
Massive Infestation: Is It Gone Yet?


3 replies to this topic

#1 gekkoe

Posted 22 January 2008 - 07:49 AM

Hi folks,

I'm an experienced techie, but more of a programmer than a security expert. Your expertise would be much appreciated.

This is the log from a friend's computer. She picked up something nasty on Limewire. It's the worst infestation I've ever tried to clean and I'm not entirely sure I got it all. (It snuck back on me a couple of times.)

I read the following link and followed the directions before reading all the dire warnings about not using ComboFix. But I must have been lucky, as it doesn't seem to have caused problems.

http://www.techspot.com/vb/topic58138.html


I also ran Stinger as instructed there.

No root kits were found. VundoFix removed a few files. I also removed something called StorageProtector and a trojan dropper that kept inserting itself in anything that I installed that put itself in the HKLM/.../Run key. (I was able to stop it from doing this by shutting down the permissions on this key temporarily while I worked though.)

There were well over 13,000 virus files on this computer, though it doesn't appear thus far that any of them actually damaged things. It looks as if the whole mess was designed to slow you down to an insane rate, and it worked rather well. It took me many hours just to get through the 15 steps in the link above, even with increasing priorities on the apps I ran and doing my best to decrease them on the virus processes. It was a real bear.

So the real question is... is the &$*#)(&@) thing gone yet? Sure hope so, but I'd rather learn now than later if not.

Below is the ComboFix log from midway through the cleaning process. I'll follow it, after a delimiter, with the HijackThis file after I was all finished.

ComboFix 08-01-09.2 - deleteme 2008-01-16 5:23:22.1 - NTFSx86
Running from: C:\Documents and Settings\deleteme\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\storageprotector
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\user
C:\Program Files\inetget2
C:\Program Files\Router
C:\Program Files\Temporary
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.6\wbuninst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cehhk.ini
C:\WINDOWS\system32\cehhk.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\eqkexoxt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\onppo.ini
C:\WINDOWS\system32\onppo.ini2
C:\WINDOWS\system32\oppno.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\wvuvsrs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-21 04:36 . 2008-01-21 04:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 04:09 . 2008-01-16 06:04 27,294 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-01-21 04:09 . 2008-01-16 06:04 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-01-21 04:09 . 2008-01-16 06:04 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-01-21 04:09 . 2008-01-16 06:04 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-01-21 04:09 . 2008-01-16 06:04 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-01-21 04:09 . 2008-01-16 06:04 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-01-21 04:09 . 2008-01-16 06:04 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-01-21 04:09 . 2008-01-16 06:04 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-01-21 03:21 . 2008-01-21 03:21 1,496 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-21 03:16 . 2008-01-21 03:16 <DIR> d-------- C:\Program Files\CA
2008-01-21 03:03 . 2008-01-21 03:05 <DIR> d-------- C:\Program Files\CCleaner
2008-01-21 02:52 . 2008-01-21 02:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-21 02:52 . 2008-01-21 02:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 02:19 . 2008-01-21 02:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 00:31 . 2008-01-21 00:31 <DIR> d-------- C:\Documents and Settings\deleteme\Application Data\Grisoft
2008-01-21 00:30 . 2007-05-30 02:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-20 21:26 . 2008-01-16 06:07 239,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-20 21:26 . 2008-01-16 06:04 3,836 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-20 20:56 . 2008-01-20 20:56 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-20 18:37 . 2008-01-20 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-20 18:37 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-20 18:37 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-20 18:37 . 2008-01-20 20:56 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-01-20 18:36 . 2008-01-16 06:07 353,365 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-20 18:30 . 2008-01-20 20:58 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-20 18:30 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-20 18:03 . 2008-01-16 05:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-16 16:20 . 2008-01-16 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-16 15:50 . 2008-01-16 15:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 11:21 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-16 09:53 . 2008-01-20 22:13 <DIR> d-------- C:\Documents and Settings\deleteme\.housecall6.6
2008-01-16 09:35 . 2008-01-16 09:48 <DIR> d-------- C:\Documents and Settings\deleteme\Application Data\Yahoo!
2008-01-16 05:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 00:11 . 2008-01-16 00:11 <DIR> d-------- C:\Documents and Settings\deleteme\Application Data\HP
2008-01-15 22:48 . 2004-08-26 23:54 <DIR> d-------- C:\Documents and Settings\deleteme\WINDOWS
2008-01-15 22:48 . 2007-04-27 14:14 <DIR> d-------- C:\Documents and Settings\deleteme\Application Data\SampleView
2008-01-15 22:48 . 2007-04-27 14:13 <DIR> d-------- C:\Documents and Settings\deleteme\Application Data\McAfee
2008-01-15 21:27 . 2008-01-15 21:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-15 21:27 . 2008-01-20 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-15 20:55 . 2008-01-15 21:00 <DIR> d-------- C:\TEMP\kav
2008-01-15 20:32 . 2008-01-15 20:32 <DIR> d-------- C:\KAV
2008-01-15 16:56 . 2007-12-04 03:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-15 16:56 . 2004-01-08 23:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-15 16:56 . 2007-12-04 02:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-15 16:56 . 2007-12-04 04:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-15 16:56 . 2007-12-04 04:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-15 16:56 . 2007-12-04 04:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-15 16:56 . 2007-12-04 04:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-15 16:56 . 2007-12-04 04:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-15 16:55 . 2008-01-15 16:55 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-15 15:06 . 2008-01-15 21:14 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-15 14:45 . 2004-08-26 23:54 <DIR> d-------- C:\Documents and Settings\Administrator.KARI-LAPTOP\WINDOWS
2008-01-15 14:45 . 2007-04-27 14:14 <DIR> d-------- C:\Documents and Settings\Administrator.KARI-LAPTOP\Application Data\SampleView
2008-01-15 14:45 . 2007-04-27 14:13 <DIR> d-------- C:\Documents and Settings\Administrator.KARI-LAPTOP\Application Data\McAfee
2008-01-13 11:27 . 2008-01-13 11:27 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-13 10:15 . 2008-01-13 10:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-13 10:15 . 2008-01-13 10:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-12 19:51 . 2008-01-15 14:37 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-12 19:50 . 2008-01-15 14:37 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-12 19:50 . 2008-01-15 14:37 118,784 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-11 20:46 . 2008-01-20 19:41 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-11 20:40 . 2008-01-11 20:40 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-11 20:37 . 2008-01-11 20:38 <DIR> d-------- C:\WINDOWS\system32\vt8
2008-01-11 20:37 . 2008-01-11 20:38 <DIR> d-------- C:\WINDOWS\system32\mp2
2008-01-11 20:37 . 2008-01-12 19:46 <DIR> d-------- C:\WINDOWS\system32\ez4
2008-01-11 20:37 . 2008-01-16 03:42 <DIR> d-------- C:\WINDOWS\system32\edcA18
2008-01-11 20:37 . 2008-01-11 20:37 <DIR> d-------- C:\WINDOWS\system32\che9
2008-01-11 20:37 . 2008-01-11 20:37 <DIR> d-------- C:\TEMP\Ryuan1
2008-01-11 20:37 . 2008-01-11 20:37 39,424 --a------ C:\WINDOWS\system32\efcaaxx.dll.vir
2008-01-11 20:31 . 2008-01-15 09:59 <DIR> d-------- C:\Program Files\BrowsingAdvisor
2007-12-22 19:36 . 2007-12-22 19:37 50 --a------ C:\WINDOWS\cdplayer.ini
2007-12-20 10:32 . 2008-01-14 09:25 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 12:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 06:02 --------- d-----w C:\Program Files\QuickTime
2008-01-21 05:48 --------- d-----w C:\Program Files\iTunes
2008-01-21 05:41 --------- d-----w C:\Program Files\eFax Messenger 4.3
2008-01-21 05:41 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-21 03:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-16 11:59 22 ----a-w C:\WINDOWS\Fonts\x.zip
2008-01-15 01:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-14 19:26 --------- d-----w C:\Program Files\Google
2008-01-14 05:29 --------- d-----w C:\Program Files\Incomplete
2007-12-13 19:54 --------- d-----w C:\Program Files\Illustrator CS
2007-12-02 10:28 --------- d-----w C:\Program Files\Pure Networks
2007-11-24 22:50 --------- d-----w C:\Program Files\Plus!
2007-11-24 22:00 --------- d-----w C:\Program Files\Common Files\LogiShrd
2007-11-24 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-19 04:49 --------- d-----w C:\Program Files\DIFX
2007-11-16 08:10 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-16 06:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2004-08-04 19:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 19:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-20 06:26 1,216 --sh--w C:\WINDOWS\Twunk_16.dll
2004-08-20 06:26 1,216 --sh--w C:\WINDOWS\Twunk_32.dll
2004-08-04 19:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 19:00 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 19:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 19:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 19:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 19:00 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.
<pre>
----a-w			39,792 2008-01-16 00:39:34  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w			79,224 2008-01-16 07:59:32  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w			50,688 2008-01-16 00:37:59  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w		   185,632 2008-01-16 00:39:36  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			32,768 2008-01-16 07:59:03  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w		   139,264 2008-01-16 00:37:07  C:\Program Files\Digital Media Reader\shwicon2k .exe
----a-w		   116,224 2008-01-16 00:39:45  C:\Program Files\eFax Messenger 4.3\J2GDllCmd .exe
----a-w			68,856 2008-01-16 07:59:43  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		 6,731,312 2008-01-21 04:43:48  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
----a-w			49,152 2008-01-16 07:59:28  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   257,088 2008-01-16 00:39:03  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			83,608 2008-01-16 07:59:24  C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w		   231,952 2008-01-16 22:14:42  C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
----a-w		 1,694,208 2008-01-15 03:25:05  C:\Program Files\Messenger\msmsgs .exe
----a-w		22,880,040 2008-01-14 23:42:54  C:\Program Files\Skype\Phone\Skype .exe
----a-w		   688,218 2008-01-16 00:37:45  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w			98,394 2008-01-16 00:37:31  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
----a-w		   919,016 2008-01-21 04:45:49  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
----a-w		   158,208 2008-01-21 02:35:05  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w		   212,992 2008-01-16 00:37:03  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w			15,360 2008-01-16 07:14:37  C:\WINDOWS\system32\ctfmon .exe
----a-w		   118,784 2008-01-16 00:37:10  C:\WINDOWS\system32\hkcmd .exe
----a-w		   155,648 2008-01-16 00:37:08  C:\WINDOWS\system32\igfxtray .exe
----a-w		   155,648 2008-01-16 00:37:24  C:\WINDOWS\system32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49b7815f-3477-4ea9-8422-b39c4a50c393}]
C:\WINDOWS\system32\mhiwnjvr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B7D223-86B9-40D9-B201-37F99AB2302A}]
C:\WINDOWS\system32\khhec.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9646b741-02df-424b-91ed-e3b525fac012}]
C:\WINDOWS\system32\iakgaoa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-20 20:56 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1E96EDC-E0C8-BE98-1F15-C29DBED83B53}]
2007-12-30 10:49 1019904 --a------ C:\Program Files\BrowsingAdvisor\BrowsingAdvisor-1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-20 20:56 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-01-31 12:00 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"CAISafe"=2 (0x2)

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-05-31 10:43]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-03-21 15:57]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-03-16 01:39]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-05-31 10:43]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 17:00]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-03-21 13:31]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-03-27 10:32]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-03-23 16:01]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-03-05 19:36]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-03-19 16:06]
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 06:08:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 6:13:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 16:13:19
.
2008-01-09 07:02:42 --- E O F ---




********************HIJACKTHIS FILE FOLLOWS**************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31 AM, on 2008-01-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Trend Micro\HijackThis\kekahu.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: {393c05a4-c93b-2248-9ae4-7743f5187b94} - {49b7815f-3477-4ea9-8422-b39c4a50c393} - C:\WINDOWS\system32\mhiwnjvr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B7D223-86B9-40D9-B201-37F99AB2302A} - C:\WINDOWS\system32\khhec.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9646b741-02df-424b-91ed-e3b525fac012} - C:\WINDOWS\system32\iakgaoa.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: BrowsingAdvisor - {F1E96EDC-E0C8-BE98-1F15-C29DBED83B53} - C:\Program Files\BrowsingAdvisor\BrowsingAdvisor-1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Unknown owner - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7225 bytes



Thanks Much,

Gekkoe
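As an added example (not part of gekkoe's post and not code from the HijackThis tool), here is a small Python parser for the HijackThis O2/O3/O4/O23 line format shown in the log above. It flags the residue that log still carries: load points whose DLL is reported as "(file missing)" and services with no publisher. The sample lines are copied from the posted log; the function and class names (`parse_hjt_line`, `find_orphaned_entries`, `Finding`) are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of HijackThis v2 lines of the kind pasted in the
# post above (some clean entries, three orphaned ones), not the full log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {393c05a4-c93b-2248-9ae4-7743f5187b94} - {49b7815f-3477-4ea9-8422-b39c4a50c393} - C:\WINDOWS\system32\mhiwnjvr.dll (file missing)
O2 - BHO: (no name) - {53B7D223-86B9-40D9-B201-37F99AB2302A} - C:\WINDOWS\system32\khhec.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (file missing)
"""

# "O<n> - <body>": the section code identifies the kind of load point.
HJT_LINE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
# O4 bodies look like: HKLM\..\Run: [Display name] C:\path\to\file.exe
O4_RUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reason: str


def parse_hjt_line(line: str) -> Optional[dict]:
    """Split one HijackThis line into section, display name and target path.

    Fields are separated by " - " and the path is always the last field, so a
    " - " inside a display name only affects the name, never the path.
    """
    m = HJT_LINE.match(line.strip())
    if m is None:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        run = O4_RUN.match(body)
        if run is None:
            return None
        return {"section": section, "name": run.group("name"),
                "fields": [run.group("key")], "path": run.group("path").strip('"')}
    fields = [f.strip() for f in body.split(" - ")]
    return {"section": section, "name": fields[0], "fields": fields, "path": fields[-1]}


def find_orphaned_entries(log_text: str) -> List[Finding]:
    """Flag load points whose target no longer exists and services with no
    publisher. Orphaned entries are the usual residue after a cleaner removes
    the files but leaves behind the registry references that loaded them."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        path = entry["path"]
        if path.endswith(FILE_MISSING):
            findings.append(Finding(entry["section"], entry["name"],
                                    path[: -len(FILE_MISSING)].strip(),
                                    "load point references a file that is gone"))
        elif entry["section"] == "O23" and "Unknown owner" in entry["fields"]:
            findings.append(Finding(entry["section"], entry["name"], path,
                                    "service with no publisher information"))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_entries(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.path} -> {f.reason}")
```

Run against the full posted log, the same function also picks out the ITMRTSVC and PPCtlPriv services, which are exactly the leftover references a helper would ask to have removed.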


#2 gekkoe


Posted 22 January 2008 - 08:07 AM

Forgot to mention....

The Windows Installer keeps popping up at odd times trying to install Office (which is already installed, as far as I know), and there was a repeated attempt to find drivers for "Mass Storage Controller" that I finally disabled because it kept nagging me at the beginning of every boot-up.

I wasn't sure if either or both of these were virus-related.

Also, I was able to (seemingly) work without the viruses running by doing a diagnostic boot with msconfig or booting in safe mode. But when I turned just the services back on, I had what seemed to be virus activity again. This led me to believe that one or more of the critters had installed itself as a service.

It all seems to be clear now except the Office install dialogs and the Mass Storage Controller.... But I'm not a very trusting soul.

Thanks again,

Gekkoe

Edited by gekkoe, 22 January 2008 - 08:09 AM.


#3 SNOWHITE


Posted 02 February 2008 - 04:04 PM

Hello gekkoe,

Sorry for the late reply, but as you can see we handle more than our fair share of logs. If you still have problems please post a fresh HijackThis log and we can begin the cleaning process.

Regards,
SNOWHITE

#4 SNOWHITE


Posted 10 February 2008 - 06:08 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you
SNOWHITE
