
Got Infected By Trojan...


11 replies to this topic

#1 Rubiks


Posted 21 February 2008 - 12:15 PM

Hi,
I have a little problem. One site got hacked (sort of). So I got a trojan...
My computer was fairly new so I didn't have anti-virus installed, but I think I got some kind of an alarm message. Later when I read the site's news and realised I got a problem I installed Bit-defender. It found some files and deleted them but every time I restarted my computer or restored my internet connection Bit-defender found again that trojan. But now there have been many other types of trojans. I don't know what to do next. Here are some viruses Bit-defender has found and I have written down:
early ones: Trojan.Kobcka.BE ; Trojan.Pandex.L
Also what I remember: Trojan.Dropper.RPG and some Trojan.Downloaders or something.
Now it finds: Generic.Malware.dld!!.4F44AA5D
Here is the hijackthis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:46, on 21.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Bit\bdmcon.exe
E:\Bit\bdagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\Bit\vsserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - judgemq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] "E:\Bit\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "E:\Bit\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - E:\Bit\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 3149 bytes


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 23 February 2008 - 08:12 AM

Hi Rubiks and Welcome to the forums. :thumbsup:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

#3 Rubiks

Rubiks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  

Posted 23 February 2008 - 12:08 PM

Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.05
Database version: 396

Scan type: Quick Scan
Objects scanned: 21940
Time elapsed: 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pharma.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\other.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\finance.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adult.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lt.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\0_exception.nls (Trojan.Tibs) -> Quarantined and deleted successfully.
It didn't take long and it didn't prompt a restart.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:38, on 23.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Bit\bdmcon.exe
E:\Bit\bdagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
E:\Bit\vsserv.exe
E:\Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - judgemq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] "E:\Bit\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "E:\Bit\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - E:\Bit\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 3110 bytes

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 23 February 2008 - 02:13 PM

Looks better already... Open HijackThis -> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - judgemq.dll (file missing)

O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
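
The three entries singled out above can be recognised mechanically. As an added example (not code from the thread, from HijackThis or from the helper), a small Python checker that applies those rules, a UserInit value launching anything besides userinit.exe and O2/O20 load points whose DLL is absent, to a constructed excerpt of the log posted in #3:

```python
import re

# Constructed excerpt of the HijackThis log posted in #3: the three entries
# the helper flagged plus benign lines from the same log, for contrast.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.www.daemon-search.com/default
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,
O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - judgemq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [BDAgent] "E:\\Bit\\bdagent.exe"
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# The only program Windows is expected to run from the UserInit value.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# HijackThis lines look like "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def check_line(line):
    """Return a short reason if a HijackThis line is suspicious, else None."""
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "F2" and body.startswith("REG:system.ini: UserInit="):
        # Winlogon runs every comma-separated program listed in UserInit at
        # logon, so any entry besides userinit.exe is an extra program
        # started on every logon.
        value = body.split("UserInit=", 1)[1]
        progs = [p.strip().lower() for p in value.split(",") if p.strip()]
        extra = [p for p in progs if p != EXPECTED_USERINIT]
        if extra:
            return "UserInit starts extra program(s): " + ", ".join(extra)
    if kind == "O2" and body.endswith("(file missing)"):
        # A BHO registration pointing at a DLL that is not on disk is an
        # orphaned load point; removing it stops it being reused.
        return "BHO registered but its DLL is absent"
    if kind == "O20" and body.startswith("Winlogon Notify:") and body.endswith("(file missing)"):
        return "Winlogon Notify package registered but its DLL is absent"
    return None


def scan(log_text):
    """Return [(line, reason)] for every suspicious line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        reason = check_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"{line.split(' - ')[0]:>4}: {reason}")
```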


#5 Rubiks

Rubiks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:04 PM

Posted 24 February 2008 - 04:37 AM

main:
Deckard's System Scanner v20071014.68
Run by renno on 2008-02-24 11:26:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as renno.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:19, on 24.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Bit\bdmcon.exe
E:\Bit\bdagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
E:\Bit\vsserv.exe
I:\Downloadsfromnet\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\renno.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] "E:\Bit\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "E:\Bit\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - E:\Bit\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 2842 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080224-112236-922 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080224-112237-514 O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
backup-20080224-112237-735 O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - judgemq.dll (file missing)

-- File Associations -----------------------------------------------------------

.chm - unable to read key
.chm - unable to read key
.cpl - cplfile - shell\runas\command - unable to read value
.hlp - hlpfile - DefaultIcon - unable to read value
.hlp - hlpfile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 bdpredir - e:\bit\bdpredir.sys <Not Verified; Softwin SRL; BitDefender 10>

S0 Prg30 - c:\windows\system32\drivers\prg30.sys (file missing)
S0 Rpl32 - c:\windows\system32\drivers\rpl32.sys (file missing)
S0 Rpv72 - c:\windows\system32\drivers\rpv72.sys (file missing)
S1 smtpdrv - c:\windows\system32\drivers\smtpdrv.sys (file missing)
S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 RivaTuner32 - e:\rivatuner\rivatuner32.sys
S3 TCCrystalCpuInfo - e:\temp\tccpuinfo.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-01-24 and 2008-02-24 -----------------------------

2008-02-23 23:24:50 0 dr-h----- C:\Documents and Settings\renno\Recent
2008-02-23 19:00:33 0 d-------- C:\Documents and Settings\renno\Application Data\Malwarebytes
2008-02-23 19:00:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 18:43:16 0 d-------- C:\Program Files\Trend Micro
2008-02-08 15:40:46 0 d-------- C:\WINDOWS\system32\appmgmt
2008-01-24 16:03:32 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-24 16:03:32 0 d-------- C:\WINDOWS\system32\LogFiles


-- Find3M Report ---------------------------------------------------------------

2008-02-23 23:24:52 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-02-17 18:01:44 0 d-------- C:\Documents and Settings\renno\Application Data\OpenOffice.org2
2008-02-08 15:41:14 0 d-------- C:\Program Files\Common Files
2008-02-07 21:10:41 783 --a------ C:\WINDOWS\mozver.dat
2008-02-07 16:43:54 23 --a------ C:\WINDOWS\popcinfot.dat
2008-01-21 14:15:58 0 d-------- C:\Program Files\SystemRequirementsLab
2008-01-21 14:15:58 0 d-------- C:\Documents and Settings\renno\Application Data\SystemRequirementsLab
2008-01-14 20:23:40 0 d-------- C:\Documents and Settings\renno\Application Data\dvdcss
2008-01-13 13:15:55 0 d-------- C:\Documents and Settings\renno\Application Data\teamspeak2
2008-01-11 21:58:56 0 d-------- C:\Documents and Settings\renno\Application Data\vlc
2008-01-08 15:11:01 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-07 15:45:25 0 d-------- C:\Documents and Settings\renno\Application Data\Sun
2008-01-07 15:44:46 0 d-------- C:\Program Files\Java
2008-01-07 15:43:42 0 d-------- C:\Program Files\Common Files\Java
2008-01-02 22:26:46 0 d-------- C:\Documents and Settings\renno\Application Data\U3
2007-12-24 18:16:56 913408 --a------ C:\WINDOWS\system32\xreglib.dll
2007-12-24 16:35:50 0 d-------- C:\Documents and Settings\renno\Application Data\Bitdefender
2007-12-14 16:39:06 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-12 19:31:00 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-12-12 01:26:03 62 --ahs---- C:\Documents and Settings\renno\Application Data\desktop.ini
2007-12-11 23:31:46 0 -rahs---- C:\MSDOS.SYS
2007-12-11 23:31:46 0 -rahs---- C:\IO.SYS
2007-12-11 23:31:46 0 --a------ C:\CONFIG.SYS
2007-12-11 23:31:46 0 --a------ C:\AUTOEXEC.BAT
2007-12-11 23:30:41 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19.11.2007 18:42]
"nwiz"="nwiz.exe" [19.11.2007 18:42 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [19.11.2007 18:42]
"BDMCon"="E:\Bit\bdmcon.exe" [24.12.2007 18:15]
"BDAgent"="E:\Bit\bdagent.exe" [24.12.2007 18:15]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 01:11]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoStartMenuMFUprogramsList"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoStartMenuMFUprogramsList"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Prg30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rpl32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rpv72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService WebClient LmHosts upnphost SSDPSRV




-- End of Deckard's System Scanner: finished at 2008-02-24 11:26:36 ------------




extra:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6300 @ 1.86GHz
CPU 1: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of Memory in Use: 14%
Physical Memory (total/avail): 2046.48 MiB / 1748.07 MiB
Pagefile Memory (total/avail): 2920.69 MiB / 2721.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.31 MiB

C: is Fixed (NTFS) - 4.88 GiB total, 2.79 GiB free.
D: is Fixed (NTFS) - 4.88 GiB total, 3.85 GiB free.
E: is Fixed (NTFS) - 4.88 GiB total, 4.53 GiB free.
F: is Fixed (NTFS) - 24.41 GiB total, 3.78 GiB free.
G: is Fixed (NTFS) - 263.92 GiB total, 234.9 GiB free.
H: is CDROM (No Media)
I: is Fixed (NTFS) - 97.65 GiB total, 93.4 GiB free.
J: is Fixed (NTFS) - 195.55 GiB total, 194.37 GiB free.
K: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - WDC WD3200AAKS-00VYA0 - 298.09 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 4.88 GiB - D:
\PARTITION1 - Installable File System - 4.88 GiB - E:
\PARTITION2 - Installable File System - 24.41 GiB - F:
\PARTITION3 - Installable File System - 263.92 GiB - G:

\\.\PHYSICALDRIVE0 - WDC WD3200JD-22KLB0 - 298.09 GiB - 3 partitions
\PARTITION0 (bootable) - MS-DOS V4 Huge - 4.88 GiB - C:
\PARTITION1 - Installable File System - 97.65 GiB - I:
\PARTITION2 - Installable File System - 195.55 GiB - J:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\renno\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RENNOPC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\renno
LOGONSERVER=\\RENNOPC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
sourcesdk=f:\program files\steam\steamapps\qlar\sourcesdk
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=E:\TEMP
TMP=E:\TEMP
USERDOMAIN=RENNOPC
USERNAME=renno
USERPROFILE=C:\Documents and Settings\renno
VProject=f:\program files\steam\steamapps\qlar\half-life 2 deathmatch\hl2mp
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

renno (admin)


-- Add/Remove Programs ---------------------------------------------------------

Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
BitDefender Antivirus Plus v10 --> MsiExec.exe /I{F9FFD19E-B9BA-4C0C-B088-A385F9E9A15B}
CounterStrike 1.6 from VSI (Version 1.02) --> F:\PROGRA~1\Valve\CSTRIK~1.6\UNWISE.EXE F:\PROGRA~1\Valve\CSTRIK~1.6\ins_cs16_vsi102.log
DivX Web Player --> E:\DivXwebplayer\DivXWebPlayerUninstall.exe /PLUGIN
DScaler 5 Mpeg Decoders --> "E:\DScaler5\unins000.exe"
Far Cry --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC} /l2057
Half-Life 2: Deathmatch --> "F:\Program Files\Steam\steam.exe" steam://uninstall/320
Half-Life 2: Episode One --> "F:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Lost Coast --> "F:\Program Files\Steam\steam.exe" steam://uninstall/340
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Malwarebytes' Anti-Malware --> "E:\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> E:\Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
PunkBuster Services --> C:\WINDOWS\system32\pbsvc.exe -u
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RivaTuner v2.06 --> "E:\RivaTuner\uninstall.exe"
Source SDK --> "F:\Program Files\Steam\steam.exe" steam://uninstall/211
Source SDK Base --> "F:\Program Files\Steam\steam.exe" steam://uninstall/215
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Zoom Player (remove only) --> "E:\Zoom Player\uninstall.exe"
TeamSpeak 2 RC2 --> E:\Teamspeak2_RC2\unins000.exe
Unreal Tournament --> F:\Program Files\UT\System\Setup.exe uninstall "UnrealTournament"
Valve Hammer Editor --> F:\PROGRA~1\VALVEH~1\UNWISE.EXE F:\PROGRA~1\VALVEH~1\INSTALL.LOG
VideoLAN VLC media player 0.8.6d --> E:\VLC\uninstall.exe
Winamp (remove only) --> "E:\Winamp\UninstWA.exe"
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
Xvid 1.1.3 final uninstall --> "E:\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type164 / Warning
Event Submitted/Written: 02/21/2008 08:02:22 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type163 / Warning
Event Submitted/Written: 02/21/2008 06:44:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type160 / Warning
Event Submitted/Written: 02/09/2008 11:37:06 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type153 / Warning
Event Submitted/Written: 01/27/2008 10:53:04 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8038 / Error
Event Submitted/Written: 02/24/2008 10:39:34 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type8025 / Error
Event Submitted/Written: 02/24/2008 10:36:05 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
smtpdrv

Event Record #/Type8023 / Error
Event Submitted/Written: 02/24/2008 10:34:20 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.100 for the Network Card with network address 001A924EC024 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type8018 / Error
Event Submitted/Written: 02/23/2008 10:47:44 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type8005 / Error
Event Submitted/Written: 02/23/2008 10:44:18 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
smtpdrv



-- End of Deckard's System Scanner: finished at 2008-02-24 11:26:36 ------------

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 24 February 2008 - 01:57 PM

Looks like there are several rootkits in there, gonna need another tool to get this outa there.

Go ahead and get rid of DSS, the folder containing everything should be on the C:\ folder.

We will use its big brother to do the rest of the cleaning. Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Edited by Cretemonster, 24 February 2008 - 01:57 PM.
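
The indicators behind that verdict are visible in the DSS main.txt posted in #5: early-start drivers whose .sys file the scanner cannot find, matching SafeBoot\Minimal keys for the same names, and a non-empty AppInit_DLLs value. As an added example (not code from the thread, from DSS or from ComboFix), a Python parser that pulls those out of a constructed excerpt of that log:

```python
import re

# Constructed excerpt of the DSS main.txt posted in #5 (drivers section and
# part of the registry dump); a legitimate driver line is kept for contrast.
DSS_EXCERPT = r"""
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 bdpredir - e:\bit\bdpredir.sys <Not Verified; Softwin SRL; BitDefender 10>

S0 Prg30 - c:\windows\system32\drivers\prg30.sys (file missing)
S0 Rpl32 - c:\windows\system32\drivers\rpl32.sys (file missing)
S0 Rpv72 - c:\windows\system32\drivers\rpv72.sys (file missing)
S1 smtpdrv - c:\windows\system32\drivers\smtpdrv.sys (file missing)
S3 RivaTuner32 - e:\rivatuner\rivatuner32.sys

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Prg30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rpl32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rpv72.sys]
@="Driver"
"""

# "R1 name - path" / "S0 name - path (file missing)": R/S = running/stopped,
# digit = start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
DRIVER_RE = re.compile(r"^([RS])([0-4])\s+(\S+)\s+-\s+(.*?)(\s\(file missing\))?$")
SAFEBOOT_RE = re.compile(r"^\[.*\\SafeBoot\\Minimal\\([^\]]+)\]$", re.IGNORECASE)
APPINIT_RE = re.compile(r'^"appinit_dlls"=(.*)$', re.IGNORECASE)


def parse_dss(text):
    """Pull drivers, SafeBoot\\Minimal driver names and AppInit_DLLs from DSS output."""
    drivers, safeboot, appinit = {}, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVER_RE.match(line):
            state, start, name, path, missing = m.groups()
            drivers[name.lower()] = {
                "running": state == "R",
                "start": int(start),
                "path": path,
                "missing": missing is not None,
            }
        elif m := SAFEBOOT_RE.match(line):
            # Key names carry the .sys suffix; driver lines do not.
            safeboot.add(m.group(1).lower().removesuffix(".sys"))
        elif m := APPINIT_RE.match(line):
            appinit = [d.strip() for d in m.group(1).split(",") if d.strip()]
    return drivers, safeboot, appinit


def rootkit_indicators(text):
    """Return [(name, note)] for the load points a reviewer would want removed."""
    drivers, safeboot, appinit = parse_dss(text)
    findings = []
    for name, d in drivers.items():
        # An early-start driver whose file the scanner cannot see is either an
        # orphaned entry or a driver hiding its own file; both warrant removal.
        if d["start"] <= 1 and d["missing"]:
            note = "early-start driver registered, file not visible"
            if name in safeboot:
                note += "; also keyed under SafeBoot\\Minimal, so it loads in Safe Mode too"
            findings.append((name, note))
    for dll in appinit:
        # AppInit_DLLs is loaded into every process that links user32.dll.
        findings.append((dll, "AppInit_DLLs injects this DLL into user32-linked processes"))
    return findings


if __name__ == "__main__":
    for name, note in rootkit_indicators(DSS_EXCERPT):
        print(f"{name}: {note}")
```

The same three driver names appear in both the missing-file list and the SafeBoot\Minimal keys, which is why a normal Safe Mode boot would not have kept them from loading.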


#7 Rubiks

Rubiks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  

Posted 25 February 2008 - 08:08 AM

ComboFix log:
ComboFix 08-02-25.2 - renno 2008-02-25 14:59:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1723 [GMT 2:00]
Running from: I:\Downloadsfromnet\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\system32\restore
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\system32\npp
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\srchasst
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\msagent
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-02-23 19:00 . 2008-02-23 19:00 <DIR> d-------- C:\Documents and Settings\renno\Application Data\Malwarebytes
2008-02-23 19:00 . 2008-02-23 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 18:43 . 2008-02-21 18:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 14:15 . 2008-01-29 14:15 250 --a------ C:\WINDOWS\gmer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 13:00 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-02-17 16:01 --------- d-----w C:\Documents and Settings\renno\Application Data\OpenOffice.org2
2008-01-24 14:04 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-24 14:04 22,328 ----a-w C:\Documents and Settings\renno\Application Data\PnkBstrK.sys
2008-01-24 14:03 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-01-24 14:03 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-24 14:03 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-21 12:15 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-01-21 12:15 --------- d-----w C:\Documents and Settings\renno\Application Data\SystemRequirementsLab
2008-01-14 18:23 --------- d-----w C:\Documents and Settings\renno\Application Data\dvdcss
2008-01-13 11:15 --------- d-----w C:\Documents and Settings\renno\Application Data\teamspeak2
2008-01-11 19:58 --------- d-----w C:\Documents and Settings\renno\Application Data\vlc
2008-01-08 13:11 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-07 13:44 --------- d-----w C:\Program Files\Java
2008-01-07 13:43 --------- d-----w C:\Program Files\Common Files\Java
2008-01-02 20:26 --------- d-----w C:\Documents and Settings\renno\Application Data\U3
2007-12-27 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-24 16:16 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2007-12-12 17:31 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-30 16:42 16,858,624 ----a-w C:\WINDOWS\RTHDCPL.exe
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

------- Sigcheck -------

80082776f5f39852ee40c521806e1135 C:\WINDOWS\system32\drivers\tcpip.sys
----a-w 359,040 2006-12-28 17:36:38 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-19 18:42 8523776]
"nwiz"="nwiz.exe" [2007-11-19 18:42 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-19 18:42 81920]
"BDMCon"="E:\Bit\bdmcon.exe" [2007-12-24 18:15 290816]
"BDAgent"="E:\Bit\bdagent.exe" [2007-12-24 18:15 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-03 23:56 99840 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-11-30 18:42 16858624 C:\WINDOWS\RTHDCPL.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

S0 Prg30;Prg30;C:\WINDOWS\system32\Drivers\Prg30.sys []
S0 Rpl32;Rpl32;C:\WINDOWS\system32\Drivers\Rpl32.sys []
S0 Rpv72;Rpv72;C:\WINDOWS\system32\Drivers\Rpv72.sys []
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;E:\TEMP\TCCpuInfo.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 15:00:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\Bit\vsserv.exe
.
**************************************************************************
.
Completion time: 2008-02-25 15:01:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 13:01:06
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:06:01, on 25.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Bit\bdmcon.exe
E:\Bit\bdagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\Bit\vsserv.exe
C:\WINDOWS\system32\notepad.exe
E:\Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] "E:\Bit\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "E:\Bit\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - E:\Bit\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 3101 bytes

Edited by Rubiks, 25 February 2008 - 08:10 AM.


#8 Guest_Cretemonster_*

  • Guests

Posted 27 February 2008 - 07:42 AM

Copy the text below to Notepad and save it to the desktop with the name CFScript.

Driver::
Prg30
Rpl32
Rpv72
File::
C:\WINDOWS\system32\Drivers\Prg30.sys
C:\WINDOWS\system32\Drivers\Rpl32.sys
C:\WINDOWS\system32\Drivers\Rpv72.sys

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed, post the new ComboFix log.
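A small triage script, added here as an example and not code from the thread or from ComboFix, that reads the service/driver lines and the AppInit_DLLs line from a ComboFix log in the layout quoted in the previous post, flags boot-start drivers that report no file details, and renders them in the Driver::/File:: layout of the CFScript above. The log excerpt it runs on is constructed from lines in this thread plus one made-up healthy driver entry for contrast.

```python
import re
from typing import Dict, List

# Constructed excerpt in ComboFix's log layout: the lines quoted in this thread
# plus one made-up driver line (R2 ExampleSvc) that carries normal file details.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

S0 Prg30;Prg30;C:\WINDOWS\system32\Drivers\Prg30.sys []
S0 Rpl32;Rpl32;C:\WINDOWS\system32\Drivers\Rpl32.sys []
S0 Rpv72;Rpv72;C:\WINDOWS\system32\Drivers\Rpv72.sys []
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;E:\TEMP\TCCpuInfo.sys []
R2 ExampleSvc;Example Service;C:\WINDOWS\system32\drivers\example.sys [2007-01-01 12:00 12345]
"""

# One ComboFix service/driver line: <state><start> <name>;<display>;<path> [<details>]
# state: R = running, S = stopped; start: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')


def parse_services(log: str) -> List[Dict[str, str]]:
    """Return every service/driver line as a dict of its fields."""
    rows = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, start, name, display, path, details = m.groups()
            rows.append({"state": state, "start": start, "name": name,
                         "display": display, "path": path, "details": details.strip()})
    return rows


def boot_drivers_without_details(log: str) -> List[Dict[str, str]]:
    """Boot-start (S0) drivers whose bracket holds no file details.

    A normal driver line carries a date and size in the brackets; the three
    entries the helper scripted for removal in this thread are S0 with '[]'.
    """
    return [r for r in parse_services(log) if r["start"] == "0" and not r["details"]]


def appinit_dlls(log: str) -> List[str]:
    """DLLs listed under AppInit_DLLs (loaded into every process that links user32)."""
    for line in log.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return [d for d in re.split(r"[,\s]+", m.group(1).strip()) if d]
    return []


def build_cfscript(drivers: List[Dict[str, str]]) -> str:
    """Render the Driver:: / File:: block in the layout used in this thread."""
    lines = ["Driver::"] + [d["name"] for d in drivers]
    lines += ["File::"] + [d["path"] for d in drivers]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = boot_drivers_without_details(SAMPLE_LOG)
    print("AppInit_DLLs:", appinit_dlls(SAMPLE_LOG))
    print(build_cfscript(flagged))
```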

#9 Rubiks

  • Topic Starter
  • Members
  • 7 posts

Posted 27 February 2008 - 08:26 AM

ComboFix 08-02-25.2 - renno 2008-02-27 15:22:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1754 [GMT 2:00]
Running from: I:\Downloadsfromnet\ComboFix.exe
Command switches used :: I:\Downloadsfromnet\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\Drivers\Prg30.sys
C:\WINDOWS\system32\Drivers\Rpl32.sys
C:\WINDOWS\system32\Drivers\Rpv72.sys
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\system32\restore
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\system32\npp
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\srchasst
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\WINDOWS\msagent
2008-02-25 15:00 . 2008-02-25 15:00 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-02-23 19:00 . 2008-02-23 19:00 <DIR> d-------- C:\Documents and Settings\renno\Application Data\Malwarebytes
2008-02-23 19:00 . 2008-02-23 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 18:43 . 2008-02-21 18:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 14:15 . 2008-01-29 14:15 250 --a------ C:\WINDOWS\gmer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 13:23 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-02-25 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-17 16:01 --------- d-----w C:\Documents and Settings\renno\Application Data\OpenOffice.org2
2008-01-24 14:04 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-24 14:04 22,328 ----a-w C:\Documents and Settings\renno\Application Data\PnkBstrK.sys
2008-01-24 14:03 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-01-24 14:03 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-24 14:03 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-21 12:15 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-01-21 12:15 --------- d-----w C:\Documents and Settings\renno\Application Data\SystemRequirementsLab
2008-01-14 18:23 --------- d-----w C:\Documents and Settings\renno\Application Data\dvdcss
2008-01-13 11:15 --------- d-----w C:\Documents and Settings\renno\Application Data\teamspeak2
2008-01-11 19:58 --------- d-----w C:\Documents and Settings\renno\Application Data\vlc
2008-01-08 13:11 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-07 13:44 --------- d-----w C:\Program Files\Java
2008-01-07 13:43 --------- d-----w C:\Program Files\Common Files\Java
2008-01-02 20:26 --------- d-----w C:\Documents and Settings\renno\Application Data\U3
2007-12-24 16:16 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2007-12-12 17:31 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-30 16:42 16,858,624 ----a-w C:\WINDOWS\RTHDCPL.exe
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

------- Sigcheck -------

80082776f5f39852ee40c521806e1135 C:\WINDOWS\system32\drivers\tcpip.sys
----a-w 359,040 2006-12-28 17:36:38 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-19 18:42 8523776]
"nwiz"="nwiz.exe" [2007-11-19 18:42 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-19 18:42 81920]
"BDMCon"="E:\Bit\bdmcon.exe" [2007-12-24 18:15 290816]
"BDAgent"="E:\Bit\bdagent.exe" [2007-12-24 18:15 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-03 23:56 99840 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-11-30 18:42 16858624 C:\WINDOWS\RTHDCPL.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"F:\\Program Files\\Quake 3\\quake3.exe"=
"F:\\Program Files\\CQ3\\quake3.exe"=
"F:\\Program Files\\Steam\\steamapps\\qlar\\source sdk base\\hl2.exe"=

S3 TCCrystalCpuInfo;TCCrystalCpuInfo;E:\TEMP\TCCpuInfo.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 15:24:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\Bit\vsserv.exe
.
**************************************************************************
.
Completion time: 2008-02-27 15:24:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-27 13:24:24
ComboFix2.txt 2008-02-25 13:01:09

#10 Guest_Cretemonster_*

  • Guests

Posted 01 March 2008 - 04:04 AM

How is the PC acting these days?

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


#11 Rubiks

  • Topic Starter
  • Members
  • 7 posts

Posted 01 March 2008 - 10:52 AM

I can't see any real change in speed. There have been some minor anomalies a few times, every time different.
F-Secure log:
Scanning Report
Saturday, March 01, 2008 17:21:59 - 17:33:35

Computer name: RENNOPC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\ G:\ I:\ J:\
Result: 1 malware found
W32/Smalltroj.CNYX (virus)

* C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE (Submitted)

Statistics
Scanned:

* Files: 14734
* System: 2110
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 1

Files not scanned:

* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* D:\PAGEFILE.SYS

Options
Scanning engines:

* F-Secure USS: 2.20.0
* F-Secure Blacklight: 1.0.64
* F-Secure Hydra: 2.6.7470, 2008-03-01
* F-Secure Pegasus: 1.20.0, 2008-01-26
* F-Secure AVP: 7.0.171, 2008-03-01

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Copyright 1998-2007 Product support |Send virus sample to F-Secure

Notice: When it was cleaning it showed a text on the status bar, "page error", and I thought it stopped and clicked cancel. I then redid the whole thing. It had found one spyware before and deleted it. So this is log 2 really.

#12 Rubiks

  • Topic Starter
  • Members
  • 7 posts

Posted 07 March 2008 - 08:10 AM

Is it fixed now? Bit-Defender hasn't found any new viruses. Did F-Secure delete that last virus? (There is one Action and that's none.) And the rootkits are gone? :thumbsup: If they are, I thank you very much for your help!



