Process Doubled With Spacename


This topic is locked
6 replies to this topic

#1 Anthonyn


Posted 06 January 2008 - 03:00 AM

I have a problem with my process list in Task Manager. Some processes are doubled in the task manager. For example, there is:

CLI.exe
CLI .exe

and

avgcc.exe
avgcc .exe

The other processes have a space before the dot too.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:14, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\RocketDock\RocketDock .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\PROGRA~1\Grisoft\AVG7\avgcc .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RocketDock\RocketDock .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
D:\DOWNLOADS\HiJackThis\HijackThis Application.exe

O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7A5565EF-A594-46E4-AF56-FE71AEAFD7D5} - C:\WINDOWS\system32\cbxvuvt.dll
O2 - BHO: (no name) - {81D9D4FB-E62F-4BFD-A7D7-6296D32AD33A} - C:\WINDOWS\system32\gebcy.dll
O2 - BHO: (no name) - {CA2E9C36-FDFA-446C-AFD2-66D69761867E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe" /0
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock .exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C25AFC76-3DCF-47B3-A53B-2B08BD16A950}: NameServer = 202.134.0.155,202.134.2.5
O20 - Winlogon Notify: cbxvuvt - C:\WINDOWS\SYSTEM32\cbxvuvt.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4870 bytes


These processes consume a lot of RAM and CPU (20%-100%); sometimes it's locked at 100% usage for a long period. I think it was a Trojan, but I'm still unsure. I've tried Ad-Aware, Spybot, Spyware Dr., no luck. Please help! Thank you! Sorry for my bad English.. I'm new at it..

Edited by Anthonyn, 06 January 2008 - 06:54 AM.
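The "space before the dot" pattern in the log above can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not part of HijackThis or of the original post. It parses the Running processes and O4 lines of a HijackThis log, flags every executable whose base name has whitespace before its extension, and reports whether the normally named file was also seen in the same folder, which is the pairing the ComboFix output later in the thread confirms ("cli .exe" replaces the infected copy of "cli.exe"). The log excerpt is constructed from the lines posted above, and the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Excerpt constructed from the HijackThis log posted above (most lines omitted).
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\RocketDock\RocketDock .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\PROGRA~1\Grisoft\AVG7\avgcc .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe" /0
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock .exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Base name whose stem is separated from its extension by whitespace, e.g. "cli .exe".
SPACED_NAME = re.compile(r"^(?P<stem>\S.*?)\s+\.(?P<ext>[A-Za-z0-9]+)$")
# A "Running processes" entry starts with a drive letter.
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")
# O4 autostart entry: "[value name] path args"; the path may or may not be quoted.
O4_LINE = re.compile(
    r'^O4 - [^:]*: \[[^\]]*\] '
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S.*?\.(?:exe|com|pif|scr|bat|cmd)))(?:\s|$)',
    re.IGNORECASE,
)


def extract_paths(log_text):
    """Yield (section, path) for every process-list entry and O4 autostart target."""
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if in_processes and PROCESS_LINE.match(line):
            yield "Running processes", line
            continue
        m = O4_LINE.match(line)
        if m:
            yield "O4", m.group("quoted") or m.group("bare")


def split_path(path):
    """Split a Windows path into (folder, base name); a bare name gets an empty folder."""
    folder, _, name = path.rpartition("\\")
    return folder, name


def find_spaced_executables(log_text):
    """Return findings keyed by lower-cased path for every executable whose base
    name has whitespace before the extension. Each finding records the log
    sections it appeared in and whether the normally named sibling was seen in
    the same folder. 8.3 short names (PROGRA~1) are not normalised, so the
    same folder written both ways would count as two folders."""
    names_in_folder = defaultdict(set)
    entries = []
    for section, path in extract_paths(log_text):
        folder, name = split_path(path)
        names_in_folder[folder.lower()].add(name.lower())
        entries.append((section, path))

    findings = {}
    for section, path in entries:
        folder, name = split_path(path)
        m = SPACED_NAME.match(name)
        if not m:
            continue
        sibling = f"{m['stem']}.{m['ext']}"
        finding = findings.setdefault(path.lower(), {
            "path": path,
            "sections": [],
            "sibling": sibling,
            "sibling_seen": sibling.lower() in names_in_folder[folder.lower()],
        })
        if section not in finding["sections"]:
            finding["sections"].append(section)
    return findings


if __name__ == "__main__":
    for f in find_spaced_executables(SAMPLE_HJT_LOG).values():
        status = "sibling present" if f["sibling_seen"] else "no sibling seen"
        print(f'{f["path"]}  <- {f["sibling"]} ({status}; seen in {", ".join(f["sections"])})')
```

On this excerpt the script pairs cli, avgcc and SpySweeper with their normally named siblings, while RocketDock only ever appears as "RocketDock .exe" and is launched that way from the HKCU Run key, which is the kind of entry a helper would want to look at next.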



#2 Buckeye_Sam

Malware Expert

Posted 06 January 2008 - 09:18 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :blink:
I think your English is better than that of some of us who have been speaking it all our lives. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double-click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Anthonyn

Topic Starter

Posted 07 January 2008 - 11:28 AM

Sam, here's the log from ComboFix:

ComboFix 08-01-04.1 - ANTONI 2008-01-07 19:07:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.620 [GMT 7:00]
Running from: D:\DOWNLOADS\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Documents\My Music\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009F263\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\Desktop_.ini
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\cbxvuvt.dll
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\gebcy.exe
C:\WINDOWS\system32\winowl32.dll
C:\WINDOWS\system32\ycbeg.ini
C:\WINDOWS\system32\ycbeg.ini2

"C:\Program Files\ATI Technologies\ATI.ACE\cli .exe" replaces infected copy of "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe"
"C:\Program Files\Grisoft\AVG7\avgcc .exe" replaces infected copy of "C:\Program Files\Grisoft\AVG7\avgcc.exe"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe" replaces infected copy of "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
"C:\Program Files\Synaptics\SynTP\SynTPEnh .exe" replaces infected copy of "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
.
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 19:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 20:14 . 2008-01-04 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 18:59 . 2008-01-03 18:59 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\KompoZer
2008-01-01 21:42 . 2008-01-06 15:05 <DIR> d-------- C:\Program Files\RocketDock
2007-12-29 15:39 . 2007-12-29 15:39 <DIR> d-------- C:\Program Files\Webroot
2007-12-29 15:39 . 2007-12-29 15:39 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\Webroot
2007-12-28 22:55 . 2007-12-28 23:09 981 --a------ C:\WINDOWS\eReg.dat
2007-12-28 22:29 . 2005-12-15 18:37 86,095 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2007-12-28 21:44 . 2007-12-28 21:44 <DIR> d-------- C:\Program Files\LucasArts
2007-12-28 20:25 . 2007-12-28 20:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-28 19:40 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-12-28 19:02 . 2007-12-28 19:02 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-27 22:00 . 2007-12-27 22:03 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\Command & Conquer 3 Tiberium Wars
2007-12-27 21:33 . 2007-12-28 11:17 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-27 21:13 . 2007-12-27 21:13 <DIR> d-------- C:\Program Files\CCleaner
2007-12-26 21:40 . 2007-12-26 21:40 657,183 --a------ C:\WINDOWS\Condition Zero Uninstaller.exe
2007-12-26 21:27 . 2007-12-27 21:28 39 --a------ C:\WINDOWS\popcinfo.dat
2007-12-21 23:05 . 2007-12-21 23:05 149 --a------ C:\WINDOWS\CrocPhys.INI
2007-12-21 23:05 . 2007-12-21 23:05 32 --a------ C:\WINDOWS\Crocclip.ini
2007-12-21 23:03 . 2007-12-21 23:04 52 --a------ C:\WINDOWS\CrocChem.INI
2007-12-21 16:39 . 2007-12-21 16:39 <DIR> d-------- C:\WINDOWS\Sun
2007-12-17 16:12 . 2007-12-25 00:30 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\My Battle for Middle-earth™ II Files
2007-12-17 14:20 . 2007-12-17 14:20 <DIR> d-------- C:\Documents and Settings\Jansen\Application Data\Command & Conquer 3 Tiberium Wars
2007-12-17 14:17 . 2007-12-17 14:17 <DIR> d-------- C:\Documents and Settings\Jansen\Application Data\Sony Ericsson
2007-12-15 16:27 . 2007-12-15 16:27 <DIR> d-------- C:\Program Files\RADVideo
2007-12-15 15:19 . 2007-12-15 15:19 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\CNC_Generals_World
2007-12-11 21:43 . 2007-12-11 21:43 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-11 21:43 . 2007-12-11 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-11 21:42 . 2007-12-11 21:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-11 21:26 . 2007-12-11 21:27 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2007-12-09 21:46 . 2007-12-09 21:46 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\Apple Computer
2007-12-09 21:37 . 2007-12-09 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2007-12-08 20:21 . 2006-04-21 10:22 101,072 -ra------ C:\WINDOWS\system32\drivers\zebrmdm.sys
2007-12-08 20:21 . 2006-04-21 10:22 101,008 -ra------ C:\WINDOWS\system32\drivers\zebrmdmc.sys
2007-12-08 20:21 . 2006-04-21 10:22 85,040 -ra------ C:\WINDOWS\system32\drivers\zebrsce.sys
2007-12-08 20:21 . 2006-04-21 10:21 66,864 -ra------ C:\WINDOWS\system32\drivers\zebrbus.sys
2007-12-08 20:21 . 2006-04-21 10:22 9,264 -ra------ C:\WINDOWS\system32\drivers\zebrmdfl.sys
2007-12-08 20:21 . 2006-04-21 10:21 6,208 -ra------ C:\WINDOWS\system32\drivers\zebrcmnt.sys
2007-12-08 20:21 . 2006-04-21 10:21 6,208 -ra------ C:\WINDOWS\system32\drivers\zebrcm.sys
2007-12-08 20:21 . 2007-12-08 20:21 0 --a------ C:\WINDOWS\mngui.INI
2007-12-08 20:18 . 2007-12-08 20:19 <DIR> d-------- C:\Program Files\QuickTime
2007-12-08 20:16 . 2007-12-08 20:16 <DIR> d-------- C:\Program Files\Symbian
2007-12-08 20:16 . 2007-12-08 20:16 <DIR> d-------- C:\Program Files\Intuwave
2007-12-08 20:16 . 2006-04-21 10:21 53,392 -ra------ C:\WINDOWS\system32\drivers\zebrceb.sys
2007-12-08 20:16 . 2006-04-21 10:22 5,904 -ra------ C:\WINDOWS\system32\drivers\zebrwhnt.sys
2007-12-08 20:16 . 2006-04-21 10:22 5,904 -ra------ C:\WINDOWS\system32\drivers\zebrwh.sys
2007-12-08 20:16 . 2005-06-08 15:53 288 --a------ C:\WINDOWS\mrinstu.iss
2007-12-08 20:15 . 2007-12-08 20:16 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-08 20:15 . 2007-12-08 20:15 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-08 20:15 . 2007-12-08 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2007-12-08 20:15 . 2007-12-08 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-08 20:05 . 2007-12-15 14:51 <DIR> d-------- C:\TDdownload
2007-12-07 20:56 . 2007-12-08 20:21 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\Teleca
2007-12-07 20:47 . 2006-04-21 10:21 25,214 -ra------ C:\WINDOWS\system32\memorystick.ico
2007-12-07 20:42 . 2007-12-07 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-07 20:41 . 2007-12-07 20:41 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\Sony Ericsson
2007-12-07 20:40 . 2007-12-11 21:25 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-07 20:40 . 2007-12-08 20:16 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 04:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 08:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-28 15:56 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-28 15:31 --------- d-----w C:\Program Files\Ahead
2007-12-28 13:05 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Microsoft Games
2007-12-28 13:02 --------- d-----w C:\Program Files\Electronic Arts
2007-12-27 13:52 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\AVG7
2007-12-21 17:12 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\U3
2007-12-17 07:13 --------- d-----w C:\Documents and Settings\Jansen\Application Data\AVG7
2007-12-05 18:14 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Samsung
2007-12-05 18:11 --------- d-----w C:\Program Files\Samsung
2007-12-05 12:05 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Canon
2007-12-05 12:00 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\ScanSoft
2007-12-05 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-05 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-05 11:59 --------- d-----w C:\Program Files\ScanSoft
2007-12-05 11:59 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-05 11:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-05 11:55 --------- d-----w C:\Program Files\Common Files\CANON
2007-12-05 11:55 --------- d-----w C:\Program Files\Canon
2007-12-05 11:54 --------- d--h--w C:\Program Files\CanonBJ
2007-12-04 15:21 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Ahead
2007-12-04 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-03 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-02 11:56 --------- d-----w C:\Documents and Settings\Jansen\Application Data\ATI
2007-12-02 06:39 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2007-12-01 11:29 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\PlayFirst
2007-12-01 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-12-01 10:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-01 10:28 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-01 09:38 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Media Player Classic
2007-12-01 08:36 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-01 08:33 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-01 08:24 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\OpenOffice.org2
2007-12-01 08:00 --------- d-----w C:\Program Files\Giganology
2007-12-01 07:36 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-01 07:36 --------- d--h--r C:\Documents and Settings\ANTONI\Application Data\SecuROM
2007-12-01 07:33 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\ATI
2007-12-01 07:26 451,072 ----a-w C:\WINDOWS\Radeon Omega Drivers v3.8.330 Uninstall.exe
2007-12-01 07:03 --------- d-----w C:\Program Files\Tweak-XP
2007-12-01 06:23 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\VSRevoGroup
2007-11-30 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-11-30 01:43 99,776 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-11-30 01:43 388,000 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-11-30 01:43 32,288 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-11-30 01:31 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-30 01:28 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-30 01:25 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-11-30 01:23 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-30 01:23 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-11-29 09:33 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Intel
2007-11-29 09:32 --------- d-----w C:\Program Files\Intel
2007-11-29 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2007-11-29 09:06 --------- d-----w C:\Program Files\VS Revo Group
2007-11-29 08:52 --------- d-----w C:\Program Files\Winamp
2007-11-29 08:50 --------- d-----w C:\Program Files\Java
2007-11-29 08:50 --------- d-----w C:\Program Files\Common Files\Java
2007-11-29 08:43 --------- d-----w C:\Program Files\IrfanView
2007-11-29 08:04 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-11-29 08:04 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-11-29 08:04 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-29 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-29 07:51 --------- d-----w C:\Program Files\Synaptics
2007-11-29 07:50 --------- d-----w C:\Program Files\CONEXANT
2007-11-29 07:49 --------- d-----w C:\Program Files\Realtek
2007-11-29 07:41 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\ATI
2007-11-29 07:39 --------- d-----w C:\Program Files\ATI Technologies
2007-11-29 07:35 --------- d-----w C:\Program Files\IZArc
2007-11-29 05:49 --------- d-----w C:\Program Files\Foxit Software
2007-11-29 04:55 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A5565EF-A594-46E4-AF56-FE71AEAFD7D5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFE2B283-3111-400D-B56E-C9B2E0F9744D}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe" [ ]
"RocketDock"="C:\Program Files\RocketDock\RocketDock .exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-06 18:40 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-06 18:40 45056]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-06 18:40 692315]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-06 18:40 579072]
"AtiPTA"="atiptaxx.exe" [2006-02-22 08:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 19:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-29 15:04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvuvt]

R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2006-04-21 10:21]
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2006-04-21 10:21]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2006-04-21 10:22]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2006-04-21 10:22]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2006-04-21 10:22]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2006-04-21 10:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c4f5fa5-ac7c-11dc-a002-00163631ca12}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ce6672d-aae2-11dc-a001-00163631ca12}]
\Shell\AutoRun\command - G:\PStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8771f3fe-9ff4-11dc-9ff0-00163631ca12}]
\Shell\AutoRun\command - G:\PStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8d96381-a58c-11dc-9ffd-f00087db00f5}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8d96384-a58c-11dc-9ffd-f00087db00f5}]
\shell\explore\Command - boot.exe
\shell\open\Command - boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd17ddb7-a6ec-11dc-9ffe-f7669d6fd131}]
\Shell\Auto\command - G:\PegeFile.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PegeFile.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edf2f4cb-a26c-11dc-9ff5-f94e7f48fb9a}]
\Shell\AutoRun\command - snikivv.exe
\Shell\explore\Command - snikivv.exe
\Shell\open\Command - snikivv.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fae64360-a7f0-11dc-9fff-00163631ca12}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 19:15:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-07 19:16:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 12:16:07


After I executed ComboFix following your procedure, I didn't find any "spacename" process. My process list in Task Manager is back to normal. Is there anything else I can do? Or was my system healed by ComboFix? Thank you in advance..
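The mountpoints2 entries in the ComboFix log above are the per-drive autorun handlers Explorer recorded for removable media that has been plugged into this machine. The script below is an added example, not part of ComboFix or of this thread: it parses that part of a ComboFix "Reg Loading Points" section and flags handlers by structural features only (a relative target that is resolved against the drive root when it mounts, a .pif/.com style launcher, or a hijacked Open/Explore verb, with any RunDLL32 ShellExec_RunDLL wrapper unwrapped first), so an analyst can see which drive entries deserve review. It does not decide what any file is. The excerpt is constructed from the log above, and the regexes and function names are my own.

```python
import re

# Excerpt constructed from the "Reg Loading Points" section of the ComboFix log above.
SAMPLE_COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock .exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c4f5fa5-ac7c-11dc-a002-00163631ca12}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ce6672d-aae2-11dc-a001-00163631ca12}]
\Shell\AutoRun\command - G:\PStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd17ddb7-a6ec-11dc-9ffe-f7669d6fd131}]
\Shell\Auto\command - G:\PegeFile.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PegeFile.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fae64360-a7f0-11dc-9fff-00163631ca12}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
MOUNTPOINT_KEY = re.compile(r"\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.IGNORECASE)
# "\Shell\<verb>\command - <command line>" as ComboFix prints it under each mountpoint.
COMMAND_LINE = re.compile(r"^\\(?P<verb>shell\\[^\\]+\\command) - (?P<command>.+)$", re.IGNORECASE)
SHELLEXEC = re.compile(r"shellexec_rundll\s+(?P<target>\S+)", re.IGNORECASE)
ABSOLUTE = re.compile(r"^[A-Za-z]:\\")
RISKY_EXT = (".pif", ".com", ".scr", ".bat", ".cmd")


def parse_mountpoints(text):
    """Return {guid: {verb: command}} for every mountpoints2 subkey in the excerpt."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            mp = MOUNTPOINT_KEY.search(key["key"])
            # Only mountpoints2 subkeys are collected; other keys reset the context.
            current = result.setdefault(mp["guid"].lower(), {}) if mp else None
            continue
        cmd = COMMAND_LINE.match(line)
        if cmd and current is not None:
            current[cmd["verb"].lower()] = cmd["command"]
    return result


def effective_target(command):
    """Unwrap 'RunDLL32 Shell32.DLL,ShellExec_RunDLL <file>' so the launched file is visible."""
    m = SHELLEXEC.search(command)
    return m["target"] if m else command.strip('"')


def triage_mountpoints(text):
    """One finding per handler that has at least one structural reason for review."""
    findings = []
    for guid, verbs in parse_mountpoints(text).items():
        for verb, command in verbs.items():
            target = effective_target(command)
            reasons = []
            if not ABSOLUTE.match(target):
                reasons.append("relative target: resolved against the drive root when it mounts")
            risky = next((e for e in RISKY_EXT if target.lower().endswith(e)), None)
            if risky:
                reasons.append(f"{risky} launcher: a file type often passed off as data")
            if "\\open\\" in verb or "\\explore\\" in verb:
                reasons.append("hijacks the drive's Open/Explore verb, so opening the drive runs it")
            if reasons:
                findings.append({"guid": guid, "verb": verb, "command": command,
                                 "target": target, "wrapped": target != command,
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_mountpoints(SAMPLE_COMBOFIX_EXCERPT):
        print(f'{f["guid"]} {f["verb"]} -> {f["target"]}')
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

On this excerpt three of the four drive entries are flagged; the G:\PStart.exe handler is absolute, uses only the AutoRun verb and has an ordinary extension, so it produces no structural finding, which says nothing about the file itself, only that this check has no reason to single it out.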

#4 Buckeye_Sam

Malware Expert

Posted 07 January 2008 - 07:13 PM

We've removed the main infection. Now we just need to clean up a bit more and then double check for any remaining infected files.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A5565EF-A594-46E4-AF56-FE71AEAFD7D5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFE2B283-3111-400D-B56E-C9B2E0F9744D}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvuvt]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


==============



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.


==============



Flush your system restore, this will delete any restore points that you have but it will also make sure that any malware hiding in system restore will be booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • Click Start and point to All Programs.
  • Mouse over Accessories, then System Tools, and select System Restore.
  • In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
  • Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.

===============



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan: Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



========================================================

#5 Anthonyn

Topic Starter

Posted 10 January 2008 - 06:21 AM

Sam, here's the new log from ComboFix with CFScript:

ComboFix 08-01-04.1 - ANTONI 2008-01-10 18:06:40.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.633 [GMT 7:00]
Running from: C:\Documents and Settings\ANTONI\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ANTONI\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-07 19:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 20:14 . 2008-01-04 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 18:59 . 2008-01-03 18:59 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\KompoZer
2008-01-01 21:42 . 2008-01-08 22:22 <DIR> d-------- C:\Program Files\RocketDock
2007-12-29 15:39 . 2007-12-29 15:39 <DIR> d-------- C:\Program Files\Webroot
2007-12-29 15:39 . 2007-12-29 15:39 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\Webroot
2007-12-28 22:55 . 2007-12-28 23:09 981 --a------ C:\WINDOWS\eReg.dat
2007-12-28 22:29 . 2005-12-15 18:37 86,095 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2007-12-28 21:44 . 2007-12-28 21:44 <DIR> d-------- C:\Program Files\LucasArts
2007-12-28 20:25 . 2007-12-28 20:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-28 19:40 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-12-28 19:02 . 2007-12-28 19:02 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-27 22:00 . 2007-12-27 22:03 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\Command & Conquer 3 Tiberium Wars
2007-12-27 21:33 . 2007-12-28 11:17 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-27 21:13 . 2007-12-27 21:13 <DIR> d-------- C:\Program Files\CCleaner
2007-12-26 21:40 . 2008-01-10 12:40 657,473 --a------ C:\WINDOWS\Condition Zero Uninstaller.exe
2007-12-26 21:27 . 2007-12-27 21:28 39 --a------ C:\WINDOWS\popcinfo.dat
2007-12-21 23:05 . 2007-12-21 23:05 149 --a------ C:\WINDOWS\CrocPhys.INI
2007-12-21 23:05 . 2007-12-21 23:05 32 --a------ C:\WINDOWS\Crocclip.ini
2007-12-21 23:03 . 2007-12-21 23:04 52 --a------ C:\WINDOWS\CrocChem.INI
2007-12-21 16:39 . 2007-12-21 16:39 <DIR> d-------- C:\WINDOWS\Sun
2007-12-17 16:12 . 2007-12-25 00:30 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\My Battle for Middle-earth™ II Files
2007-12-17 14:20 . 2007-12-17 14:20 <DIR> d-------- C:\Documents and Settings\Jansen\Application Data\Command & Conquer 3 Tiberium Wars
2007-12-17 14:17 . 2007-12-17 14:17 <DIR> d-------- C:\Documents and Settings\Jansen\Application Data\Sony Ericsson
2007-12-15 16:27 . 2007-12-15 16:27 <DIR> d-------- C:\Program Files\RADVideo
2007-12-15 15:19 . 2007-12-15 15:19 <DIR> d-------- C:\Documents and Settings\ANTONI\Application Data\CNC_Generals_World
2007-12-11 21:43 . 2007-12-11 21:43 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-11 21:43 . 2007-12-11 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-11 21:42 . 2007-12-11 21:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-11 21:26 . 2007-12-11 21:27 <DIR> d-------- C:\Program Files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 04:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 08:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-28 15:56 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-28 15:31 --------- d-----w C:\Program Files\Ahead
2007-12-28 13:05 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Microsoft Games
2007-12-28 13:02 --------- d-----w C:\Program Files\Electronic Arts
2007-12-27 13:52 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\AVG7
2007-12-21 17:12 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\U3
2007-12-17 07:13 --------- d-----w C:\Documents and Settings\Jansen\Application Data\AVG7
2007-12-09 14:46 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Apple Computer
2007-12-09 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2007-12-08 13:21 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Teleca
2007-12-08 13:19 --------- d-----w C:\Program Files\QuickTime
2007-12-08 13:16 --------- d-----w C:\Program Files\Symbian
2007-12-08 13:16 --------- d-----w C:\Program Files\Sony Ericsson
2007-12-08 13:16 --------- d-----w C:\Program Files\Intuwave
2007-12-08 13:16 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-12-08 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-08 13:15 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-08 13:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-12-07 13:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-07 13:41 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Sony Ericsson
2007-12-05 18:14 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Samsung
2007-12-05 18:11 --------- d-----w C:\Program Files\Samsung
2007-12-05 12:05 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Canon
2007-12-05 12:00 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\ScanSoft
2007-12-05 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-05 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-05 11:59 --------- d-----w C:\Program Files\ScanSoft
2007-12-05 11:59 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-05 11:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-05 11:55 --------- d-----w C:\Program Files\Common Files\CANON
2007-12-05 11:55 --------- d-----w C:\Program Files\Canon
2007-12-05 11:54 --------- d--h--w C:\Program Files\CanonBJ
2007-12-04 15:21 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Ahead
2007-12-04 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-03 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-02 11:56 --------- d-----w C:\Documents and Settings\Jansen\Application Data\ATI
2007-12-02 06:39 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2007-12-01 11:29 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\PlayFirst
2007-12-01 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-12-01 10:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-01 10:28 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-01 09:38 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Media Player Classic
2007-12-01 08:36 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-01 08:33 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-01 08:24 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\OpenOffice.org2
2007-12-01 08:00 --------- d-----w C:\Program Files\Giganology
2007-12-01 07:36 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-01 07:36 --------- d--h--r C:\Documents and Settings\ANTONI\Application Data\SecuROM
2007-12-01 07:33 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\ATI
2007-12-01 07:26 451,072 ----a-w C:\WINDOWS\Radeon Omega Drivers v3.8.330 Uninstall.exe
2007-12-01 07:03 --------- d-----w C:\Program Files\Tweak-XP
2007-12-01 06:23 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\VSRevoGroup
2007-11-30 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-11-30 01:43 99,776 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-11-30 01:43 388,000 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-11-30 01:43 32,288 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-11-30 01:31 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-30 01:28 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-30 01:25 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-11-30 01:23 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-30 01:23 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-11-29 09:33 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\Intel
2007-11-29 09:32 --------- d-----w C:\Program Files\Intel
2007-11-29 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2007-11-29 09:06 --------- d-----w C:\Program Files\VS Revo Group
2007-11-29 08:52 --------- d-----w C:\Program Files\Winamp
2007-11-29 08:50 --------- d-----w C:\Program Files\Java
2007-11-29 08:50 --------- d-----w C:\Program Files\Common Files\Java
2007-11-29 08:43 --------- d-----w C:\Program Files\IrfanView
2007-11-29 08:04 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-11-29 08:04 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-11-29 08:04 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-29 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-29 07:51 --------- d-----w C:\Program Files\Synaptics
2007-11-29 07:50 --------- d-----w C:\Program Files\CONEXANT
2007-11-29 07:49 --------- d-----w C:\Program Files\Realtek
2007-11-29 07:41 --------- d-----w C:\Documents and Settings\ANTONI\Application Data\ATI
2007-11-29 07:39 --------- d-----w C:\Program Files\ATI Technologies
2007-11-29 07:35 --------- d-----w C:\Program Files\IZArc
2007-11-29 05:49 --------- d-----w C:\Program Files\Foxit Software
2007-11-29 04:55 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-01-07_19.15.57.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 08:05:23 91,756 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-10 11:07:50 96,418 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-06 08:05:23 449,926 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-10 11:07:50 457,810 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe" [ ]
"RocketDock"="C:\Program Files\RocketDock\RocketDock .exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"AtiPTA"="atiptaxx.exe" [2006-02-22 08:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 19:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-29 15:04 219136]

R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2006-04-21 10:21]
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2006-04-21 10:21]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2006-04-21 10:22]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2006-04-21 10:22]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2006-04-21 10:22]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2006-04-21 10:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c4f5fa5-ac7c-11dc-a002-00163631ca12}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ce6672d-aae2-11dc-a001-00163631ca12}]
\Shell\AutoRun\command - G:\PStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8771f3fe-9ff4-11dc-9ff0-00163631ca12}]
\Shell\AutoRun\command - G:\PStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8d96381-a58c-11dc-9ffd-f00087db00f5}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8d96384-a58c-11dc-9ffd-f00087db00f5}]
\shell\explore\Command - boot.exe
\shell\open\Command - boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd17ddb7-a6ec-11dc-9ffe-f7669d6fd131}]
\Shell\Auto\command - G:\PegeFile.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PegeFile.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edf2f4cb-a26c-11dc-9ff5-f94e7f48fb9a}]
\Shell\AutoRun\command - snikivv.exe
\Shell\explore\Command - snikivv.exe
\Shell\open\Command - snikivv.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fae64360-a7f0-11dc-9fff-00163631ca12}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 18:08:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 18:08:18
ComboFix-quarantined-files.txt 2008-01-10 11:08:17
ComboFix2.txt 2008-01-10 04:31:44
ComboFix3.txt 2008-01-07 12:16:09

Here's the new log from HJT :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:10, on 10/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\WINDOWS\explorer.exe
D:\DOWNLOADS\HiJackThis\HijackThis Application.exe

O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe" /0
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock .exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C25AFC76-3DCF-47B3-A53B-2B08BD16A950}: NameServer = 202.134.0.155,202.134.2.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3667 bytes


Sam, I don't have time to scan with Kaspersky right now.. Sorry, but I have a lot of work to do at school.. And I'm using a 56Kbps dial-up Internet connection.. I'll find another time and reply to you once I've scanned my computer. Sorry Sam.. Thank you very much for your help..

Edited by Anthonyn, 10 January 2008 - 06:22 AM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 January 2008 - 06:15 PM

No problem. Just run it when you can and reply back with the log. This trojan infects a lot of files and the Kaspersky scan will pick up any that we missed. It's an important step because if we don't get them all the whole thing could come back.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2008 - 05:03 PM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.