Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo (virtumonde) Infection


  • This topic is locked This topic is locked
14 replies to this topic

#1 Amour

Amour

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 08 February 2008 - 09:29 AM

Hello. I'm running Windows XP. And I've done many super-slow scans of my computer, but none worked.

I have a Vundo (VirtuMundo) infection. Symptoms I have (but not always) are:
* Two undeletable icons on the desktop (Help and Support Center, Windows Update)
* Thousands of files with name from pos000.tmp to posFFF.tmp in C:\ or 'My Documents'
* popup messages about system unstable, instruction errors, dll missing, ...
* popup windows for advertising (storageprotector.com)
* A 99% usage, unkillable process (displayed name 'windows')

For the past two days, I spent my time crying and trying solutions (among others) in the following order, with failure for them all:

*Kaspersky Online Scanner
-finds Win32.Agent
-finds Win32.Pakes
*AVG Free Edition
-finds Trojan horse Generic9.AQNO
-finds Trojan horse Generic9.APXO
*SUPERAntiSpyware
-finds Vundo-Variant (PolyMorph-A, Resident, Small-A, ...)
-finds WinFixer
*VundoFix (by Atribune)
-finds something
*FixVundo (by Symantec)
-finds something
*VirtumundoBeGone in Safe Mode
-no effect apparently...
*Ad-Aware
-finds Win32.TrojanDownloader.Zlob
*Spybots S&D
-on first run, died around 40000/109940
-on second run, popup says it killed Win32.Inject.bw
-finds DirectTrack (cookie)
-finds Win32.Pakes.bqn (registry)
-finds Virtumonde
-finds Virtumonde.Dll
-finds Virtumonde.generic
-on cleaning, popups say important changes were detected, for example: entry=SpybotDeletingB5328, new data=command /c del "C:\Windows\system32\fccde.dll_old"
-after reboot, it did a third run:
-finds Virtumonde
-finds Virtumonde.Dll
-finds Virtumonde.generic
-after closing, popups say important changes were detected -> refused -> more and more popups of denied changes
*Stinger v3.8.0 (by McAfee)
-nothing detected, hours lost for nothing.

So now I finally run HijackThis, and I really hope one will find a solution. I can re-try one software if more details are required. I just hope it won't kill me if in the end the scan is too long.

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09:48, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [vlcrhenebk] c:\windows\system32\vlcrhenebk.exe vlcrhenebk
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK PCI&Cardbus Wireless LAN Utility.lnk = C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://fichiers.touslesdrivers.com/fichier...on_2_0_4_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8097F90-75A0-4B03-B462-DEB61417E093}: NameServer = 212.27.53.252,212.27.54.252
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFCFA5C4-4EA4-454C-A256-DC7EA9BEDE5A}: NameServer = 212.27.53.252,212.27.54.252
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

BC AdBot (Login to Remove)

 


#2 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:09:15 PM

Posted 08 February 2008 - 10:38 PM

Amour,

Welcome to the Bleeping Computer Forum, it looks like you are infected with the SDbot worm along with some Vundo, lets do this to start.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#3 Amour

Amour
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 10 February 2008 - 06:21 AM

Thank you ken545 for helping me.

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:


C:\WINDOWS\system32
:{4B9A1497-0817-47C4-9612-D5A1C53ACF57} 12
Total size: 12 bytes.
system32: deleted 12 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.


Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 12:01:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2a,b1,62,70,01,e8,2a,fb,0b,0f,da,a5,00,ca,f6,be,ef,af,9e,25,91,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,72,d9,ff,82,cb,c9,0a,90,c6,24,0e,9d,72,fd,d3,d1,c4,..
"khjeh"=hex:19,5c,3b,3d,26,52,d5,d9,38,77,61,44,e0,dc,ff,78,c8,d0,68,cd,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:93,d7,0b,09,54,12,0b,b1,92,8b,cb,55,e0,f2,a4,09,31,d1,33,12,32,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2a,b1,62,70,01,e8,2a,fb,0b,0f,da,a5,00,ca,f6,be,ef,af,9e,25,91,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,72,d9,ff,82,cb,c9,0a,90,c6,24,0e,9d,72,fd,d3,d1,c4,..
"khjeh"=hex:19,5c,3b,3d,26,52,d5,d9,38,77,61,44,e0,dc,ff,78,c8,d0,68,cd,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:93,d7,0b,09,54,12,0b,b1,92,8b,cb,55,e0,f2,a4,09,31,d1,33,12,32,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000071
"TracesSuccessful"=dword:00000001

