Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Iexplore.exe Using Up A Lot Of Resources When No Ie Window Is Open


  • This topic is locked This topic is locked
14 replies to this topic

#1 Raddue

Raddue

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 04 February 2008 - 05:33 PM

When using IE I got a strange error message that said "Internet Explorer cannot open page www.*.cl". I immediately believed myself to be infected with something so I ran an F-Protect Online Scan, an AVG scan, a scan with SpyBot and I am at this moment running a scan with Trend Micro HouseCall 6.5. So far, none of them have detected anything. When I open my Task Manager even when no IE windows are open, the process iexplore.exe is using 40 megabytes. :thumbsup:

For the life of me I can find nothing wrong but I know something's there. Help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:56 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\raddue\Desktop\BootZilla420\BZ 4.2.0\BZ\Utils\jkdefrag.7zSFX.exe
C:\DOCUME~1\raddue\LOCALS~1\Temp\7zS47.tmp\JKDefragGUI.exe
C:\Documents and Settings\raddue\Local Settings\Temp\7zS47.tmp\Programs\JkDefrag.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\raddue\Desktop\BootZilla420\BZ 4.2.0\BZ\Malware\HijackThis2_sfx.exe
C:\DOCUME~1\raddue\LOCALS~1\Temp\7zS48.tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: PowerFlash Class - {DC888631-57F5-4AF4-86B3-BDE5F854DCBF} - C:\WINDOWS\system32\pwfsh.dll
O3 - Toolbar: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173225637546
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://remote.teamlogicit.net/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\Software\..\Telephony: DomainName = Beaverton.cogentlogik.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C0ADB6E-D730-46EE-AF2A-B4735DCAA419}: NameServer = 10.1.2.20,10.1.1.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8882 bytes



BC AdBot (Login to Remove)

 


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 AM

Posted 15 February 2008 - 04:50 AM

Hi Raddue, :thumbsup:

If you still need help please post a new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide for use before posting a HijackThis Log , and I'll be happy to look at it for you.

Thanks for your patience. :blink:

#3 Raddue

Raddue
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 22 February 2008 - 01:21 PM

Yes, I would still like help with this problem, and I have followed the directions in that thread.

Thank you!

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 AM

Posted 22 February 2008 - 03:05 PM

Hi Raddue, :thumbsup:

Looking forward to your HJT log. :blink:

#5 Raddue

Raddue
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 22 February 2008 - 03:55 PM

That just might help, huh? Sorry 'bout that.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:37 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\DOCUME~1\raddue\LOCALS~1\Temp\vncviewer.exe
C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\raddue\Desktop\BootZilla420\BZ 4.2.0\BZ\Malware\HijackThis2_sfx.exe
C:\DOCUME~1\raddue\LOCALS~1\Temp\7zS35.tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: PowerFlash Class - {DC888631-57F5-4AF4-86B3-BDE5F854DCBF} - C:\WINDOWS\system32\pwfsh.dll
O3 - Toolbar: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [CmUsbAudio] RunDll32 cmcnfg2.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173225637546
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://remote.teamlogicit.net/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\Software\..\Telephony: DomainName = Beaverton.cogentlogik.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C0ADB6E-D730-46EE-AF2A-B4735DCAA419}: NameServer = 10.1.2.20,10.1.1.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8557 bytes



#6 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 AM

Posted 23 February 2008 - 05:39 AM

Hi Raddue, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

No need for the quotes by the way just copy/paste the log and use the Add Reply button.

Could you remove your version of HijackThis and follow instructions in step 9 of the Preparation Guide for use before posting a HijackThis Log to download, install and run HijackThis.

Thanks.

#7 Raddue

Raddue
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 25 February 2008 - 01:21 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:27 AM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\raddue\Desktop\Victoria\victoria43.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: PowerFlash Class - {DC888631-57F5-4AF4-86B3-BDE5F854DCBF} - C:\WINDOWS\system32\pwfsh.dll
O3 - Toolbar: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [CmUsbAudio] RunDll32 cmcnfg2.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173225637546
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://remote.teamlogicit.net/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\Software\..\Telephony: DomainName = Beaverton.cogentlogik.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C0ADB6E-D730-46EE-AF2A-B4735DCAA419}: NameServer = 10.1.2.20,10.1.1.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8540 bytes

#8 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 AM

Posted 27 February 2008 - 02:45 PM

Hi Raddue, :thumbsup:

1.

