 C:\WINDOWS\Uyd37.sys
2007-12-17 13:22 . 2007-12-17 13:22 176,564 --ahs---- C:\WINDOWS\system32\oqtwa.tmp
2007-12-14 18:22 . 2007-12-14 18:22 <DIR> d--h----- C:\_gsdata_
2007-12-14 18:09 . 2007-12-14 18:09 <DIR> d-------- C:\Program Files\Siber Systems
2007-12-14 18:09 . 2007-12-14 18:35 <DIR> d-------- C:\Documents and Settings\default\Application Data\GoodSync
2007-12-14 17:01 . 2007-12-14 17:01 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2007-12-14 16:57 . 2004-05-18 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-14 16:57 . 2004-05-18 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-14 16:57 . 2004-05-18 23:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-14 16:17 . 21,760 C:\WINDOWS\system32\drivers\Uyd37.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 05:42 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-01-13 05:42 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-01-13 05:42 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-01-13 05:42 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-01-13 05:42 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-01-13 05:42 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-01-13 05:42 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-01-13 05:42 36,770 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-01-06 12:48 --------- d-----w C:\Documents and Settings\Stevo\Application Data\LimeWire
2008-01-03 11:48 --------- d-----w C:\Program Files\Snapshot Viewer
2008-01-03 02:21 --------- d-----w C:\Documents and Settings\Davo\Application Data\LimeWire
2008-01-02 09:40 --------- d-----w C:\Program Files\LimeWire
2008-01-01 05:54 --------- d-----w C:\Program Files\Trend Micro
2007-12-29 05:49 --------- d-----w C:\Program Files\TRIXX
2007-12-26 04:54 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2007-12-20 11:40 879,832 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2007-12-20 11:40 108,360 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2007-12-08 04:42 --------- d-----w C:\Program Files\Java
2007-12-03 05:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-30 03:09 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-27 07:04 --------- d-----w C:\Program Files\MWSnap
2007-11-20 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 22:16 --------- d-----w C:\Documents and Settings\Stevo\Application Data\PC Tools
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-19 12:36 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-02-03 06:39 800,272 ----a-w C:\Documents and Settings\Davo\ppctl.dll
2006-02-16 11:37 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2001-06-22 18:34 24,576 ----a-w C:\Program Files\Common Files\ldrarc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0aa775a1-32fd-4836-94f6-84dfb8ac53f9}]
C:\WINDOWS\system32\ncqeiqvg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8603dbda-5537-47f2-b94f-e4d627b76262}]
C:\WINDOWS\system32\leowvodp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6011cc4-f7c3-4142-8e7a-6e44c86520cb}]
C:\WINDOWS\system32\bjncudir.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f233eda9-f61b-4b31-af00-f25ddbe14e54}]
C:\WINDOWS\system32\daduxpbu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f82174e5-caf5-42ad-a9ab-42cb9b9733e2}]
C:\WINDOWS\system32\gigdrqba.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-13 14:20 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-06-01 15:07 253952]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-06-01 15:14 173584]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-01 15:14 1193488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-10-26 16:20 230928]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-05 19:29 177416]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 18:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 19:48 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywww]
efcywww.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 15:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTIVBOARD]
--a------ 2003-05-02 12:31 24576 c:\apps\ABoard\ABoard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced DHTML Enable]
--a------ 2007-11-27 22:16 20729 C:\WINDOWS\system32\ebojcqyp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Application Layer Services]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-03-22 22:05 339968 C:\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 18:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-31 19:44 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOYTECH USB Neo S Controller]
--a------ 2005-06-03 23:47 233472 C:\Program Files\JoyTechEurope\JOYTECHUSBNeoSController\JoytechNeoSTrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Local Security Authority Service]
C:\WINDOWS\system32\lssas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 03:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\PROGRA~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvGraphicsInterface]
C:\WINDOWS\system32\mhsezo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
--a------ 2007-11-02 17:24 1065800 C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-05-18 23:21 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 02:01 110592 c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
C:\Program Files\webHancer\Programs\whSurvey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates]
javaw -cp C:\Program Files\WebRebates\System\Code Main lp: C:\Program Files\WebRebates

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp3\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Tools]
C:\Program Files\XP Tools\xptools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"UmxPol"=2 (0x2)
"UmxFwHlp"=2 (0x2)
"UmxCfg"=2 (0x2)
"UmxAgent"=2 (0x2)
"SLService"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"DomainService"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-05-31 14:47]
R0 Uyd37;Uyd37;C:\WINDOWS\system32\Drivers\Uyd37.sys []
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-08-06 10:48]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 15:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 15:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-05-31 14:47]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 17:00]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-05-18 15:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-05-18 15:30]
R3 STAC97NA;SigmaTel 3D Environmental Audio;C:\WINDOWS\system32\drivers\stac97na.sys [2002-09-20 19:42]
R3 STAC97NH;STAC97NH;C:\WINDOWS\system32\drivers\stac97nh.sys [2002-09-20 19:43]
S4 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 13:44]
S4 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-05-18 15:30]
S4 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 15:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 04:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-31 11:52:00 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Davo at 9 52 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.ex
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\
"2005-10-30 10:36:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-01-13 05:50:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{06A48A1F-3511-4829-A711-671DD9863920}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 16:45:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 16:51:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 05:51:31
.
2007-12-12 07:35:29 --- E O F ---


When ComboFix restarted my computer, is it normal for Windows Time to stuff up a little?

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:01 PM, on 13/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0aa775a1-32fd-4836-94f6-84dfb8ac53f9} - C:\WINDOWS\system32\ncqeiqvg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {8603dbda-5537-47f2-b94f-e4d627b76262} - C:\WINDOWS\system32\leowvodp.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {b6011cc4-f7c3-4142-8e7a-6e44c86520cb} - C:\WINDOWS\system32\bjncudir.dll (file missing)
O2 - BHO: (no name) - {f233eda9-f61b-4b31-af00-f25ddbe14e54} - C:\WINDOWS\system32\daduxpbu.dll (file missing)
O2 - BHO: (no name) - {f82174e5-caf5-42ad-a9ab-42cb9b9733e2} - C:\WINDOWS\system32\gigdrqba.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bdigital.com.au
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11F38F81-8C53-46A9-947A-1C097823BD0F}: NameServer = 203.194.27.57 203.194.56.150
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcywww - efcywww.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Unknown owner - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6275 bytes


At the moment I am blocking "svchost.exe" from accessing the internet with Sygate Personal Firewall, as when it is unblocked more things seem to go wrong, e.g. CA AntiVirus infection alerts come up. When it is blocked, everything stays the same, and nothing stops working.

On the odd occasion, a seemingly random "iexplorer.exe" process comes up in Task Manager and starts downloading from the internet; if I end the process it's fine.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:25 PM

Posted 13 January 2008 - 07:36 AM

When ComboFix restarted my computer, is it normal for Windows Time to stuff up a little?

Yes, that's normal, we'll sort that later.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\wafqbjhq.ini
C:\WINDOWS\system32\qwxlowwf.ini
C:\WINDOWS\system32\ddankwrx.ini
C:\WINDOWS\system32\oqtwa.tmp
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0aa775a1-32fd-4836-94f6-84dfb8ac53f9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8603dbda-5537-47f2-b94f-e4d627b76262}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6011cc4-f7c3-4142-8e7a-6e44c86520cb}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f233eda9-f61b-4b31-af00-f25ddbe14e54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f82174e5-caf5-42ad-a9ab-42cb9b9733e2}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywww]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced DHTML Enable]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

I now need you to do the following if you will:
First enable the viewing of hidden files and folders; reverse the process once you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\Uyd37.sys
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's is too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINDOWS\Uyd37.sys
Then click on 'Send File'.
Post the results into your next reply.
Posted Image
Posted Image
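The Registry:: section of the CFScript above removes exactly the BHO CLSIDs and the Winlogon Notify entry that the HijackThis log reports as "(file missing)": registry load points whose DLL is already gone are leftovers that keep pointing at nothing and should be cleared. The Python below is an added example, not code from this thread, from HijackThis or from ComboFix. It parses O2 and O20 lines, flags the orphaned entries and emits the matching Registry:: deletion lines in the format used in the reply above. The sample lines and the two registry key paths are taken from this thread; the regular expressions describing the line layout are my own assumption about HijackThis output. On a real log, each flagged entry still wants a look by the person doing the cleanup before it goes into a script.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread).

Flags O2 (Browser Helper Object) and O20 (Winlogon Notify) entries whose file is
reported missing and emits the ComboFix Registry:: lines that would remove them.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0aa775a1-32fd-4836-94f6-84dfb8ac53f9} - C:\WINDOWS\system32\ncqeiqvg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8603dbda-5537-47f2-b94f-e4d627b76262} - C:\WINDOWS\system32\leowvodp.dll (file missing)
O2 - BHO: (no name) - {b6011cc4-f7c3-4142-8e7a-6e44c86520cb} - C:\WINDOWS\system32\bjncudir.dll (file missing)
O2 - BHO: (no name) - {f233eda9-f61b-4b31-af00-f25ddbe14e54} - C:\WINDOWS\system32\daduxpbu.dll (file missing)
O2 - BHO: (no name) - {f82174e5-caf5-42ad-a9ab-42cb9b9733e2} - C:\WINDOWS\system32\gigdrqba.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcywww - efcywww.dll (file missing)
"""

# Assumed line layouts (my reading of HijackThis v2 output, not an official grammar).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
MISSING = "(file missing)"

# Registry key paths exactly as they appear in the CFScript posted in this thread.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def _entry(kind, name, clsid, path):
    """Build one parsed entry, splitting the '(file missing)' marker off the path."""
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].strip()
    return {"kind": kind, "name": name, "clsid": clsid, "path": path, "file_missing": missing}


def parse_entries(log_text):
    """Return O2 and O20 entries found in a HijackThis log, in log order."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append(_entry("O2", m.group("name"), m.group("clsid"), m.group("path")))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append(_entry("O20", m.group("name"), None, m.group("path")))
    return entries


def orphaned_entries(entries):
    """Entries whose registry load point survives but whose DLL is gone."""
    return [e for e in entries if e["file_missing"]]


def cfscript_registry_section(entries):
    """Render the orphaned entries as a ComboFix Registry:: deletion block."""
    lines = ["Registry::"]
    for e in orphaned_entries(entries):
        if e["kind"] == "O2":
            lines.append(f"[-{BHO_KEY}\\{e['clsid']}]")
        else:
            lines.append(f"[-{NOTIFY_KEY}\\{e['name']}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(cfscript_registry_section(parse_entries(SAMPLE_LOG)))
```

Run against the sample, the output reproduces the five BHO deletions and the efcywww notify deletion from the script above; the legitimate entries (Acrobat, Spybot, SUPERAntiSpyware) are left alone because their files are present.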

#7 ohtehnoes

ohtehnoes
  • Topic Starter

  • Members
  • 26 posts
  • Local time:01:25 AM

Posted 13 January 2008 - 08:44 PM

Here is my ComboFix log:

ComboFix 08-01-09.2 - Stevo 2008-01-14 12:14:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.187 [GMT 11:00]
Running from: C:\Documents and Settings\Stevo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stevo\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\ddankwrx.ini
C:\WINDOWS\system32\oqtwa.tmp
C:\WINDOWS\system32\qwxlowwf.ini
C:\WINDOWS\system32\wafqbjhq.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\ddankwrx.ini
C:\WINDOWS\system32\oqtwa.tmp
C:\WINDOWS\system32\qwxlowwf.ini
C:\WINDOWS\system32\wafqbjhq.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 22:08 . 2008-01-13 23:45 <DIR> d-------- C:\Program Files\Steam
2008-01-13 16:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 22:42 . 2008-01-03 22:42 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\Microsoft Web Folders
2008-01-03 15:59 . 2008-01-03 20:36 <DIR> d-------- C:\Documents and Settings\Stevo\.housecall6.6
2008-01-02 20:41 . 2008-01-02 22:57 <DIR> d-------- C:\Documents and Settings\default\Shared
2008-01-02 20:41 . 2008-01-02 22:57 <DIR> d-------- C:\Documents and Settings\default\Incomplete
2008-01-02 20:40 . 2008-01-02 23:03 <DIR> d-------- C:\Documents and Settings\default\Application Data\LimeWire
2008-01-01 18:27 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-01 18:27 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-01 18:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-01 18:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-01 18:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-01 18:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-01 18:26 . 2008-01-01 18:26 <DIR> d-------- C:\Program Files\Sygate
2008-01-01 18:26 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-01 15:55 . 2008-01-01 15:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-01 15:43 . 2008-01-01 15:43 <DIR> d-------- C:\AutoRuns
2008-01-01 14:35 . 2007-01-18 23:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-01 14:30 . 2008-01-01 14:30 <DIR> d-------- C:\Program Files\CCleaner
2007-12-31 14:37 . 2007-12-31 21:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-31 14:37 . 2007-12-31 14:37 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\SUPERAntiSpyware.com
2007-12-31 14:37 . 2007-12-31 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-28 17:15 . 2007-12-29 17:13 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\MxBoost
2007-12-28 17:14 . 2007-12-28 17:28 <DIR> d-------- C:\Program Files\Maxthon2
2007-12-25 20:14 . 2007-12-25 20:14 <DIR> d-------- C:\Documents and Settings\Davo\Application Data\Kodak
2007-12-23 17:49 . 2007-12-23 18:15 262 --a------ C:\WINDOWS\kaillera.ini
2007-12-22 17:17 . 2007-12-22 17:17 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 17:17 . 2007-12-22 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 17:16 . 2007-12-31 14:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 19:30 . 2007-12-21 19:30 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\GoodSync
2007-12-20 15:45 . 21,760 C:\WINDOWS\Uyd37.sys
2007-12-14 18:22 . 2007-12-14 18:22 <DIR> d--h----- C:\_gsdata_
2007-12-14 18:09 . 2007-12-14 18:09 <DIR> d-------- C:\Program Files\Siber Systems
2007-12-14 18:09 . 2007-12-14 18:35 <DIR> d-------- C:\Documents and Settings\default\Application Data\GoodSync
2007-12-14 17:01 . 2007-12-14 17:01 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2007-12-14 16:57 . 2004-05-18 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-14 16:57 . 2004-05-18 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-14 16:57 . 2004-05-18 23:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-14 16:17 . 21,760 C:\WINDOWS\system32\drivers\Uyd37.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 12:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-01-13 12:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-01-13 12:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-01-13 12:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-01-13 12:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-01-13 12:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-01-13 12:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-01-13 12:53 36,770 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-01-06 12:48 --------- d-----w C:\Documents and Settings\Stevo\Application Data\LimeWire
2008-01-03 11:48 --------- d-----w C:\Program Files\Snapshot Viewer
2008-01-03 02:21 --------- d-----w C:\Documents and Settings\Davo\Application Data\LimeWire
2008-01-02 09:40 --------- d-----w C:\Program Files\LimeWire
2008-01-01 05:54 --------- d-----w C:\Program Files\Trend Micro
2007-12-29 05:49 --------- d-----w C:\Program Files\TRIXX
2007-12-26 04:54 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2007-12-20 11:40 879,832 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2007-12-20 11:40 108,360 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2007-12-08 04:42 --------- d-----w C:\Program Files\Java
2007-12-03 05:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-30 03:09 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-27 11:16 20,729 ----a-w C:\WINDOWS\system32\ebojcqyp.exe
2007-11-27 10:37 20,729 ----a-w C:\WINDOWS\system32\ozrj.exe
2007-11-27 07:04 --------- d-----w C:\Program Files\MWSnap
2007-11-20 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 22:16 --------- d-----w C:\Documents and Settings\Stevo\Application Data\PC Tools
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 06:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 06:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 05:20 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll
2007-10-26 05:20 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll
2007-10-26 05:20 75,280 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-19 12:36 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-02-03 06:39 800,272 ----a-w C:\Documents and Settings\Davo\ppctl.dll
2006-02-16 11:37 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2001-06-22 18:34 24,576 ----a-w C:\Program Files\Common Files\ldrarc.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-13_16.50.25.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 05:31:18 249,856 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 01:12:52 249,856 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 05:31:18 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 01:12:52 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 05:31:18 245,760 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-14 01:12:52 245,760 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 05:31:19 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 01:12:52 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 05:31:19 9,203,712 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-14 01:12:52 9,175,040 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 05:31:19 155,648 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 01:12:52 155,648 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-12 09:52:00 27,648 ----a-r C:\WINDOWS\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C91.exe
+ 2008-01-13 11:08:56 27,648 ----a-r C:\WINDOWS\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C91.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-06-01 15:07 253952]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-06-01 15:14 173584]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-01 15:14 1193488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-10-26 16:20 230928]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-05 19:29 177416]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 18:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 19:48 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 15:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTIVBOARD]
--a------ 2003-05-02 12:31 24576 c:\apps\ABoard\ABoard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Application Layer Services]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-03-22 22:05 339968 C:\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 18:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-31 19:44 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JOYTECH USB Neo S Controller]
--a------ 2005-06-03 23:47 233472 C:\Program Files\JoyTechEurope\JOYTECHUSBNeoSController\JoytechNeoSTrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Local Security Authority Service]
C:\WINDOWS\system32\lssas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 03:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\PROGRA~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvGraphicsInterface]
C:\WINDOWS\system32\mhsezo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
--a------ 2007-11-02 17:24 1065800 C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-05-18 23:21 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 02:01 110592 c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp3\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Tools]
C:\Program Files\XP Tools\xptools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"UmxPol"=2 (0x2)
"UmxFwHlp"=2 (0x2)
"UmxCfg"=2 (0x2)
"UmxAgent"=2 (0x2)
"SLService"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"DomainService"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-05-31 14:47]
R0 Uyd37;Uyd37;C:\WINDOWS\system32\Drivers\Uyd37.sys []
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-08-06 10:48]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 15:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 15:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-05-31 14:47]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 17:00]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-05-18 15:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-05-18 15:30]
R3 STAC97NA;SigmaTel 3D Environmental Audio;C:\WINDOWS\system32\drivers\stac97na.sys [2002-09-20 19:42]
R3 STAC97NH;STAC97NH;C:\WINDOWS\system32\drivers\stac97nh.sys [2002-09-20 19:43]
S4 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 13:44]
S4 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-05-18 15:30]
S4 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 15:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 04:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-31 11:52:00 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Davo at 9 52 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.ex
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\
"2005-10-30 10:36:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-01-14 01:20:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{06A48A1F-3511-4829-A711-671DD9863920}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 12:21:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 12:25:12
ComboFix-quarantined-files.txt 2008-01-14 01:25:02
ComboFix2.txt 2008-01-13 05:51:44
.
2007-12-12 07:35:29 --- E O F ---


When it finished, this CA Anti-Virus Infection Alert came up:
Posted Image

Here is my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:06 PM, on 14/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bdigital.com.au
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11F38F81-8C53-46A9-947A-1C097823BD0F}: NameServer = 203.194.27.57 203.194.56.150
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Unknown owner - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5618 bytes


I uploaded the file to Jotti and this message appeared:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I tried Virustotal and got this message:

0 bytes size received / Se ha recibido un archivo vacio (an empty file has been received)



#8 ohtehnoes

ohtehnoes
  • Topic Starter

  • Members
  • 26 posts

Posted 13 January 2008 - 08:48 PM

Also, on occasion an Internet Explorer window opens with a website along the lines of "www.my-etrust.com". I usually close it too quickly to see what the website is.

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 January 2008 - 07:13 AM

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\Uyd37.sys
C:\WINDOWS\system32\drivers\Uyd37.sys
Driver::
Uyd37

Now drag and drop the CFScript file onto ComboFix.exe, as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#10 ohtehnoes

ohtehnoes
  • Topic Starter

  • Members
  • 26 posts

Posted 18 January 2008 - 10:41 PM

Posted Image

I know this is probably a stupid question, but I had to be sure, should I re-download?

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 19 January 2008 - 08:58 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following text inside the quote box below:

Drivers to unload:
C:\WINDOWS\system32\drivers\Uyd37.sys

Files to delete:
C:\WINDOWS\Uyd37.sys
C:\WINDOWS\system32\drivers\Uyd37.sys

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, in your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

#12 ohtehnoes

ohtehnoes
  • Topic Starter

  • Members
  • 26 posts

Posted 19 January 2008 - 10:35 PM

Avenger seems to have... failed...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mkchvcmw

*******************

Script file located at: ervtqecc

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!


...

Here is new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19, on 2008-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bdigital.com.au
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11F38F81-8C53-46A9-947A-1C097823BD0F}: NameServer = 203.194.27.57 203.194.56.150
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Unknown owner - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5579 bytes


One reason I was concerned was that "svchost.exe" was downloading from sites I didn't know about, and when they aren't blocked by Sygate Firewall, my virus scanner picks up viruses such as Cutwail! and Chepvil. It also makes my dial-up internet very slow. I am blocking "svchost.exe" from accessing the internet at the moment; even though it is supposedly a genuine Microsoft process, I fear that it may have been hijacked, or that it is fake. Here are parts of the Sygate Personal Firewall traffic log displaying where "svchost.exe" is downloading from. I would appreciate it if you would tell me whether it is OK to allow this process to access the internet, as with a previous (and possibly current) history of backdoor trojans, and being unable to reformat, I'm rather fearful.

137545 01/20/2008 14:09:35 Blocked 10 Outgoing TCP 66.246.252.215 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1909 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:08:22 01/20/2008 14:08:31 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137546 01/20/2008 14:09:57 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1910 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:08:44 01/20/2008 14:08:53 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137547 01/20/2008 14:10:17 Blocked 10 Outgoing TCP 67.18.114.98 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1911 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:09:05 01/20/2008 14:09:14 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137548 01/20/2008 14:10:23 Allowed 10 Outgoing TCP msntoday.ninemsn.com.au [202.58.56.40] 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1912 C:\Program Files\MSN Messenger\msnmsgr.exe Stevo SN2616577127 Normal 1 01/20/2008 14:09:19 01/20/2008 14:09:19 Ask all running apps
137549 01/20/2008 14:10:38 Blocked 10 Outgoing TCP 208.66.194.242 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1913 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:09:26 01/20/2008 14:09:35 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137550 01/20/2008 14:10:59 Blocked 10 Outgoing TCP 66.246.252.215 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1914 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:09:47 01/20/2008 14:09:56 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137551 01/20/2008 14:11:22 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1915 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:10:08 01/20/2008 14:10:17 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137552 01/20/2008 14:11:39 Allowed 10 Outgoing TCP download.windowsupdate.com [203.220.28.232] 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1917 C:\Program Files\MSN Messenger\msnmsgr.exe Stevo SN2616577127 Normal 1 01/20/2008 14:10:36 01/20/2008 14:10:36 Ask all running apps
137553 01/20/2008 14:11:44 Blocked 10 Outgoing TCP 67.18.114.98 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1916 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:10:30 01/20/2008 14:10:39 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137554 01/20/2008 14:11:46 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1920 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:11:34 01/20/2008 14:11:43 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137555 01/20/2008 14:11:46 Blocked 10 Outgoing TCP 208.66.194.242 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1918 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:10:51 01/20/2008 14:11:00 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137556 01/20/2008 14:11:46 Blocked 10 Outgoing TCP 66.246.252.215 01-00-20-00-01-00 80 203.220.222.201 00-00-01-00-00-00 1919 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:11:12 01/20/2008 14:11:21 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137557 01/20/2008 14:17:44 Blocked 10 Outgoing UDP time.windows.com [207.46.197.32] 01-00-20-00-01-00 123 203.220.222.187 00-00-01-00-00-00 123 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/20/2008 14:16:40 01/20/2008 14:16:40 GUI%GUICONFIG#SRULE@APPCONFIG-UDP#C:\WINDOWS\System32\svchost.exe
137558 01/20/2008 14:17:55 Blocked 10 Outgoing TCP 208.66.194.242 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1051 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:16:41 01/20/2008 14:16:50 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137559 01/20/2008 14:18:01 Blocked 10 Outgoing TCP www.update.microsoft.com [65.55.184.61] 01-00-20-00-01-00 443 203.220.222.187 00-00-01-00-00-00 1056 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:16:51 01/20/2008 14:17:00 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137560 01/20/2008 14:18:01 Allowed 10 Outgoing TCP www.bleepingcomputer.com [216.213.19.27] 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1057 C:\Program Files\Mozilla Firefox\firefox.exe Stevo SN2616577127 Normal 1 01/20/2008 14:16:57 01/20/2008 14:16:57 Ask all running apps
137561 01/20/2008 14:18:12 Allowed 10 Outgoing TCP www.bleepingcomputer.com [216.213.19.27] 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1059 C:\Program Files\Mozilla Firefox\firefox.exe Stevo SN2616577127 Normal 1 01/20/2008 14:17:10 01/20/2008 14:17:10 Ask all running apps
137562 01/20/2008 14:18:12 Blocked 10 Outgoing TCP 66.246.252.215 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1058 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:17:02 01/20/2008 14:17:11 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137563 01/20/2008 14:18:18 Blocked 10 Incoming UDP 24.64.206.255 01-00-20-00-01-00 30647 203.220.222.187 00-00-01-00-00-00 1026 Stevo SN2616577127 Normal 1 01/20/2008 14:17:12 01/20/2008 14:17:12 Block_all
137564 01/20/2008 14:18:18 Blocked 10 Incoming UDP 24.64.206.255 01-00-20-00-01-00 30647 203.220.222.187 00-00-01-00-00-00 1027 Stevo SN2616577127 Normal 1 01/20/2008 14:17:12 01/20/2008 14:17:12 Block_all
137565 01/20/2008 14:18:18 Blocked 10 Incoming UDP 24.64.206.255 01-00-20-00-01-00 30647 203.220.222.187 00-00-01-00-00-00 1028 Stevo SN2616577127 Normal 1 01/20/2008 14:17:12 01/20/2008 14:17:12 Block_all
137566 01/20/2008 14:18:23 Blocked 10 Outgoing TCP stats.update.microsoft.com [207.46.20.252] 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1060 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:17:12 01/20/2008 14:17:21 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137567 01/20/2008 14:18:34 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1062 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:17:24 01/20/2008 14:17:33 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137568 01/20/2008 14:18:46 Blocked 10 Outgoing TCP www.update.microsoft.com [65.55.184.61] 01-00-20-00-01-00 443 203.220.222.187 00-00-01-00-00-00 1063 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:17:34 01/20/2008 14:17:43 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137571 01/20/2008 14:18:57 Blocked 10 Outgoing TCP 67.18.114.98 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1065 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:17:45 01/20/2008 14:17:54 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137572 01/20/2008 14:19:08 Blocked 10 Outgoing TCP stats.update.microsoft.com [207.46.20.252] 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1067 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:17:55 01/20/2008 14:18:04 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137573 01/20/2008 14:19:19 Blocked 10 Outgoing TCP 208.66.194.242 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1068 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:18:06 01/20/2008 14:18:15 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137574 01/20/2008 14:19:25 Allowed 10 Outgoing TCP sb.google.com [74.125.19.91] 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1069 C:\Program Files\Mozilla Firefox\firefox.exe Stevo SN2616577127 Normal 1 01/20/2008 14:18:22 01/20/2008 14:18:22 Ask all running apps
137575 01/20/2008 14:19:42 Blocked 10 Outgoing TCP 66.246.252.215 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1070 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:18:28 01/20/2008 14:18:36 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137576 01/20/2008 14:19:59 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1071 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:18:49 01/20/2008 14:18:58 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137577 01/20/2008 14:20:21 Blocked 10 Outgoing TCP 67.18.114.98 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1072 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:19:10 01/20/2008 14:19:19 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137578 01/20/2008 14:20:24 Blocked 10 Incoming UDP 221.208.208.92 01-00-20-00-01-00 41453 203.220.222.187 00-00-01-00-00-00 1026 Stevo SN2616577127 Normal 1 01/20/2008 14:20:21 01/20/2008 14:20:21 Block_all
137579 01/20/2008 14:20:24 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1075 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:20:14 01/20/2008 14:20:23 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137580 01/20/2008 14:20:24 Blocked 10 Outgoing TCP 208.66.194.242 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1073 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:19:31 01/20/2008 14:19:40 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137581 01/20/2008 14:20:24 Blocked 10 Outgoing TCP 66.246.252.215 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1074 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:19:52 01/20/2008 14:20:01 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137582 01/20/2008 14:21:39 Allowed 10 Incoming ICMP 66.246.252.215 01-00-20-00-01-00 0 203.220.222.187 00-00-01-00-00-00 0 Stevo SN2616577127 Normal 21 01/20/2008 14:20:34 01/20/2008 14:20:35 Allow ping reply
137583 01/20/2008 14:21:45 Blocked 10 Outgoing TCP 67.18.114.98 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1080 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:20:35 01/20/2008 14:20:44 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137584 01/20/2008 14:22:07 Blocked 10 Outgoing TCP 208.66.194.242 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1127 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:20:56 01/20/2008 14:21:05 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137585 01/20/2008 14:22:29 Blocked 10 Outgoing TCP 616959.ds.nac.net [66.246.252.215] 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1128 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:21:18 01/20/2008 14:21:26 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137586 01/20/2008 14:22:52 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1129 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:21:39 01/20/2008 14:21:48 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137587 01/20/2008 14:23:14 Blocked 10 Outgoing TCP 67.18.114.98 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1130 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:22:00 01/20/2008 14:22:09 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137588 01/20/2008 14:23:31 Blocked 10 Outgoing TCP 208.66.194.242 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1131 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:22:21 01/20/2008 14:22:30 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137589 01/20/2008 14:23:53 Blocked 10 Outgoing TCP 616959.ds.nac.net [66.246.252.215] 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1132 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:22:43 01/20/2008 14:22:51 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137590 01/20/2008 14:24:16 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1133 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:23:04 01/20/2008 14:23:13 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137591 01/20/2008 14:24:38 Blocked 10 Outgoing TCP 67.18.114.98 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1134 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:23:25 01/20/2008 14:23:34 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137592 01/20/2008 14:25:00 Blocked 10 Outgoing TCP 208.66.194.242 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1135 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:23:46 01/20/2008 14:23:55 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137593 01/20/2008 14:25:17 Blocked 10 Outgoing TCP 616959.ds.nac.net [66.246.252.215] 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1136 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:24:07 01/20/2008 14:24:16 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
137594 01/20/2008 14:25:39 Blocked 10 Outgoing TCP 208.66.195.71 01-00-20-00-01-00 80 203.220.222.187 00-00-01-00-00-00 1137 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 3 01/20/2008 14:24:29 01/20/2008 14:24:38 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe

Here are the most recent ones:

136004 01/19/2008 22:15:43 Blocked 10 Outgoing TCP 67.18.114.98 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1528 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:15:59 01/19/2008 22:15:59 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136005 01/19/2008 22:15:54 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1529 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:16:11 01/19/2008 22:16:11 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136006 01/19/2008 22:16:00 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1529 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:16:14 01/19/2008 22:16:14 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136007 01/19/2008 22:16:06 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1529 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:16:20 01/19/2008 22:16:20 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136008 01/19/2008 22:16:17 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1531 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:16:33 01/19/2008 22:16:33 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136010 01/19/2008 22:16:22 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1531 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:16:35 01/19/2008 22:16:35 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136012 01/19/2008 22:16:28 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1531 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:16:42 01/19/2008 22:16:42 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136013 01/19/2008 22:16:39 Blocked 10 Outgoing TCP 208.66.195.71 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1533 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 2 01/19/2008 22:16:54 01/19/2008 22:16:57 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136016 01/19/2008 22:16:45 Blocked 10 Outgoing TCP 208.66.195.71 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1533 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:03 01/19/2008 22:17:03 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136026 01/19/2008 22:17:02 Blocked 10 Outgoing TCP 67.18.114.98 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1541 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 2 01/19/2008 22:17:15 01/19/2008 22:17:18 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136027 01/19/2008 22:17:08 Blocked 10 Outgoing TCP 67.18.114.98 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1541 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:24 01/19/2008 22:17:24 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136028 01/19/2008 22:17:19 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1546 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:36 01/19/2008 22:17:36 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136029 01/19/2008 22:17:25 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1546 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:39 01/19/2008 22:17:39 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136030 01/19/2008 22:17:30 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1546 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:45 01/19/2008 22:17:45 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136031 01/19/2008 22:17:41 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1547 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:58 01/19/2008 22:17:58 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136034 01/19/2008 22:17:47 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1547 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:18:00 01/19/2008 22:18:00 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136037 01/19/2008 22:17:53 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1547 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:18:06 01/19/2008 22:18:06 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136042 01/19/2008 22:18:04 Blocked 10 Outgoing TCP 208.66.195.71 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1555 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 2 01/19/2008 22:18:19 01/19/2008 22:18:22 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136050 01/19/2008 22:18:10 Blocked 10 Outgoing TCP 208.66.195.71 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1555 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:18:28 01/19/2008 22:18:28 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136061 01/19/2008 22:18:27 Blocked 10 Outgoing TCP 67.18.114.98 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1572 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 2 01/19/2008 22:18:40 01/19/2008 22:18:43 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe


Other than that, Spybot is still picking up traces of Virtumonde and the odd Win32 trojan, but CA Anti Virus Infection Alerts are getting fewer; in fact, I haven't had one in a week. The Windows Live Messenger virus seems to have gone and my computer seems to be running OK, but I am still slightly fearful of reinfection, and that suspicious Uyd37.sys driver seems persistent in staying on my computer.
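
The firewall excerpt above is the part of this post a responder would look at first: every blocked entry is an outbound TCP session to port 80, and every one is attributed to C:\WINDOWS\system32\svchost.exe. svchost.exe hosts legitimate network services such as Windows Update and BITS, so one remote host would be unremarkable; the same service host being blocked on its way to four unrelated remote addresses in under a minute is the pattern worth a closer look, because it usually means code running inside the service rather than the service itself. The script below is an added example, not a tool from Sygate or BleepingComputer, that parses pasted Sygate Personal Firewall log lines and surfaces that fan-out. The column meanings are an assumption read off the excerpt; the sample input is the eleven lines quoted above, unchanged.

```python
"""Triage helper for Sygate Personal Firewall traffic-log lines.

Added example for this thread, not a tool shipped by Sygate or BleepingComputer.
The column meanings below are an assumption read off the excerpt in this post;
the sample lines are copied from that excerpt.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed field order: id, date, time, action, severity, direction, protocol,
# remote ip, remote mac, remote port, local ip, local mac, local port,
# application path, user, host, location, occurrence count, begin time,
# end time, rule that fired. Tabs were flattened to spaces when the log was
# pasted, and application paths may themselves contain spaces, so a regex
# anchored on the ".exe" suffix is used instead of a plain split().
LOG_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+(?P<severity>\d+)\s+(?P<direction>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<remote_ip>[\d.]+)\s+(?P<remote_mac>[0-9A-Fa-f-]+)\s+(?P<remote_port>\d+)\s+"
    r"(?P<local_ip>[\d.]+)\s+(?P<local_mac>[0-9A-Fa-f-]+)\s+(?P<local_port>\d+)\s+"
    r"(?P<app>.+?\.[Ee][Xx][Ee])\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<location>\w+)\s+"
    r"(?P<count>\d+)\s+(?P<begin>\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<end>\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2})\s+(?P<rule>\S+)$"
)

# Core Windows binaries that should not be opening their own outbound web
# sessions. svchost.exe does host legitimate network services (Windows Update,
# BITS), so one remote host is unremarkable; a fan-out to several unrelated
# remotes on port 80 is the pattern worth a closer look.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("count", "remote_port", "local_port", "severity"):
        rec[field] = int(rec[field])
    rec["app_name"] = PureWindowsPath(rec["app"]).name.lower()
    return rec


def parse_log(text):
    """Parse every recognisable line of a pasted log; unknown lines are skipped."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def summarize_blocked_outbound(records):
    """Sum the occurrence column per (application, remote ip, remote port)."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "Blocked" and r["direction"] == "Outgoing":
            totals[(r["app_name"], r["remote_ip"], r["remote_port"])] += r["count"]
    return dict(totals)


def flag_system_process_fanout(records, min_remotes=3):
    """System binaries blocked while reaching >= min_remotes distinct remote hosts."""
    remotes = defaultdict(set)
    for r in records:
        if (r["action"] == "Blocked" and r["direction"] == "Outgoing"
                and r["app_name"] in SYSTEM_BINARIES):
            remotes[r["app_name"]].add(r["remote_ip"])
    return {app: sorted(ips) for app, ips in remotes.items() if len(ips) >= min_remotes}


# Sample input: the eleven lines quoted in this post, unchanged.
SAMPLE_LOG = r"""
136026 01/19/2008 22:17:02 Blocked 10 Outgoing TCP 67.18.114.98 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1541 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 2 01/19/2008 22:17:15 01/19/2008 22:17:18 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136027 01/19/2008 22:17:08 Blocked 10 Outgoing TCP 67.18.114.98 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1541 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:24 01/19/2008 22:17:24 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136028 01/19/2008 22:17:19 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1546 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:36 01/19/2008 22:17:36 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136029 01/19/2008 22:17:25 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1546 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:39 01/19/2008 22:17:39 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136030 01/19/2008 22:17:30 Blocked 10 Outgoing TCP 208.66.194.242 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1546 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:45 01/19/2008 22:17:45 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136031 01/19/2008 22:17:41 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1547 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:17:58 01/19/2008 22:17:58 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136034 01/19/2008 22:17:47 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1547 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:18:00 01/19/2008 22:18:00 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136037 01/19/2008 22:17:53 Blocked 10 Outgoing TCP 66.246.252.215 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1547 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:18:06 01/19/2008 22:18:06 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136042 01/19/2008 22:18:04 Blocked 10 Outgoing TCP 208.66.195.71 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1555 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 2 01/19/2008 22:18:19 01/19/2008 22:18:22 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136050 01/19/2008 22:18:10 Blocked 10 Outgoing TCP 208.66.195.71 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1555 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 1 01/19/2008 22:18:28 01/19/2008 22:18:28 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
136061 01/19/2008 22:18:27 Blocked 10 Outgoing TCP 67.18.114.98 02-00-20-00-02-00 80 203.220.222.17 00-00-02-00-00-00 1572 C:\WINDOWS\system32\svchost.exe Stevo SN2616577127 Normal 2 01/19/2008 22:18:40 01/19/2008 22:18:43 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\System32\svchost.exe
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize_blocked_outbound(recs).items()):
        print(f"{key[0]:<12} -> {key[1]}:{key[2]}  blocked {n}x")
    for app, ips in flag_system_process_fanout(recs).items():
        print(f"REVIEW: {app} tried {len(ips)} distinct remote hosts: {', '.join(ips)}")
```

Run against the excerpt, the summary shows 14 blocked attempts from svchost.exe spread over four remote hosts, all on port 80, and the fan-out check flags svchost.exe. The occurrence column is summed rather than counting lines, because Sygate collapses repeats of the same session into one entry with a count. The threshold of three distinct remotes is a starting point, not a rule; the log also records the local source port, and the fact that it climbs steadily (1541, 1546, 1547, 1555, 1572) is consistent with one process opening fresh sockets in sequence.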

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:25 PM

Posted 20 January 2008 - 07:55 AM

Download Killbox by Option^Explicit:
http://download.bleepingcomputer.com/spyware/KillBox.exe
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\Uyd37.sys
C:\WINDOWS\system32\drivers\Uyd37.sys

Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1. General
2. System requirements
3. Start your scan, then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up; click on 'Install'.
Read the Licence Agreement, then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options', make sure 'Scan whole system' is selected.
Under 'Other Scan Options', make sure the following are selected:
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded; this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your PC is running now.
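
The 'Delete on Reboot' step in the Killbox instructions above works through a standard Windows mechanism rather than anything specific to Killbox: the file is queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the same value MoveFileEx writes when called with MOVEFILE_DELAY_UNTIL_REBOOT), and the Session Manager processes that queue early in the next boot, before a driver like Uyd37.sys would load again. That is also why Killbox warns about an existing 'PendingFileRenameOperations' prompt: something else may already be queued there. The script below is an added example, not part of Killbox or of these instructions; it decodes the value so you can confirm both Uyd37.sys paths are queued for deletion before rebooting, and see anything else waiting in the same queue. The sample list is constructed to mirror the two paths above; its third pair, a rename into system32 with an invented placeholder name, only illustrates the other form an entry can take. The live read uses winreg and therefore only runs on Windows; elsewhere it returns an empty list.

```python
"""Decode the PendingFileRenameOperations queue that 'Delete on Reboot' uses.

Added example for this thread; not Killbox code. Entries in the REG_MULTI_SZ
value come in pairs: source path, then destination. An empty destination means
"delete at boot"; a destination starting with '!' means the target may be
overwritten (MOVEFILE_REPLACE_EXISTING). Paths carry the NT prefix \??\.
"""
import sys

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


def _strip_nt_prefix(path):
    """Turn \\??\\C:\\x into C:\\x; leave other strings untouched."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_operations(entries):
    """Return (source, destination, replace_existing) tuples.

    destination is None for a deferred delete. Raises ValueError if the list
    is not made of source/destination pairs, which would itself be suspicious.
    """
    if len(entries) % 2:
        raise ValueError(f"{VALUE_NAME} must contain source/destination pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append((src, None, False))
        else:
            replace = dst.startswith("!")
            ops.append((src, _strip_nt_prefix(dst.lstrip("!")), replace))
    return ops


def is_scheduled_for_delete(entries, path):
    """True if 'path' (case-insensitive, as NTFS is) is queued for deletion."""
    wanted = path.lower()
    return any(src.lower() == wanted and dst is None
               for src, dst, _ in decode_pending_operations(entries))


def read_live_value():
    """Read the queue from the live registry. Windows only; [] when absent."""
    if sys.platform != "win32":
        return []
    import winreg  # stdlib on Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        try:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


# Constructed sample: the two driver paths from the Killbox instructions queued
# for deletion, plus an invented rename pair to show the replace form.
SAMPLE_ENTRIES = [
    "\\??\\C:\\WINDOWS\\Uyd37.sys", "",
    "\\??\\C:\\WINDOWS\\system32\\drivers\\Uyd37.sys", "",
    "\\??\\C:\\WINDOWS\\Temp\\update.tmp", "!\\??\\C:\\WINDOWS\\system32\\placeholder.dll",
]

if __name__ == "__main__":
    live = read_live_value()
    entries = live if live else SAMPLE_ENTRIES
    print("source:" if live else "no live queue (or not Windows); showing constructed sample")
    for src, dst, replace in decode_pending_operations(entries):
        if dst is None:
            print(f"DELETE  {src}")
        else:
            print(f"RENAME  {src} -> {dst}{'  (overwrite)' if replace else ''}")
```

On the infected machine, running this after Killbox and before the reboot should list both Uyd37.sys paths as DELETE lines; if they are missing, the queue was never written (which matches the 'Paste from Clipboard' problem reported later in this thread) and the reboot will not remove anything. Any RENAME line you did not expect deserves the same scrutiny as the driver itself, since the queue is processed with system privileges before most defences are running.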

#14 ohtehnoes

ohtehnoes
  • Topic Starter

  • Members
  • 26 posts
  • Local time:01:25 AM

Posted 20 January 2008 - 11:55 PM

Return to Killbox,go to the File menu,and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.

This doesn't work. Nothing happens when you click Paste From Clipboard, and when you click Delete File it says "You have not specified a file to delete, you must specify a file path in the yellow box", then the 'Full Path of File To Delete' box lights up yellow.

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:25 PM

Posted 21 January 2008 - 05:37 AM

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.