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Documents and Settings\\Administrateur\\Bureau\\Antoine\\eMule0.48a\\emule.exe"="C:\\Documents and Settings\\Administrateur\\Bureau\\Antoine\\eMule0.48a\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\X-Chat 2\\xchat.exe"="C:\\Program Files\\X-Chat 2\\xchat.exe:*:Enabled:X-Chat IRC Client"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Fri 8 Feb 2008 20,670 ..SH. --- "C:\WINDOWS\system32\euhndzoi.dllbox"
Sun 10 Feb 2008 24,962 ..SH. --- "C:\WINDOWS\system32\xtykoyyp.dllbox"
Fri 8 Feb 2008 21,388 ..SH. --- "C:\WINDOWS\system32\yljcozcs.dllbox"
Tue 10 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 27 Jun 2006 957,744 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e9811b94cd5b9de9045a0c889a8024ee\BIT2.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:32, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Lectra\Modaservice\modaserv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [vlcrhenebk] c:\windows\system32\vlcrhenebk.exe vlcrhenebk
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK PCI&Cardbus Wireless LAN Utility.lnk = C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://fichiers.touslesdrivers.com/fichier...on_2_0_4_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8097F90-75A0-4B03-B462-DEB61417E093}: NameServer = 212.27.53.252,212.27.54.252
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFCFA5C4-4EA4-454C-A256-DC7EA9BEDE5A}: NameServer = 212.27.53.252,212.27.54.252
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe



#4 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:09:15 PM

Posted 10 February 2008 - 08:48 AM

Amour,

The SDbot worm is still present and should have been removed by the tool, it wont work if you don't run it in Safemode


Normal Mode:
Checking Files:

No Trojan Files Found


Boot to Safemode and run the tool again.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode



Just paste your logs and reports into the thread, no need to quote it.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#5 Amour

Amour
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 10 February 2008 - 09:28 AM

I did run it in SafeMode. Maybe there is no SDbot. Or SDFix cannot fix it.

After that, I've been reading the bleepingcomputer board, and I took example on another thread to clean my computer.
I tried ComboFix, and now I think it's clean of Vundo.

This is my latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:15:07, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK PCI&Cardbus Wireless LAN Utility.lnk = C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://fichiers.touslesdrivers.com/fichier...on_2_0_4_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8097F90-75A0-4B03-B462-DEB61417E093}: NameServer = 212.27.53.252,212.27.54.252
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFCFA5C4-4EA4-454C-A256-DC7EA9BEDE5A}: NameServer = 212.27.53.252,212.27.54.252
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

I don't see any problem left on the computer. Do you?

Edited by Amour, 10 February 2008 - 09:29 AM.


#6 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:09:15 PM

Posted 10 February 2008 - 11:43 AM

Amour,

I don't see any problem left on the computer. Do you? <--Quite the opposite

While I can appreciate the frustration with being infected, jumping ahead of me to run tools is not helping me help you. Besides the SDBot worm, you did have a marker in your log for Vundo, just because you ran Combofix does not mean its gone. In relation to Vundo, the entry in your log is gone but there may be more. I need to see the Combofix log .

In relation to the SDBot worm, your still infected
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe <-- this is the SDbot worm. Removing this entry with HJT will not rid your system of this worm

Do this
Post the Combofix log for me to see,


Drag SDFix to the trash and download the latest version as that entry has been added to the database.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



Please read my instructions and not QUOTE your logs and reports

Edited by ken545, 10 February 2008 - 12:11 PM.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#7 Amour

Amour
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 10 February 2008 - 02:36 PM

ComboFix log: don't have it anymore. I deleted and cleaned my computer as much as possible.

SDFix:


Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 20:03:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2a,b1,62,70,01,e8,2a,fb,0b,0f,da,a5,00,ca,f6,be,ef,af,9e,25,91,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,72,d9,ff,82,cb,c9,0a,90,c6,24,0e,9d,72,fd,d3,d1,c4,..
"khjeh"=hex:19,5c,3b,3d,26,52,d5,d9,38,77,61,44,e0,dc,ff,78,c8,d0,68,cd,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:93,d7,0b,09,54,12,0b,b1,92,8b,cb,55,e0,f2,a4,09,31,d1,33,12,32,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2a,b1,62,70,01,e8,2a,fb,0b,0f,da,a5,00,ca,f6,be,ef,af,9e,25,91,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,72,d9,ff,82,cb,c9,0a,90,c6,24,0e,9d,72,fd,d3,d1,c4,..
"khjeh"=hex:19,5c,3b,3d,26,52,d5,d9,38,77,61,44,e0,dc,ff,78,c8,d0,68,cd,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:93,d7,0b,09,54,12,0b,b1,92,8b,cb,55,e0,f2,a4,09,31,d1,33,12,32,..