When using IE I got a strange error message that said "Internet Explorer cannot open page www.*.cl". I immediately believed myself to be infected with something so I ran an F-Protect Online Scan, an AVG scan, a scan with SpyBot and I am at this moment running a scan with Trend Micro HouseCall 6.5. So far, none of them have detected anything. When I open my Task Manager even when no IE windows are open, the process iexplore.exe is using 40 megabytes.


Let's concentrate on the possibility of malware first. If you have more specific information on the error, that would be helpfull though.

2. Are you using a firewall? I see nothing in your log that would indicate that you have one installed and active.

If not I urge you to install one since it's your first defense against malware. There are several good but for free programmes available like:

Comodo Firewall Pro
Online Armor Free edition
Kerio

For a tutorial on Firewalls click: Understanding and Using Firewalls!

3. Run HijackThis, click the Config... button, then go to the Misc Tools section and click Open Uninstall Manager. You'll see a list of programs; click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

4. Please follow instructions for downloading and running ComboFix in: How to use ComboFix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with the uninstall_list.txt and a new HijackThis log.

#9 Raddue

Raddue
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 29 February 2008 - 12:21 PM

ComboFix:

ComboFix 08-02-25.3 - raddue 2008-02-28 16:49:35.1 - NTFSx86
Running from: C:\Documents and Settings\raddue\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.

2008-02-22 10:46 . 2008-02-22 10:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-22 10:05 . 2008-02-22 10:08 33,255,424 --a------ C:\WINDOWS\system32\HKOBLBNV
2008-02-13 15:07 . 2008-02-13 15:08 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-07 08:49 . 2008-02-07 08:49 <DIR> d--hs---- C:\found.000
2008-02-04 14:25 . 2008-02-04 15:29 <DIR> d-------- C:\Documents and Settings\raddue\.housecall6.6
2008-02-04 14:15 . 2008-02-04 14:15 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-04 14:15 . 2007-07-25 14:24 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-04 14:15 . 2006-09-24 16:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2008-02-04 14:15 . 2007-03-10 12:51 282,624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-04 14:15 . 2004-01-25 17:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-02-04 14:15 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-02-04 14:15 . 2007-09-21 01:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-02-04 14:15 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-02-04 14:15 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-02-04 14:15 . 2007-10-03 16:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-02-04 09:10 . 2008-02-28 16:00 <DIR> d-------- C:\Recycled
2008-01-29 09:29 . 2004-08-16 12:00 20,480 --a------ C:\WINDOWS\crtsve.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 17:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-28 08:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-22 21:31 --------- d-----w C:\Documents and Settings\raddue\Application Data\AVG7
2008-02-13 18:18 --------- d-----w C:\Program Files\Prime95
2008-02-13 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-04 22:16 --------- d-----w C:\Program Files\Java
2008-02-04 18:56 --------- d-----w C:\Program Files\nnBackup
2008-01-14 23:26 --------- d-----w C:\Documents and Settings\raddue\Application Data\U3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1}]
2007-12-10 14:03 1502232 --a------ C:\Program Files\TeamLogic_IT\tbTea1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}]
2004-08-16 12:00 77824 --a------ C:\WINDOWS\system32\pwfsh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6F1AB7EE-9FA2-4A20-88A3-69F137C2C3A1}

[HKEY_CLASSES_ROOT\clsid\{6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6F1AB7EE-9FA2-4A20-88A3-69F137C2C3A1}"= C:\Program Files\TeamLogic_IT\tbTea1.dll [2007-12-10 14:03 1502232]

[HKEY_CLASSES_ROOT\clsid\{6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 19:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 19:17 118784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-02-01 12:22 1129232]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 12:03 1862112]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 12:01 140832]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 00:51 172032]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 17:24 913408]
"Kaseya Agent Service Helper"="C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe" [2007-06-04 20:04 192512]
"CmUsbAudio"="cmcnfg2.cpl" []
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 08:57 245760]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-12-12 10:16 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-10-13 17:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-03-23 19:17 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Iprip;Remote IPRIP Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:00]
R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\TeamLogic IT\Agent\AgentMon.exe" [2007-06-04 19:52]
R2 KaseyaAVService;Kaseya Security Service;"C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe" [2008-01-11 09:31]
R3 cmuda2;C-Media USB Audio Interface;C:\WINDOWS\system32\drivers\cmuda2.sys [2004-01-06 15:21]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 15:58]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 15:59]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\raddue\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [2007-12-13 11:14]
S3 PORTMON;PORTMON;C:\Documents and Settings\raddue\Desktop\BootZilla4\BootZilla\BZ\Utils\sysinternals\PORTMSYS.SYS []
S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys [2002-01-12 12:30]
S3 SIVDRIVER;SIV Kernel Driver;C:\WINDOWS\system32\Drivers\SIVX32.sys [2007-10-14 10:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fc9964-bf0a-11dc-b461-0016769d164b}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fc9965-bf0a-11dc-b461-0016769d164b}]
\Shell\Auto\command - N:\tah.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tah.exe

