
Infected By Vundo Trojan


This topic is locked
9 replies to this topic

#1 Enrique Troncoso

  • Members
  • 7 posts

Posted 20 February 2008 - 04:17 PM

Please see my attached HijackThis log and help me remove this trojan that is taking over my PC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:36 PM, on 20/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=80744
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exe
O4 - HKLM\..\Run: [f87613ca] rundll32.exe "C:\WINDOWS\system32\rjrvliau.dll",b
O4 - HKLM\..\RunServices: [Microsoft] schost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6945 bytes



Thanks


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 February 2008 - 07:17 PM

Hello Enrique Troncoso,

Welcome to Bleeping Computer!

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Enrique Troncoso
  • Topic Starter

  • Members
  • 7 posts

Posted 20 February 2008 - 11:59 PM

Here are both logs, separated by a long line.

ComboFix 08-02-21 - Enrique R. Troncoso 2008-02-20 23:47:42.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1465 [GMT -5:00]
Running from: C:\Documents and Settings\Enrique R. Troncoso\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Router
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\system32\aguqdgui.ini
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\jmjqlgbv.dll
C:\WINDOWS\system32\rjrvliau.dll
C:\WINDOWS\system32\uailvrjr.ini
C:\WINDOWS\system32\uoyeuspv.ini
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini2
C:\WINDOWS\system32\ycgcruau.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 23:29 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-02-20 23:29 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-02-20 23:23 . 2008-02-20 23:23 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-02-20 23:23 . 2008-02-20 23:23 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-02-20 23:23 . 2008-02-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-02-20 23:19 . 2008-02-20 23:19 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-20 23:16 . 2008-02-20 23:16 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-20 22:09 . 2008-02-20 22:09 <DIR> d-------- C:\Program Files\Creative
2008-02-20 15:42 . 2008-02-20 15:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-20 14:38 . 2008-02-20 14:38 <DIR> d-------- C:\VundoFix Backups
2008-02-19 23:34 . 2008-02-19 23:34 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-19 23:18 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-19 23:18 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-19 23:18 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-19 23:13 . 2008-02-19 23:13 <DIR> d-------- C:\Documents and Settings\Enrique R. Troncoso\Application Data\Talkback
2008-02-19 23:12 . 2008-02-19 23:12 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-19 18:52 . 2008-02-19 18:52 4,096 --ah----- C:\._FORMULATOR Lorama TA-9 P 1U .Lic
2008-02-19 12:24 . 2008-02-19 12:24 <DIR> d-------- C:\Program Files\Lexmark_HostCD
2008-02-19 12:24 . 2004-01-12 01:32 307,200 --a------ C:\WINDOWS\system32\lexlog.dll
2008-02-19 12:24 . 2008-02-19 12:24 1,699 --a------ C:\WINDOWS\system32\LexFiles.ulf
2008-02-19 12:24 . 2008-02-19 12:24 1,050 --a------ C:\WINDOWS\system32\LexFiles.usr
2008-02-19 12:24 . 2008-02-19 12:24 507 --a------ C:\WINDOWS\LMAAQ2DD.ini
2008-02-19 12:20 . 2008-02-19 12:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-19 12:09 . 2000-08-10 11:02 91,912 --a------ C:\WINDOWS\system32\Csmsg32.ocx
2008-02-19 12:07 . 2008-02-19 12:07 <DIR> d-------- C:\Documents and Settings\ENRIQU~1~TRO\LOCALS~1
2008-02-19 12:06 . 1999-05-07 00:00 244,232 --a------ C:\WINDOWS\system32\MSFLXGRD.OCX
2008-02-19 12:06 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\Msinet.ocx
2008-02-19 12:05 . 1999-04-20 16:12 562,280 --a------ C:\WINDOWS\system32\Cfx4032.ocx
2008-02-19 12:05 . 1999-01-29 14:44 317,952 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2008-02-19 12:05 . 1995-10-25 15:59 133,904 --a------ C:\WINDOWS\system32\mfcans32.dll
2008-02-19 12:05 . 1999-08-03 18:50 119,296 --a------ C:\WINDOWS\system32\SfxBar.dll
2008-02-19 12:05 . 1995-10-25 15:59 109,056 --a------ C:\WINDOWS\system32\mfcuiw32.dll
2008-02-19 12:05 . 1995-10-25 15:59 108,032 --a------ C:\WINDOWS\system32\mfcuia32.dll
2008-02-19 12:04 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-02-19 11:59 . 2007-03-22 09:30 1,410,704 --a------ C:\WINDOWS\system32\FPSPR70.ocx
2008-02-19 11:54 . 2008-02-19 11:54 <DIR> d-------- C:\WINDOWS\Crystal
2008-02-19 11:54 . 2008-02-19 11:54 <DIR> d-------- C:\Program Files\Seagate Software
2008-02-19 11:54 . 2008-02-19 11:54 <DIR> d-------- C:\Program Files\Common Files\Formulator
2008-02-19 11:52 . 2008-02-19 11:52 <DIR> d-------- C:\Program Files\Formulator
2008-02-17 22:45 . 2008-02-17 22:45 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-02-17 22:40 . 2008-02-17 22:40 <DIR> d-------- C:\Program Files\Norton SystemWorks Premier
2008-02-17 22:38 . 2008-02-17 23:20 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-17 22:38 . 2008-02-17 23:20 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-17 22:38 . 2008-02-17 23:20 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-17 22:38 . 2008-02-17 23:20 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-17 22:37 . 2008-02-17 22:37 <DIR> d-------- C:\Program Files\Symantec
2008-02-17 22:37 . 2008-02-17 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-17 22:35 . 2008-02-17 22:35 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-17 22:30 . 2008-02-17 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-17 22:23 . 2008-02-17 22:23 38,400 --a------ C:\WINDOWS\system32\rqronki.dll.vir
2008-02-17 22:01 . 2008-02-17 22:02 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-17 22:01 . 2008-02-17 22:02 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-17 21:54 . 2008-02-17 21:54 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-16 21:27 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-16 21:27 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-16 21:27 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-16 21:25 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-02-16 21:16 . 2008-02-16 21:16 <DIR> d-------- C:\Program Files\MSBuild
2008-02-16 21:16 . 2008-02-16 21:16 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-16 21:12 . 2008-02-16 21:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-16 21:11 . 2008-02-16 21:11 <DIR> dr-h----- C:\MSOCache
2008-02-16 21:11 . 2008-02-16 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-16 20:14 . 2008-02-16 20:14 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-02-16 20:14 . 2008-02-16 20:14 <DIR> d-------- C:\Documents and Settings\Enrique R. Troncoso\Contacts
2008-02-16 20:13 . 2008-02-16 20:14 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-02-16 20:06 . 2008-02-16 20:06 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-16 20:05 . 2008-02-16 20:05 <DIR> d-------- C:\Program Files\Windows Live
2008-02-16 20:05 . 2008-02-16 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-16 19:36 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-16 19:36 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-16 19:36 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-16 19:36 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-16 19:36 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-16 19:36 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-16 19:36 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-16 19:36 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-16 19:36 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-16 18:51 . 2006-05-05 04:41 453,120 --------- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-16 18:38 . 2008-02-16 18:38 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-02-16 16:47 . 2008-02-16 16:47 4,096 --ah----- C:\._?
2008-02-16 16:40 . 2008-02-16 16:40 <DIR> d--h----- C:\.Trashes
2008-02-16 16:40 . 2008-02-16 16:40 <DIR> d--h----- C:\.Spotlight-V100
2008-02-16 16:40 . 2008-02-16 16:40 4,096 --ah----- C:\._.Trashes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 22:42 --------- d-----w C:\Program Files\Intel
2008-02-16 22:41 --------- d-----w C:\Program Files\Boot Camp
2008-02-16 22:40 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-02-16 22:40 --------- d-----w C:\Program Files\Realtek
2008-02-16 22:40 --------- d-----w C:\Program Files\Motorola
2008-02-16 22:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 22:39 --------- d-----w C:\Program Files\SigmaTel
2008-02-16 22:39 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-16 22:37 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-16 22:37 --------- d-----w C:\Program Files\DIFX
2008-02-16 22:36 --------- d-----w C:\Program Files\Apple Software Update
2008-02-16 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-16 22:28 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 15:51 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-07 01:07 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-12-07 01:07 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-12-07 01:07 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-12-07 01:07 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-12-07 01:07 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-21 23:10 99,632 ----a-w C:\WINDOWS\system32\AppleTimeSrv.exe
2007-11-21 23:10 140,592 ----a-w C:\WINDOWS\system32\AppleOSSMgr.exe
2007-11-21 23:10 1,213,744 ----a-w C:\WINDOWS\system32\AppleControlPanel.exe
2007-11-21 20:52 9,715,200 ----a-w C:\WINDOWS\RTLCPL.exe
2007-11-21 20:52 86,016 ----a-w C:\WINDOWS\system32\stacsv.exe
2007-11-21 20:52 86,016 ----a-w C:\WINDOWS\SoundMan.exe
2007-11-21 20:52 69,632 ----a-w C:\WINDOWS\Alcmtr.exe
2007-11-21 20:52 229,376 ----a-w C:\WINDOWS\system32\stacapi.dll
2007-11-21 20:52 2,808,832 ----a-w C:\WINDOWS\alcwzrd.exe
2007-11-21 20:52 2,165,760 ----a-w C:\WINDOWS\MicCal.exe
2007-11-21 20:52 16,384,512 ----a-w C:\WINDOWS\RTHDCPL.exe
2007-11-21 20:52 117,248 ------w C:\WINDOWS\system32\staco.dll
2007-11-21 20:52 1,826,816 ----a-w C:\WINDOWS\SkyTel.exe
2007-11-21 20:52 1,191,936 ----a-w C:\WINDOWS\RtlUpd.exe
2007-11-21 20:52 1,097,728 ----a-w C:\WINDOWS\system32\stlang.dll
2007-11-21 20:51 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2007-11-21 20:51 49,152 ----a-w C:\WINDOWS\system32\ChCfg.exe
2007-11-21 20:49 147,456 ----a-w C:\WINDOWS\system32\IRW.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A101B5DC-A7FF-404F-9A1B-2DA193BC9FE1}]
C:\WINDOWS\system32\pmkji.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00 15360]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-17 21:54 53248]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 11:03 868352]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 10:19 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-10 19:14 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-10 19:14 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-10 19:14 138008]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 12:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-11-21 15:49 147456]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-11-21 18:10 419120]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-28 01:38 107112]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22 26248]
"NSWosCheck"="C:\Program Files\Norton SystemWorks Premier\osCheck.exe" [2007-12-03 01:41 25472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft"="schost.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 12:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^Enrique R. Troncoso^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Enrique R. Troncoso\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-11-21 18:10]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-11-21 18:10]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-11-21 15:50]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-11-21 15:49]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-11-21 15:50]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-11-21 15:50]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-11-21 15:49]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-11-21 15:49]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-11-21 15:49]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-11-21 15:49]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2007-11-21 15:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 22:36:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-21 04:29:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-18 03:41:56 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
"2008-02-18 04:12:36 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Enrique R. Troncoso.job"
- C:\PROGRA~1\NORTON~2\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 23:55:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-02-20 23:56:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-21 04:56:32
.
2008-02-20 04:34:27 --- E O F ---
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:27 PM, on 20/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=80744
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A101B5DC-A7FF-404F-9A1B-2DA193BC9FE1} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exe
O4 - HKLM\..\RunServices: [Microsoft] schost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7766 bytes

#4 teacup61 (Malware Response Team)

Posted 21 February 2008 - 12:08 AM

Hello,

Do you run this program? http://www.infinite-madness.com/moo.php If not, do you know what these are?
C:\._?
C:\.Trashes
C:\.Spotlight-V100
C:\._.Trashes
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Enrique Troncoso (Topic Starter)

Posted 21 February 2008 - 08:05 AM

Thanks, tea cup, for the reply.

I don't run http://www.infinite-madness.com/moo.php. This is new to me.

Unfortunately, I do not know what those files are for. What I can tell is that I have Windows XP installed on a MacBook using a partition created by BootCamp.
Do you think these files could be causing this problem?

Please advise,

#6 teacup61 (Malware Response Team)

Posted 21 February 2008 - 11:43 AM

Hello,

Okay then, let's see what they really are: use Windows Search (Start > Search > For Files or Folders) to search for the following file:
._.Trashes

Please go to VirusTotal and submit the file for a scan and post the results in your next reply. Please do the same for this one: ._?

Thanks,
tea

#7 Enrique Troncoso (Topic Starter)

Posted 22 February 2008 - 08:26 AM

Hi tea cup:

Both analyses do not show infection on these two files:


File: ._?

Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.08 -
Authentium 4.93.8 2008.02.08 -
Avast 4.7.1098.0 2008.02.09 -
AVG 7.5.0.516 2008.02.09 -
BitDefender 7.2 2008.02.09 -
CAT-QuickHeal None 2008.02.08 -
ClamAV 0.92 2008.02.09 -
DrWeb 4.44.0.09170 2008.02.09 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5522 2008.02.08 -
Ewido 4.0 2008.02.09 -
FileAdvisor 1 2008.02.09 -
Fortinet 3.14.0.0 2008.02.09 -
F-Prot 4.4.2.54 2008.02.08 -
F-Secure 6.70.13260.0 2008.02.09 -
Ikarus T3.1.1.20 2008.02.09 -
Kaspersky 7.0.0.125 2008.02.09 -
McAfee 5226 2008.02.08 -
Microsoft 1.3204 2008.02.09 -
NOD32v2 2861 2008.02.09 -
Norman 5.80.02 2008.02.08 -
Panda 9.0.0.4 2008.02.09 -
Prevx1 V2 2008.02.09 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.09 -
Sunbelt 2.2.907.0 2008.02.09 -
Symantec 10 2008.02.09 -
TheHacker 6.2.9.215 2008.02.09 -
VBA32 3.12.6.0 2008.02.09 -
VirusBuster 4.3.26:9 2008.02.09 -
Webwasher-Gateway 6.6.2 2008.02.09 -
Additional information
Tamano archivo: 4096 bytes
MD5: a3944ee8c4f5b536981daf39a4b1d424
SHA1: cf871dbffe701af4a03fd292dfa26bc690944c70
PEiD: -


File .____ received on 02.22.2008 14:15:35 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.22 -
Authentium 4.93.8 2008.02.22 -
Avast 4.7.1098.0 2008.02.21 -
AVG 7.5.0.516 2008.02.22 -
BitDefender 7.2 2008.02.22 -
CAT-QuickHeal 9.50 2008.02.21 -
ClamAV 0.92.1 2008.02.22 -
DrWeb 4.44.0.09170 2008.02.22 -
eSafe 7.0.15.0 2008.02.21 -
eTrust-Vet 31.3.5555 2008.02.22 -
Ewido 4.0 2008.02.22 -
FileAdvisor 1 2008.02.22 -
Fortinet 3.14.0.0 2008.02.22 -
F-Prot 4.4.2.54 2008.02.22 -
F-Secure 6.70.13260.0 2008.02.22 -
Ikarus T3.1.1.20 2008.02.22 -
Kaspersky 7.0.0.125 2008.02.22 -
McAfee 5235 2008.02.21 -
Microsoft 1.3204 2008.02.22 -
NOD32v2 2895 2008.02.22 -
Norman 5.80.02 2008.02.22 -
Panda 9.0.0.4 2008.02.21 -
Prevx1 V2 2008.02.22 -
Rising 20.32.42.00 2008.02.22 -
Sophos 4.26.0 2008.02.22 -
Sunbelt 3.0.890.0 2008.02.22 -
Symantec 10 2008.02.22 -
TheHacker 6.2.9.226 2008.02.22 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.21 -
Webwasher-Gateway 6.6.2 2008.02.22 -
Additional information
File size: 4096 bytes
MD5: 54818b16a08c597cd95e6af276b88002
SHA1: 4b38aa814c8304de6fc4a064fc5f01a80fa34855
PEiD: -

#8 Enrique Troncoso (Topic Starter)

Posted 22 February 2008 - 08:31 AM

Just in case, I am posting a new HijackThis log:

There is one suspicious entry: O2 - BHO: (no name) - {A101B5DC-A7FF-404F-9A1B-2DA193BC9FE1} - C:\WINDOWS\system32\pmkji.dll (file missing)

but I am not sure if I should fix this.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:38 AM, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=80744
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A101B5DC-A7FF-404F-9A1B-2DA193BC9FE1} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exe
O4 - HKLM\..\RunServices: [Microsoft] schost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7604 bytes

#9 teacup61 (Malware Response Team)

Posted 22 February 2008 - 02:49 PM

Hello,

I did some extra checking (thanks miekiemoes!) and those files are indeed good, so you're in good shape there. :blink:

You can check that entry, O2 - BHO: (no name) - {A101B5DC-A7FF-404F-9A1B-2DA193BC9FE1} - C:\WINDOWS\system32\pmkji.dll (file missing), with HijackThis, click Fix checked, and then do the following:

Please open Notepad and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A101B5DC-A7FF-404F-9A1B-2DA193BC9FE1}]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: (image)
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

How is it running please? :thumbsup:

Thanks,
tea
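
The check teacup61 describes above, as an added example that is not part of the thread: a small Python script that parses the O2 (BHO) lines of a HijackThis log, flags any BHO whose DLL is reported "(file missing)", and emits the REGEDIT4 text that deletes the orphaned registration. The log excerpt is constructed from the thread's own entries; the full key path is the standard BHO registration key, which the post abbreviates with "~".

```python
import re

# Constructed excerpt of a HijackThis v2 log (same format and entries as the thread).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL",
    r"O2 - BHO: (no name) - {A101B5DC-A7FF-404F-9A1B-2DA193BC9FE1} - C:\WINDOWS\system32\pmkji.dll (file missing)",
    r"O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll",
    r"O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll",
])

# Standard registration key for Browser Helper Objects (written as "~" in the post).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_bho_entries(log_text):
    """Return one dict per O2 line: name, clsid, path and whether the DLL is missing."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not a BHO line (R0/R1/O3/O4/... are ignored here)
        entries.append({
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": m.group("path"),
            "missing": m.group("missing") is not None,
        })
    return entries


def orphaned_bhos(log_text):
    """BHOs whose registration outlived the DLL: a leftover that is safe to remove."""
    return [e for e in parse_bho_entries(log_text) if e["missing"]]


def reg_fix_for(clsids):
    """Build REGEDIT4 text that deletes the BHO keys, as in the post's fix.reg."""
    lines = ["REGEDIT4", ""]
    for clsid in clsids:
        lines.append(f"[-{BHO_KEY}\\{clsid}]")  # leading "-" deletes the key
        lines.append("")
    return "\r\n".join(lines)  # .reg files use CRLF line endings


if __name__ == "__main__":
    bad = orphaned_bhos(SAMPLE_LOG)
    for e in bad:
        print(f"orphaned BHO {e['clsid']} -> {e['path']}")
    print(reg_fix_for([e["clsid"] for e in bad]))
```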

#10 teacup61 (Malware Response Team)

Posted 03 March 2008 - 06:08 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