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Tue 10 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 27 Jun 2006 957,744 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e9811b94cd5b9de9045a0c889a8024ee\BIT2.tmp"

Finished!


HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:59, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK PCI&Cardbus Wireless LAN Utility.lnk = C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://fichiers.touslesdrivers.com/fichier...on_2_0_4_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8097F90-75A0-4B03-B462-DEB61417E093}: NameServer = 212.27.53.252,212.27.54.252
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFCFA5C4-4EA4-454C-A256-DC7EA9BEDE5A}: NameServer = 212.27.53.252,212.27.54.252
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

--
End of file - 5602 bytes

#8 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:09:15 PM

Posted 10 February 2008 - 05:53 PM

Amour,

Dont know why that entry wont go away, I am looking into it. In the meantime, lets start a over a bit.


Please download SuperAntiSpyware Free
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <----IMPORTANT
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.







Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again afterwards before connecting to the net

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.


Thanks for not posting with the quote box :thumbsup: Post the SAS log, the Combofix log and a new HJT log please

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#9 Amour

Amour
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 12 February 2008 - 02:09 PM

I did the SuperAntiSpyware scan on sunday evening. Note the address of the one and only tracking cookie found...
I was busy for two days (been on internet, using programs).
I did the ComboFix & HijackThis scans this tuesday evening.
As a reminder, we are now investing a possible SDBot infection.

SAS
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/11/2008 at 03:56 AM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 00:35:01

Memory items scanned : 348
Memory threats detected : 0
Registry items scanned : 4600
Registry threats detected : 0
File items scanned : 28144
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Administrateur\Cookies\administrateur@ads.bleepingcomputer[2].txt

ComboFix
ComboFix 08-02.05.3 - Administrateur 2008-02-12 19:53:33.3 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.271 [GMT 1:00]
Endroit: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-01-12 to 2008-02-12 ))))))))))))))))))))))))))))))))))))
.