*Newly Created Service* - IPRIP
*Newly Created Service* - KASEYAAVSERVICE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 09:09:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-29 9:16:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-29 17:16:08
.
2008-02-13 11:05:14 --- E O F ---


uninstall_list.txt:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acronis True Image Workstation
Adobe Reader 7.0.9
Adobe Shockwave Player
AVG 7.5
C-Media USB WDM Audio Driver
DigitalPersona Password Manager 1.0.1
DivX Content Uploader
DivX Web Player
GetDataBack for NTFS
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
HP Color LaserJet 2820/2830/2840 2.0
HP Image Zone 4.7
ImgBurn (Remove Only)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Java™ 6 Update 3
Java™ 6 Update 4
Kaseya Agent
Kaspersky Online Scanner
K-Lite Codec Pack 3.6.5 Corporate Edition
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
neroxml
Norton PartitionMagic 8.0
PrimoPDF
PrimoPDF Redistribution Package
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB923789)
SigmaTel Audio
TeamLogic IT Toolbar
TrueCrypt
Update for Outlook 2007 Junk Email Filter (kb944965)
VCRedistSetup
VNC Free Edition 4.1.2
Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver


HiJack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:59 AM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: PowerFlash Class - {DC888631-57F5-4AF4-86B3-BDE5F854DCBF} - C:\WINDOWS\system32\pwfsh.dll
O3 - Toolbar: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [CmUsbAudio] RunDll32 cmcnfg2.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [repst] C:\WINDOWS\fsrep.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173225637546
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://remote.teamlogicit.net/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\Software\..\Telephony: DomainName = Beaverton.cogentlogik.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C0ADB6E-D730-46EE-AF2A-B4735DCAA419}: NameServer = 10.1.2.20,10.1.1.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8415 bytes

#10 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:05:17 AM

Posted 06 March 2008 - 02:17 AM

Hello Raddue :thumbsup:

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\crtsve.exe
C:\WINDOWS\system32\pwfsh.dll
C:\WINDOWS\fsrep.exe
Driver::
Iprip
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fc9964-bf0a-11dc-b461-0016769d164b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fc9965-bf0a-11dc-b461-0016769d164b}]


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Posted Image

#11 Raddue

Raddue
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 06 March 2008 - 12:32 PM

ComboFix:

ComboFix 08-03-05.3 - raddue 2008-03-06 9:18:57.2 - NTFSx86
Running from: C:\Documents and Settings\raddue\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\raddue\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\crtsve.exe
C:\WINDOWS\fsrep.exe
C:\WINDOWS\system32\pwfsh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\crtsve.exe
C:\WINDOWS\fsrep.exe
C:\WINDOWS\system32\pwfsh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-05 12:22 . 2008-03-05 12:22 <DIR> d-------- C:\Program Files\CertExams.com Simulator
2008-03-05 12:22 . 2008-03-05 12:22 249,856 --------- C:\WINDOWS\Setup1.exe
2008-03-05 12:22 . 2008-03-05 12:22 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-03-03 09:03 . 2008-03-03 09:03 <DIR> d--hs---- C:\found.001
2008-02-22 10:46 . 2008-02-22 10:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-22 10:05 . 2008-02-22 10:08 33,255,424 --a------ C:\WINDOWS\system32\HKOBLBNV
2008-02-13 15:07 . 2008-02-13 15:08 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-07 08:49 . 2008-02-07 08:49 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 17:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-06 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-05 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-05 20:21 --------- d-----w C:\Documents and Settings\raddue\Application Data\AVG7
2008-03-05 15:56 20,480 ----a-w C:\WINDOWS\fsrep.exe
2008-02-13 18:18 --------- d-----w C:\Program Files\Prime95
2008-02-04 22:16 --------- d-----w C:\Program Files\Java
2008-02-04 22:15 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-02-04 18:56 --------- d-----w C:\Program Files\nnBackup
2008-01-14 23:26 --------- d-----w C:\Documents and Settings\raddue\Application Data\U3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1}]
2007-12-10 14:03 1502232 --a------ C:\Program Files\TeamLogic_IT\tbTea1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6F1AB7EE-9FA2-4A20-88A3-69F137C2C3A1}

[HKEY_CLASSES_ROOT\clsid\{6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6F1AB7EE-9FA2-4A20-88A3-69F137C2C3A1}"= C:\Program Files\TeamLogic_IT\tbTea1.dll [2007-12-10 14:03 1502232]

