
Unknown Trojan


3 replies to this topic

#1 banzaibob (Members, 10 posts)

Posted 19 February 2008 - 05:27 PM

I have been trying to detect/clean this computer for two weeks.

PC is a laptop running XP Pro with current updates, and Kaspersky antivirus suite 6.03 corporate.
My first hint was some odd persistent connections showing in my boundary firewall for the office late one evening.
I thought all PCs would be off at that time. This one wasn't.
I traced the IP addresses to China:

222.185.245.525
124.238.253..88
218.0.108.106
202.105.21.217

I tried dropping the connections but they quickly re-established. So I set up a rule to block them.
While troubleshooting the laptop the next day, the user said his network monitor showed unusual steady high data rates.
Using TCPmonitor and Process Monitor we found that a task named Firefox was causing the traffic. The user uninstalled Firefox and deleted the folders. When I allowed them, the firewall showed the same IP connections to China.
We replaced the corporate Kaspersky with the most current demo version and it started blocking a process running in svchost that claims to be coming from the c:\~program\mozilla\Firefox folder. This folder does not exist.
Using the task ID I can kill 3 different svchost tasks and then the laptop will run overnight without tripping the Kaspersky live protection. These tasks run about once every five minutes when the network cable is connected. They are silent when there is no network connection.

When Kaspersky blocks the tasks, Ethereal logs also show that the program is using DNS to find:
NS1.3322.net
NS1.ORAY.NET
NS1.CHINA.COM
SHUA.2288.ORG
These sites trace back to the same IPs as above.

This traffic goes out when the network card is plugged into a hub that is not connected to anything.
I have not logged the traffic that might occur if the DNS lookups were answered.


Kaspersky 7.0 antivirus scan and anti-rootkit scans did not find anything.

Microsoft Rootkit Detector did not find anything either.

AVG antivirus installed on the hard drive and run from the Ultimate Boot Disk for Windows does not find anything.

Ad-Aware did not find anything.

Spybot Search & Destroy did not find anything when installed. When it was run from the Ultimate Boot Disk it found some tracking cookies and a registry key, which it deleted.

SUPERAntiSpyware running in safe mode found 2 more keys in the registry that it fixed as well.


Ran ClamAV, BitDefender, AVG and Avira from the Ultimate Boot CD; the scans found nothing.

Ran Trend Micro from the website and it found some things but crashed when it tried to fix them. I installed the demo version onto the hard drive and it said it fixed things:
about 100 adware_memwatch entries, a hosts file modification (Spybot was used to inoculate the hosts file before this ran; the web seems to indicate that this is the issue here),
2 spyware_trakwintective deleted registry keys with CSIDs.

After all this scanning, the computer is still attempting to connect to China.

Here is the current HijackThis log. Any thoughts on how to determine what this is?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:00 PM, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mellis\Desktop\HijackThis.exe
C:\Program Files\OfficeView Pro\ovproWS.exe
C:\WINDOWS\system32\userinit.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enCA/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: OfficeView Pro.lnk = C:\Program Files\OfficeView Pro\ovproWS.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thevectorgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = thevectorgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thevectorgroup.com
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LDNP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\mellis\LOCALS~1\Temp\LDNP.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WLANKEEPER - IntelŪ Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8127 bytes
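An added detection example, not from this thread or from any tool mentioned in it: it parses constructed DNS-query lines in the style of an Ethereal/tshark text export and flags a host that resolves the dynamic-DNS names listed in the post on the roughly five-minute cadence the post describes. The log format, the client address 192.168.1.57 and every log line are constructed for the example.

```python
"""Flag periodic DNS beaconing to names from a watchlist (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Names the post saw the implant resolving; matched by suffix, case-insensitive.
WATCHLIST = ("3322.net", "oray.net", "china.com", "2288.org")

# Constructed sample in a tshark/Ethereal-style text export; not a real capture.
SAMPLE_LOG = """\
2008-02-19 22:00:03 192.168.1.57 -> 192.168.1.1 DNS Standard query A ns1.3322.net
2008-02-19 22:00:03 192.168.1.57 -> 192.168.1.1 DNS Standard query A ns1.oray.net
2008-02-19 22:01:10 192.168.1.57 -> 192.168.1.1 DNS Standard query A www.dell.com
2008-02-19 22:05:04 192.168.1.57 -> 192.168.1.1 DNS Standard query A ns1.3322.net
2008-02-19 22:05:04 192.168.1.57 -> 192.168.1.1 DNS Standard query A ns1.oray.net
2008-02-19 22:10:02 192.168.1.57 -> 192.168.1.1 DNS Standard query A ns1.3322.net
2008-02-19 22:10:03 192.168.1.57 -> 192.168.1.1 DNS Standard query A ns1.oray.net
2008-02-19 22:12:40 192.168.1.57 -> 192.168.1.1 DNS Standard query A start.shaw.ca
2008-02-19 22:15:05 192.168.1.57 -> 192.168.1.1 DNS Standard query A ns1.3322.net
2008-02-19 22:15:05 192.168.1.57 -> 192.168.1.1 DNS Standard query A ns1.oray.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) -> \S+ "
    r"DNS Standard query \S+ (?P<qname>\S+)$"
)


def parse_dns_log(text):
    """Return (timestamp, source IP, lower-cased query name) per DNS query line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-DNS or malformed line
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        records.append((ts, m.group("src"), m.group("qname").lower().rstrip(".")))
    return records


def is_watchlisted(qname):
    """True if qname is a watchlisted domain or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in WATCHLIST)


def query_intervals(records):
    """Seconds between successive queries, keyed by (src, qname)."""
    times = defaultdict(list)
    for ts, src, qname in records:
        times[(src, qname)].append(ts)
    gaps = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps[key] = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
    return gaps


def find_beacons(records, period=300.0, tolerance=0.2, min_queries=3):
    """Map (src, qname) -> (query count, median gap) where one host re-queries
    one name at roughly `period` seconds (default: the five minutes in the post)."""
    hits = {}
    for key, gaps in query_intervals(records).items():
        if len(gaps) + 1 < min_queries:
            continue  # too few samples to call it periodic
        med = median(gaps)
        if abs(med - period) <= tolerance * period:
            hits[key] = (len(gaps) + 1, med)
    return hits


def triage(text):
    """Combine both signals: watchlisted names and a periodic cadence.
    Returns (periodic findings, watchlisted names seen without a cadence)."""
    records = parse_dns_log(text)
    beacons = find_beacons(records)
    findings = []
    for (src, qname), (count, med) in sorted(beacons.items()):
        tag = "WATCHLIST" if is_watchlisted(qname) else "periodic"
        findings.append((src, qname, count, med, tag))
    watch_only = sorted({(s, q) for _, s, q in records if is_watchlisted(q)} - set(beacons))
    return findings, watch_only


if __name__ == "__main__":
    hits, extra = triage(SAMPLE_LOG)
    for src, qname, count, med, tag in hits:
        print(f"{tag:9} {src} -> {qname}: {count} queries, median gap {med:.0f}s")
    for src, qname in extra:
        print(f"WATCHLIST {src} -> {qname}: seen, no regular cadence")
```

Both ns1.3322.net and ns1.oray.net come out tagged WATCHLIST with a median gap of about 300 s, while the one-off lookups for www.dell.com and start.shaw.ca are never reported.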

#2 banzaibob (Topic Starter)

Posted 19 February 2008 - 05:29 PM

Forgot to mention: I also ran several rootkit detectors with no results.

#3 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts)

Posted 19 February 2008 - 10:08 PM

Hello banzaibob,

Welcome to Bleeping Computer :thumbsup: Looks like you've given it a good going over. :wacko:

Let's see what might be lurking in the registry:

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :blink:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 banzaibob (Topic Starter)

Posted 20 February 2008 - 01:22 PM

Uninstalled Trend Micro antivirus and SUPERAntiSpyware (they were the only currently running apps) and rebooted.
Ran ComboFix and got this:
ComboFix 08-02-20.2 - MEllis 2008-02-20 11:04:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.209 [GMT -7:00]
Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 10:18 . 2008-02-19 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-02-19 10:17 . 2008-02-19 10:17 <DIR> d-------- C:\TAV1600_1412
2008-02-17 10:45 . 2008-02-17 11:45 <DIR> d-------- C:\Documents and Settings\mellis\.housecall6.6
2008-02-14 13:35 . 2008-02-19 10:19 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-02-14 13:27 . 2008-02-19 10:19 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-02-12 11:34 . 2008-02-12 11:34 <DIR> d-------- C:\quarintine
2008-02-12 11:30 . 2008-02-12 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.clamwin
2008-02-12 09:47 . 2008-02-17 17:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 09:47 . 2008-02-17 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 08:22 . 2008-02-17 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 14:52 . 2008-02-20 10:55 <DIR> d-------- C:\Documents and Settings\mellis\Application Data\SUPERAntiSpyware.com
2008-02-07 13:44 . 2008-02-07 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-07 09:06 . 2008-02-07 09:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-05 16:45 . 2008-02-05 16:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-02-05 13:31 . 2008-02-20 10:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-05 13:31 . 2008-02-05 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 13:31 . 2008-02-05 13:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-04 08:41 . 2008-02-04 08:44 73,284 --a------ C:\WINDOWS\system32\drivers\FILEM70.SYS
2008-01-31 09:54 . 2008-01-31 09:54 <DIR> d-------- C:\quarantine
2008-01-24 12:49 . 2008-01-24 12:49 <DIR> d-------- C:\Documents and Settings\mellis\Application Data\Ahead
2008-01-21 11:36 . 2008-01-21 11:36 <DIR> d-------- C:\Documents and Settings\mellis\Application Data\Ethereal
2008-01-21 10:45 . 2008-01-21 10:45 <DIR> d-------- C:\Documents and Settings\mellis\Application Data\Lavasoft
2008-01-21 07:09 . 2008-01-21 07:09 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 00:30 --------- d-----w C:\Program Files\Lavasoft
2008-02-12 18:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\.clamwin
2008-02-11 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-30 17:24 --------- d-----w C:\Program Files\AutoCAD 2007
2008-01-30 14:18 --------- d-----w C:\Program Files\Kaspersky Lab
2008-01-23 20:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-21 17:26 --------- d-----w C:\Program Files\Common Files\Real
2008-01-18 13:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 13:53 --------- d-----w C:\Program Files\TOSHIBA
2008-01-14 13:57 --------- d-----w C:\Program Files\Google
2008-01-07 15:27 --------- d-----w C:\Documents and Settings\mellis\Application Data\Accubid
2007-12-24 14:57 --------- d-----w C:\Program Files\OfficeView Pro
2004-10-01 21:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 16:26 217088]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 07:25 1397760]
"ToolBoxFX"="C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 07:12 45056]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 04:00 143360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
OfficeView Pro.lnk - C:\Program Files\OfficeView Pro\ovproWS.exe [2003-01-22 19:24:36 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1439715068-2116947193-4139952577-1180\Scripts\Logon\0\0]
"Script"=Cal_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1439715068-2116947193-4139952577-1181\Scripts\Logon\0\0]
"Script"=Cal_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1439715068-2116947193-4139952577-1461\Scripts\Logon\0\0]
"Script"=Cal_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1439715068-2116947193-4139952577-1545\Scripts\Logon\0\0]
"Script"=Cal_login.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^mellis^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\mellis\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2006-02-10 20:40 2048000 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SEReg]
C:\SMS-3000\Bin\Reg\SEReg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Sysnet Unit"=3 (0x3)
"SysmacLink Unit"=3 (0x3)
"SysmacBoard Unit"=3 (0x3)
"SolidWorks Licensing Service"=3 (0x3)
"RsvcHost"=2 (0x2)
"RSLinx"=3 (0x3)
"RNADirMultiplexor"=3 (0x3)
"RNADirectory"=2 (0x2)
"RNADiagReceiver"=3 (0x3)
"RNADiagnosticsService"=2 (0x2)
"ose"=3 (0x3)
"OpcEnum"=3 (0x3)
"IDriverT"=3 (0x3)
"EventServer"=3 (0x3)
"EventClientMultiplexer"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Harmony"=3 (0x3)
"dnWhoDisp"=3 (0x3)
"CPU_UNIT"=3 (0x3)
"CLK_UNIT0"=3 (0x3)

R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2006-09-19 20:36]
R2 DUNTLW;SA UNITELWAY Protocol;C:\WINDOWS\system32\drivers\duntlw.sys [1999-03-11 14:29]
R2 TPPORT;TPPORT;C:\WINDOWS\system32\drivers\TPPORT.sys [2003-09-17 13:05]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 07:26]
S1 abpicw2k;AB PIC/AIC+ Driver;C:\WINDOWS\system32\DRIVERS\abpicw2k.sys [2004-09-29 09:20]
S1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys []
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [2000-04-04 12:27]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys [2004-06-03 03:08]
S3 AlcrFilt;Alcor Micro Corp;C:\WINDOWS\System32\Drivers\AlcrFilt.sys [2003-04-28 16:20]
S3 Controller Link;Controller Link;C:\WINDOWS\system32\Drivers\ntclk.sys [1999-07-16 15:31]
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2005-09-20 09:22]
S3 LDNP;LDNP;C:\DOCUME~1\mellis\LOCALS~1\Temp\LDNP.exe [2008-01-17 16:00]
S3 PcmkWdm;%PcmkWdm.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys [2000-06-21 11:50]
S4 CLK_UNIT0;CLK_UNIT0;C:\Program Files\OMRON\FinsServerNT\bin\clkunit.exe [1999-05-26 19:46]
S4 CPU_UNIT;CPU_UNIT;C:\Program Files\OMRON\FinsServerNT\bin\CpuUnit.exe [1998-06-27 21:33]
S4 EventServer;Rockwell Event Server;"C:\Program Files\Common Files\Rockwell\EventServer.exe" [2005-06-23 16:29]
S4 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS [2004-01-12 11:07]
S4 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS [2004-01-12 11:07]
S4 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS [2004-01-12 11:07]
S4 SysmacBoard Unit;SysmacBoard Unit;C:\Program Files\OMRON\FinsServerNT\bin\SmapUnit.exe [1999-10-19 16:15]
S4 SysmacBoard;SysmacBoard;C:\WINDOWS\system32\Drivers\SmapNT.sys [1999-10-19 16:15]
S4 SysmacLink Unit;SysmacLink Unit;C:\Program Files\OMRON\FinsServerNT\bin\slkcons.exe [1998-06-29 22:39]
S4 SysmacLink;SysmacLink;C:\WINDOWS\system32\Drivers\ntslk.sys [1997-03-29 16:54]
S4 Sysnet Unit;Sysnet Unit;C:\Program Files\OMRON\FinsServerNT\bin\sntunit.exe [1999-05-20 14:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\Auto\command - winlogon.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winlogon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{131b4348-8e57-11dc-a432-0012f01c58b8}]
\Shell\Auto\command - E:\winlogon.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winlogon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9f32778-8349-11db-a2d7-0012f01c58b8}]
\Shell\Auto\command - E:\winlogon.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winlogon.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 11:06:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-20 11:07:29
ComboFix-quarantined-files.txt 2008-02-20 18:07:02
.
2008-01-10 19:20:25 --- E O F ---


Then I ran HijackThis without a reboot:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\mellis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enCA/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: OfficeView Pro.lnk = C:\Program Files\OfficeView Pro\ovproWS.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thevectorgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = thevectorgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thevectorgroup.com
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LDNP - Unknown owner - C:\DOCUME~1\mellis\LOCALS~1\Temp\LDNP.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - IntelŪ Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7197 bytes