2008-02-11 03:18 . 2008-02-11 03:18 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-10 19:43 . 2008-02-10 20:06 <REP> d-------- C:\SDFix
2008-02-10 13:04 . 2008-02-11 03:21 <REP> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-10 13:04 . 2008-02-11 03:18 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\SUPERAntiSpyware.com
2008-02-10 12:34 . 2008-02-10 12:41 354 ---hs---- C:\WINDOWS\system32\aagmplkb.ini
2008-02-10 11:45 . 2008-02-10 11:45 <REP> d-------- C:\WINDOWS\ERUNT
2008-02-08 15:03 . 2008-02-08 15:03 <REP> d-------- C:\Program Files\Trend Micro
2008-02-08 12:54 . 2008-02-08 13:31 259 --a------ C:\WINDOWS\wininit.ini
2008-02-08 11:32 . 2008-02-08 11:32 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-08 08:45 . 2008-02-08 08:45 38,400 --a------ C:\WINDOWS\system32\wvutuvw.dll.vir
2008-02-08 04:14 . 2008-02-08 04:14 <REP> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-07 20:31 . 2008-02-07 20:49 306 --a------ C:\WINDOWS\system32\SBFC.dat
2008-02-07 20:31 . 2008-02-07 20:31 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-02-07 20:13 . 2008-02-07 20:13 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-02-07 20:13 . 2008-02-07 20:13 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Sunbelt Software
2008-02-07 16:18 . 2008-02-07 20:53 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-07 16:18 . 2008-02-07 16:18 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-01-31 21:17 . 2008-01-31 21:17 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Lectra
2008-01-31 21:16 . 2003-12-19 14:02 806,589 -ra------ C:\WINDOWS\PVPICDIR.DLL
2008-01-31 21:16 . 2003-12-19 14:02 584,704 -ra------ C:\WINDOWS\PVFS.dll
2008-01-31 21:16 . 2003-12-19 14:02 284,672 -ra------ C:\WINDOWS\ACCUISR5.DLL
2008-01-31 21:16 . 2003-12-19 14:04 121,856 -ra------ C:\WINDOWS\system32\cjpeg.exe
2008-01-31 21:16 . 2003-12-19 14:04 38,400 -ra------ C:\WINDOWS\system32\BarVisD.dll
2008-01-31 21:16 . 2003-12-19 14:02 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL
2008-01-31 21:15 . 2008-01-31 21:16 <REP> d-------- C:\Program Files\Lectra
2008-01-31 21:15 . 2008-01-31 21:15 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lectra
2008-01-31 21:13 . 2008-01-31 21:16 <REP> d-------- C:\Program Files\Fichiers communs\Lectra
2008-01-20 00:20 . 2003-09-18 20:30 304,640 --a------ C:\WINDOWS\system32\hlvdd.dll
2008-01-20 00:20 . 2003-09-18 20:30 47,616 --a------ C:\WINDOWS\system32\drivershaspnt.sys
2008-01-20 00:12 . 2003-09-12 21:02 665,600 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2008-01-20 00:12 . 2002-01-10 03:01 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-01-20 00:12 . 2008-01-20 00:12 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2008-01-20 00:12 . 2008-01-20 00:12 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2008-01-20 00:12 . 2008-01-20 00:30 3,181 --a------ C:\WINDOWS\system32\config.hsp
2008-01-20 00:12 . 2008-01-20 00:12 383 --a------ C:\WINDOWS\system32\haspdos.sys
2008-01-20 00:11 . 2008-01-30 19:26 <REP> d-------- C:\Program Files\OptiTex 9
2008-01-20 00:11 . 2008-01-30 19:26 6,283 --a------ C:\WINDOWS\Optikad.ini
2008-01-20 00:07 . 2008-01-20 00:07 <REP> d-------- C:\Program Files\DAEMON Tools
2008-01-20 00:01 . 2008-01-20 00:01 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 11:10 --------- d-----w C:\Program Files\Bonjour
2008-02-08 13:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-08 08:10 --------- d-----w C:\Program Files\Fichiers communs\Adobe
2008-02-07 13:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-31 20:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 23:00 --------- d-----w C:\Program Files\DS-Monkey Audio Source
2008-01-05 22:52 --------- d-----w C:\Program Files\ffdshow
2007-12-17 08:16 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\uTorrent
2006-08-23 13:28 24,112 ----a-w C:\Documents and Settings\Administrateur\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:09 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 23:29 165784]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 21:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 17:02 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:09 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinPrint.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2006-11-15 16:23]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 11:50]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\rtl8180.sys [2003-10-01 03:54]
S3 PCANDIS5_RETWIFI;PCANDIS5_RETWIFI Protocol Driver;C:\PROGRA~1\EEYEDI~1\RETINA~1\PCANDIS5_RETWIFI.SYS []
S3 PCANDIS5_WIFISCAN.SYS;PCANDIS5_WIFISCAN.SYS;C:\Program Files\eEye Digital Security\Retina Wireless Scanner\PCANDIS5_WIFISCAN.SYS []
S4 Modaservice;Modaservice;C:\Program Files\Lectra\Modaservice\modaserv.exe [1999-07-05 15:49]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 19:57:58
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-12 20:00:10 - machine was rebooted
.
2008-02-02 17:57:50 --- E O F ---

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:03:47, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK PCI&Cardbus Wireless LAN Utility.lnk = C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://fichiers.touslesdrivers.com/fichier...on_2_0_4_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8097F90-75A0-4B03-B462-DEB61417E093}: NameServer = 212.27.53.252,212.27.54.252
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFCFA5C4-4EA4-454C-A256-DC7EA9BEDE5A}: NameServer = 212.27.53.252,212.27.54.252
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

--
End of file - 5770 bytes

Edited by Amour, 12 February 2008 - 02:11 PM.


#10 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:09:15 PM

Posted 12 February 2008 - 06:25 PM

Hi,

Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

File::
C:\WINDOWS\system32\aagmplkb.ini
C:\WINDOWS\system32\wvutuvw.dll.vir
C:\WINDOWS\system32\WinPrint.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= -

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



Try running SDfix again after you run Combofix

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#11 Amour

Amour
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 13 February 2008 - 02:07 AM

What I've done this morning:
* CFScript -> ComboFix
* SDFix
* HiJackThis
* ComboFix /u
* Completing the Windows Update pending

Here are the logs:

ComboFix
ComboFix 08-02.05.3 - Administrateur 2008-02-13 7:43:24.4 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.235 [GMT 1:00]
Endroit: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrateur\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

FILE
C:\WINDOWS\system32\aagmplkb.ini
C:\WINDOWS\system32\WinPrint.exe
C:\WINDOWS\system32\wvutuvw.dll.vir
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aagmplkb.ini
C:\WINDOWS\system32\wvutuvw.dll.vir

.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-01-13 to 2008-02-13 ))))))))))))))))))))))))))))))))))))
.