[HKEY_CLASSES_ROOT\clsid\{6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 19:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 19:17 118784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-02-01 12:22 1129232]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 12:03 1862112]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 12:01 140832]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 00:51 172032]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 17:24 913408]
"Kaseya Agent Service Helper"="C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe" [2007-06-04 20:04 192512]
"CmUsbAudio"="cmcnfg2.cpl" []
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 08:57 245760]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-12-12 10:16 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-10-13 17:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-03-23 19:17 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\TeamLogic IT\Agent\AgentMon.exe" -s []
R2 KaseyaAVService;Kaseya Security Service;"C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe" -s []
R3 cmuda2;C-Media USB Audio Interface;C:\WINDOWS\system32\drivers\cmuda2.sys [2004-01-06 15:21]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 15:58]
R3 KAPFA;KAPFA;C:\WINDOWS\system32\drivers\KAPFA.SYS [2007-05-11 09:31]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 15:59]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\raddue\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 PORTMON;PORTMON;C:\Documents and Settings\raddue\Desktop\BootZilla4\BootZilla\BZ\Utils\sysinternals\PORTMSYS.SYS []
S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys [2002-01-12 12:30]
S3 SIVDRIVER;SIV Kernel Driver;C:\WINDOWS\system32\Drivers\SIVX32.sys [2007-10-14 10:17]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 09:28:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-03-06 9:30:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 17:30:15
ComboFix2.txt 2008-02-29 17:16:18
.
2008-02-13 11:05:14 --- E O F ---






HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:52 AM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: TeamLogic IT Toolbar - {6f1ab7ee-9fa2-4a20-88a3-69f137c2c3a1} - C:\Program Files\TeamLogic_IT\tbTea1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [CmUsbAudio] RunDll32 cmcnfg2.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173225637546
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://remote.teamlogicit.net/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\Software\..\Telephony: DomainName = Beaverton.cogentlogik.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C0ADB6E-D730-46EE-AF2A-B4735DCAA419}: NameServer = 10.1.2.20,10.1.1.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Beaverton.cogentlogik.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7726 bytes

Edited by Raddue, 06 March 2008 - 12:33 PM.


#12 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:05:17 AM

Posted 06 March 2008 - 01:51 PM

Hello Raddue :thumbsup:

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Posted Image

#13 Raddue

Raddue
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 06 March 2008 - 04:53 PM

Thanks for the quick response!

Here's the log:


Scanning Report
Thursday, March 06, 2008 12:20:01 - 13:52:05

Computer name: TLI-BV-DSK02
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 3 malware found
AdWare.Win32.BHO (spyware)

* System

RemoteAdmin.Win32.WinVNC (spyware)

* System

Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 31035
* System: 3244
* Not scanned: 16

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 3
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{C325C3F9-F854-4D91-B83C-A6C95B13A86E}.BIN
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\09D0E08297FB531843D0377BE160DC6B_39237902-BDDD-4D48-ACF1-33BD5B643836
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0BB716C89C1540986CBEED7EFDE66072_39237902-BDDD-4D48-ACF1-33BD5B643836
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1E9DB8274AC4B1C3AC8A57038A072264_39237902-BDDD-4D48-ACF1-33BD5B643836
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2527044BDAD4D7668BF3FFDEC109996E_39237902-BDDD-4D48-ACF1-33BD5B643836
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\269F0B0814FCC377E8B7F540D035B499_39237902-BDDD-4D48-ACF1-33BD5B643836
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\434AAAA3EC29397F03AA5E8C04AA3D0E_39237902-BDDD-4D48-ACF1-33BD5B643836
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\44FD89B3E98B9E75B8EDF8BEE173D7A9_39237902-BDDD-4D48-ACF1-33BD5B643836
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\A2A14E2404E0B2181D46EE342F90E215_39237902-BDDD-4D48-ACF1-33BD5B643836
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C1359F1B1173E1E366BD09FE55F8B03D_39237902-BDDD-4D48-ACF1-33BD5B643836

Options
Scanning engines:

* F-Secure USS: 2.20.0
* F-Secure Hydra: 2.6.7470, 2008-03-06
* F-Secure AVP: 7.0.171, 2008-03-06
* F-Secure Pegasus: 1.20.0, 2008-02-03
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

#14 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:05:17 AM

Posted 07 March 2008 - 01:49 PM

Hello Raddue :thumbsup:

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\fsrep.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Posted Image

#15 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:05:17 AM

Posted 27 March 2008 - 01:35 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users