2008-02-13 06:57 . 2008-02-13 06:57 <REP> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-11 03:18 . 2008-02-11 03:18 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-10 19:43 . 2008-02-10 20:06 <REP> d-------- C:\SDFix
2008-02-10 13:04 . 2008-02-12 20:04 <REP> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-10 13:04 . 2008-02-11 03:18 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\SUPERAntiSpyware.com
2008-02-10 11:45 . 2008-02-10 11:45 <REP> d-------- C:\WINDOWS\ERUNT
2008-02-08 15:03 . 2008-02-08 15:03 <REP> d-------- C:\Program Files\Trend Micro
2008-02-08 12:54 . 2008-02-08 13:31 259 --a------ C:\WINDOWS\wininit.ini
2008-02-08 11:32 . 2008-02-08 11:32 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-08 04:14 . 2008-02-08 04:14 <REP> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-07 20:31 . 2008-02-07 20:49 306 --a------ C:\WINDOWS\system32\SBFC.dat
2008-02-07 20:31 . 2008-02-07 20:31 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-02-07 20:13 . 2008-02-07 20:13 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-02-07 20:13 . 2008-02-07 20:13 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Sunbelt Software
2008-02-07 16:18 . 2008-02-07 20:53 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-07 16:18 . 2008-02-07 16:18 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-01-31 21:17 . 2008-01-31 21:17 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Lectra
2008-01-31 21:16 . 2003-12-19 14:02 806,589 -ra------ C:\WINDOWS\PVPICDIR.DLL
2008-01-31 21:16 . 2003-12-19 14:02 584,704 -ra------ C:\WINDOWS\PVFS.dll
2008-01-31 21:16 . 2003-12-19 14:02 284,672 -ra------ C:\WINDOWS\ACCUISR5.DLL
2008-01-31 21:16 . 2003-12-19 14:04 121,856 -ra------ C:\WINDOWS\system32\cjpeg.exe
2008-01-31 21:16 . 2003-12-19 14:04 38,400 -ra------ C:\WINDOWS\system32\BarVisD.dll
2008-01-31 21:16 . 2003-12-19 14:02 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL
2008-01-31 21:15 . 2008-01-31 21:16 <REP> d-------- C:\Program Files\Lectra
2008-01-31 21:15 . 2008-01-31 21:15 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lectra
2008-01-31 21:13 . 2008-01-31 21:16 <REP> d-------- C:\Program Files\Fichiers communs\Lectra
2008-01-20 00:20 . 2003-09-18 20:30 304,640 --a------ C:\WINDOWS\system32\hlvdd.dll
2008-01-20 00:20 . 2003-09-18 20:30 47,616 --a------ C:\WINDOWS\system32\drivershaspnt.sys
2008-01-20 00:12 . 2003-09-12 21:02 665,600 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2008-01-20 00:12 . 2002-01-10 03:01 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-01-20 00:12 . 2008-01-20 00:12 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2008-01-20 00:12 . 2008-01-20 00:12 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2008-01-20 00:12 . 2008-01-20 00:30 3,181 --a------ C:\WINDOWS\system32\config.hsp
2008-01-20 00:12 . 2008-01-20 00:12 383 --a------ C:\WINDOWS\system32\haspdos.sys
2008-01-20 00:11 . 2008-01-30 19:26 <REP> d-------- C:\Program Files\OptiTex 9
2008-01-20 00:11 . 2008-01-30 19:26 6,283 --a------ C:\WINDOWS\Optikad.ini
2008-01-20 00:07 . 2008-01-20 00:07 <REP> d-------- C:\Program Files\DAEMON Tools
2008-01-20 00:01 . 2008-01-20 00:01 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 11:10 --------- d-----w C:\Program Files\Bonjour
2008-02-08 13:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-08 08:10 --------- d-----w C:\Program Files\Fichiers communs\Adobe
2008-02-07 21:17 40,448 ----a-w C:\WINDOWS\system32\NTSpool.exe
2008-02-07 13:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-31 20:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 23:00 --------- d-----w C:\Program Files\DS-Monkey Audio Source
2008-01-05 22:52 --------- d-----w C:\Program Files\ffdshow
2007-12-17 08:16 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\uTorrent
2007-12-03 15:34 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-11-29 11:52 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll
2006-08-23 13:28 24,112 ----a-w C:\Documents and Settings\Administrateur\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:09 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 23:29 165784]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 21:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 17:02 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:09 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2006-11-15 16:23]
R3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\rtl8180.sys [2003-10-01 03:54]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 11:50]
S3 PCANDIS5_RETWIFI;PCANDIS5_RETWIFI Protocol Driver;C:\PROGRA~1\EEYEDI~1\RETINA~1\PCANDIS5_RETWIFI.SYS []
S3 PCANDIS5_WIFISCAN.SYS;PCANDIS5_WIFISCAN.SYS;C:\Program Files\eEye Digital Security\Retina Wireless Scanner\PCANDIS5_WIFISCAN.SYS []
S4 Modaservice;Modaservice;C:\Program Files\Lectra\Modaservice\modaserv.exe [1999-07-05 15:49]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 07:47:29
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-13 7:49:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 06:49:23
ComboFix2.txt 2008-02-12 19:00:11
.
2008-02-02 17:57:50 --- E O F ---

SDFix

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 07:57:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2a,b1,62,70,01,e8,2a,fb,0b,0f,da,a5,00,ca,f6,be,ef,af,9e,25,91,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,72,d9,ff,82,cb,c9,0a,90,c6,24,0e,9d,72,fd,d3,d1,c4,..
"khjeh"=hex:19,5c,3b,3d,26,52,d5,d9,38,77,61,44,e0,dc,ff,78,c8,d0,68,cd,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:93,d7,0b,09,54,12,0b,b1,92,8b,cb,55,e0,f2,a4,09,31,d1,33,12,32,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2a,b1,62,70,01,e8,2a,fb,0b,0f,da,a5,00,ca,f6,be,ef,af,9e,25,91,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,72,d9,ff,82,cb,c9,0a,90,c6,24,0e,9d,72,fd,d3,d1,c4,..
"khjeh"=hex:19,5c,3b,3d,26,52,d5,d9,38,77,61,44,e0,dc,ff,78,c8,d0,68,cd,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:93,d7,0b,09,54,12,0b,b1,92,8b,cb,55,e0,f2,a4,09,31,d1,33,12,32,..

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Tue 10 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 27 Jun 2006 957,744 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e9811b94cd5b9de9045a0c889a8024ee\BIT2.tmp"

Finished!

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:01:36, on 13/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK PCI&Cardbus Wireless LAN Utility.lnk = C:\Program Files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility\RtWLan.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://fichiers.touslesdrivers.com/fichier...on_2_0_4_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8097F90-75A0-4B03-B462-DEB61417E093}: NameServer = 212.27.53.252,212.27.54.252
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFCFA5C4-4EA4-454C-A256-DC7EA9BEDE5A}: NameServer = 212.27.53.252,212.27.54.252
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

--
End of file - 5615 bytes

#12 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:09:15 PM

Posted 13 February 2008 - 04:52 AM

Hello,

Your log looks fine :thumbsup:
  • Your Java is out of date and leaving your system vulnerable.
  • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
  • It should have an icon next to it:
    Posted Image
    Select it and click Remove.
  • Reboot your system.
  • Then go to the Sun Microsystems and install the update
  • Java Runtime Environment (JRE) 6 Update 4 <--This is what you need to download and install.
  • If you chose the online installation, it will prompt you to run the program.
  • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
  • Then after install you can verify your installation here Sun Java Verify
I like to to do the offline installation and save the setup file in case I may need it in the future



How are things running now??

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#13 Amour

Amour
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 14 February 2008 - 05:37 PM

Perfect. Thanks a lot ken545. If you have a Paypal account, let me know and I'll give you a little something for the trouble.

#14 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:09:15 PM

Posted 15 February 2008 - 12:08 PM

Thanks Amour but this is a free service and the reason we do it is because we really despise the low life that write this garbage and enjoy helping nice people like yourself. If you still feel generous, you can donate to a local charity of your choice.

Stay Well,

Ken :thumbsup:

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#15 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:09:15 PM

Posted 25 February 2008 - 02:40 PM

Topic has been resolved

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users