
Found Trojans And Lost Internet Explorer


18 replies to this topic

#1 niraknirak

niraknirak

  • Members
  • 10 posts

Posted 22 February 2008 - 12:18 PM

A couple of days ago F-Secure prompted me that "IE wishes to change..." or something like that. I thought it was an update and allowed it. It wasn't!

Now I cannot open IE and I cannot reset it via Internet Options as these have disappeared from the control panel. IE cannot be reached via run either.

F-Secure found nothing and I cannot scan via any other browser, so I downloaded Kaspersky, unplugged my internet connection, installed and scanned again. It found these trojans - win 32.VBbdb and SpyWin 32.Delf.wh, which are now removed (I hope).

I tried to repair Vista and get IE back but nothing happened.
I ran AdAware and found only tracking cookies - easily removed
and Spybot and found two entries for RegistryFix and two for Zlob downloader vcd. These cannot be removed.

HijackThis shows the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:57, on 2008-02-22
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - D:\Program Files\eSnips\SnipBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gainward] C:\Windows\TBPanel.exe /A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [eSnips] "D:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Snip to my eSnips account - D:\Program Files\eSnips\res\SnipIt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F8F150-E4DB-47B6-BBE8-ADBB929CE4D7}: NameServer = 81.88.9.218
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASDR - Unknown owner - C:\Windows\System32\ASDR.exe
O23 - Service: ATK Fast User Switch Service (ATKFUSService) - ASUSTeK COMPUTER INC. - C:\Windows\system32\ATKFUSService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - F:\Program\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 8289 bytes

I have also seen a small black window pop up at the bottom of the screen a couple of times. I really hope that I can get help to get rid of this and get back my IE. If it comes to the worst I guess I will have to format my C drive and reinstall Windows, but I would really be grateful if anyone could help me.
Oh, and my DVD burner has disappeared from My Computer. I can find it in the boot manager, but that's all. Luckily I have a DVD player as well.

Edited by niraknirak, 22 February 2008 - 12:35 PM.



#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 10 March 2008 - 12:40 AM

Hello niraknirak and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 niraknirak

niraknirak
  • Topic Starter

  • Members
  • 10 posts

Posted 12 March 2008 - 12:52 PM

Hello!
The first thing I noticed was that Internet Explorer refused to start. I cannot open it in any way. I've tried to reinstall it, but as I run Vista that is not an option. I have removed two trojans from the system, but that hasn't helped.
I also cannot find Internet Options any longer in the Control Panel.

I tried to repair Windows fron the DVD, but it does not find any problems. And also - my first DVD-RW device has mysteriously disappeared! It still has power, I can open and close it, it shows in BIOS, but Windows will not find it.

I do hope that I can get away without formatting and reinstalling Windows.

I have been through the Guide - apart from the bits of scanning via the net. Even with Mozilla something seems to hang - the program (House Call) fails to update or I find a message "The house call API did not define a native binding".
I scanned with Kaspersky Antivirus and it did not find anything apart from a couple of password protected archives.

Stinger reports no problem.

Also - when there is some message to my Messenger, i.e. there is a mail in my mailbox, I see a black window popping up at the bottom of the screen. Messenger works OK, but I cannot reach my mail that way.

The HiJack log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:47:22, on 2008-03-12
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - D:\Program Files\eSnips\SnipBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gainward] C:\Windows\TBPanel.exe /A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [eSnips] "D:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Snip to my eSnips account - D:\Program Files\eSnips\res\SnipIt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F8F150-E4DB-47B6-BBE8-ADBB929CE4D7}: NameServer = 81.88.9.218
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASDR - Unknown owner - C:\Windows\System32\ASDR.exe
O23 - Service: ATK Fast User Switch Service (ATKFUSService) - ASUSTeK COMPUTER INC. - C:\Windows\system32\ATKFUSService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - F:\Program\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 8372 bytes


By the way - thanks for taking your time! I hope you can help me.
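The two HijackThis logs posted in this thread (post #1 and post #3) are the evidence a helper works from, and most of the triage is mechanical: each line starts with a section code (R0, O2, O4, O23 ...) and certain shapes of entry are always worth a second look. The following Python script is an added example, not part of the thread and not code from Trend Micro or HijackThis: it parses lines in the HijackThis v2 format and flags the entry types a reviewer would check first. The sample lines are copied from the logs above; the review heuristics (an O2 BHO whose file is missing, an O16 web-downloaded ActiveX control, an O17 DNS server set in the registry, an O20 AppInit_DLLs entry, an O23 service with no identified publisher) are my own choices and are prompts to verify an entry, not verdicts that it is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
# Raw string so the Windows backslashes survive unchanged.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F8F150-E4DB-47B6-BBE8-ADBB929CE4D7}: NameServer = 81.88.9.218
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: ASDR - Unknown owner - C:\Windows\System32\ASDR.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    reason: str    # why a reviewer should look at this entry
    line: str      # the original log line


def parse_entries(text):
    """Return (section, body, line) for every line that looks like a HijackThis entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(text):
    """Apply the review heuristics (my own, not HijackThis's) and return the entries to check."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O2" and body.endswith("(no file)"):
            # A BHO CLSID is registered but the DLL no longer exists: an orphaned entry.
            findings.append(Finding(section, "BHO registered but its DLL is missing (orphaned entry)", line))
        elif section == "O16":
            # DPF entries are ActiveX controls that were downloaded from a web site.
            findings.append(Finding(section, "ActiveX control downloaded from the web; confirm the source is wanted", line))
        elif section == "O17":
            # A DNS server written into the TCP/IP interface key; it should match the ISP or router.
            m = re.search(r"NameServer = (\S+)", body)
            server = m.group(1) if m else "?"
            findings.append(Finding(section, f"DNS server {server} set in the registry; confirm it matches the ISP or router", line))
        elif section == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll; vendor must be verified.
            findings.append(Finding(section, "AppInit_DLLs loads this DLL into every GUI process; verify the vendor", line))
        elif section == "O23" and "- Unknown owner -" in body:
            # HijackThis could not read a company name from the service binary.
            findings.append(Finding(section, "service with no identified publisher; check the file's signature and origin", line))
    return findings


def summarize(findings):
    """Count flagged entries per section, e.g. {'O2': 1, 'O23': 1}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a full log by reading the file into `triage()`; anything the script does not flag (the ordinary O4 Run entries, the known-vendor O23 services) is not declared clean, it is simply outside these five checks and still goes through the normal manual review.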

#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 12 March 2008 - 02:45 PM

Hey niraknirak,

I have removed two trojans from the system, but that hasn't helped.

Can you actually name the trojans that you have removed?

The following is referring to Uniblue RegistryBooster 2.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and it is up to the user, so just take this as a recommendation from my side.

Step #1

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Step #2

Please post back with a fresh HijackThis log and the ComboFix log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 niraknirak

niraknirak
  • Topic Starter

  • Members
  • 10 posts

Posted 12 March 2008 - 03:29 PM

ComboFix 08-02-23.2 - Karin 2008-02-23 15:14:50.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1053.18.1131 [GMT 1:00]
Running from: C:\Users\Karin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Karin\AppData\Roaming\macromedia\Flash Player\#SharedObjects\9TY2MV52\www.broadcaster.com
C:\Users\Karin\AppData\Roaming\macromedia\Flash Player\#SharedObjects\9TY2MV52\www.broadcaster.com\played_list.sol
C:\Users\Karin\AppData\Roaming\macromedia\Flash Player\#SharedObjects\9TY2MV52\www.broadcaster.com\video_queue.sol
C:\Users\Karin\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Users\Karin\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-22 23:11 . 2008-02-22 23:11 126 --a------ C:\Windows\wininit.ini
2008-02-21 21:30 . 2008-02-21 23:59 <KAT> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-21 21:30 . 2008-02-21 23:59 <KAT> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-21 21:30 . 2008-02-21 21:30 <KAT> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 21:16 . 2008-02-21 21:16 <KAT> d-------- C:\Program Files\Microsoft Silverlight
2008-02-21 20:22 . 2008-02-21 20:22 <KAT> d-------- C:\Program Files\Trend Micro
2008-02-20 17:14 . 2008-02-20 17:21 91,700 --a------ C:\Windows\System32\drivers\klin.dat
2008-02-20 17:14 . 2008-02-20 17:14 85,860 --a------ C:\Windows\System32\drivers\klick.dat
2008-02-20 17:12 . 2008-02-23 14:54 <KAT> d-------- C:\Users\All Users\Kaspersky Lab
2008-02-20 17:12 . 2008-02-23 14:54 <KAT> d-------- C:\ProgramData\Kaspersky Lab
2008-02-20 17:12 . 2008-02-20 17:12 <KAT> d-------- C:\Program Files\Kaspersky Lab
2008-02-20 17:12 . 2008-02-23 11:36 53,123,872 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-02-20 17:12 . 2008-02-23 11:36 665,468 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-02-20 17:11 . 2008-02-20 17:11 <KAT> d-------- C:\kav
2008-02-19 08:20 . 2008-02-19 08:20 54,156 --ah----- C:\Windows\QTFont.qfn
2008-02-19 08:20 . 2008-02-19 08:20 1,409 --a------ C:\Windows\QTFont.for
2008-02-17 22:08 . 2008-02-17 22:08 <KAT> d-------- C:\Program Files\Lavasoft
2008-02-16 11:26 . 2008-01-10 06:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-13 17:18 . 2008-02-13 17:18 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 17:18 . 2008-02-13 17:18 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 17:13 . 2008-02-13 17:13 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-13 17:13 . 2008-02-13 17:13 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-13 17:13 . 2008-02-13 17:13 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-13 17:13 . 2008-02-13 17:13 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-13 17:13 . 2008-02-13 17:13 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-13 17:13 . 2008-02-13 17:13 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-13 17:13 . 2008-02-13 17:13 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-02-13 17:12 . 2008-02-13 17:12 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 17:12 . 2008-02-13 17:12 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-13 17:12 . 2008-02-13 17:12 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-13 17:12 . 2008-02-13 17:12 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-13 17:12 . 2008-02-13 17:12 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-13 17:12 . 2008-02-13 17:12 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-13 17:12 . 2008-02-13 17:12 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-13 17:03 . 2008-02-13 17:03 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-02-10 21:19 . 2007-07-05 10:33 48,768 --a------ C:\Windows\System32\drivers\jraid.sys
2008-02-10 21:14 . 2008-01-25 16:46 106,496 --a------ C:\Windows\System32\drivers\Rtlh86.sys
2008-02-10 21:12 . 2008-02-10 21:12 <KAT> d-------- C:\Program Files\Microsoft IntelliPoint
2008-02-01 00:00 . 2008-02-20 05:35 385 --a------ C:\error.htm
2008-02-01 00:00 . 2008-02-20 00:00 0 --a------ C:\infect.htm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 16:06 --------- d-----w C:\Program Files\F-Secure Internet Security
2008-02-20 16:03 --------- d-----w C:\ProgramData\F-Secure
2008-02-20 15:52 --------- d-----w C:\Users\Karin\AppData\Roaming\uTorrent
2008-02-17 21:09 --------- d-----w C:\ProgramData\Lavasoft
2008-02-17 21:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 16:13 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-13 16:12 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 16:12 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 16:12 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 16:12 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 16:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 16:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 16:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 16:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-12 22:15 --------- d-----w C:\Program Files\Opera
2008-02-12 17:37 --------- d-----w C:\ProgramData\NVIDIA
2008-02-08 04:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-13 21:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 22:51 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-10 22:51 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 21:34 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-10 21:34 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-10 21:33 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-12-17 23:44 219,664 ----a-w C:\Windows\System32\klogon.dll
2007-12-14 10:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-12-12 16:04 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 16:04 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 16:04 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-11 17:52 356,352 ----a-w C:\Windows\System32\nvuninst.exe
2007-08-30 14:25 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 22:33 1232896]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-12 02:01 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [2007-03-20 13:36 36864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34 868352]
"ClientGW"="" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
"Gainward"="C:\Windows\TBPanel.exe" [2007-03-23 09:32 2173744]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"eSnips"="D:\Program Files\eSnips\ClientGW.exe" [2007-09-16 12:04 720896]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-05-23 11:23 380928]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BF1CC96C-0554-42B5-B49B-583885904C9B}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)|Edge=TRUE|
"TCP Query User{2FA52F40-18C6-42DE-98C9-007977A25D3F}F:\program\utorrent.exe"= UDP:F:\program\utorrent.exe:utorrent|Desc=utorrent
"UDP Query User{19856BEB-420A-48A1-874C-7CA62DACA5A8}F:\program\utorrent.exe"= TCP:F:\program\utorrent.exe:utorrent|Desc=utorrent
"TCP Query User{13041FFB-C315-4FF1-8186-DC6DBA4EA858}E:\alfa\torrenter\utorrent.exe"= UDP:E:\alfa\torrenter\utorrent.exe:utorrent|Desc=utorrent
"UDP Query User{A42F802B-856A-4036-89ED-1FE64003843E}E:\alfa\torrenter\utorrent.exe"= TCP:E:\alfa\torrenter\utorrent.exe:utorrent|Desc=utorrent
"TCP Query User{CB94F7E1-7416-417C-90F2-E3C2310858A3}H:\program\dc++\dcplusplus.exe"= UDP:H:\program\dc++\dcplusplus.exe:DC++|Desc=DC++
"UDP Query User{951C22E3-E9F3-4FBF-8C04-F6907736A904}H:\program\dc++\dcplusplus.exe"= TCP:H:\program\dc++\dcplusplus.exe:DC++|Desc=DC++
"{AFE267D8-DFD0-42BD-9906-29994A0A9225}"= TCP:67:DHCP Discovery Service
"{5A07C521-38D5-478E-A106-4623B38FD94F}"= TCP:67:DHCP Discovery Service
"{2C0A12C8-52D1-4D5C-B30A-5E80BA153619}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BCCCF145-BA70-416C-9FF5-68E3CAA39316}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9615CCC4-78BB-4883-8B7B-8BEFACD36267}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6897F961-BD3F-48E5-B446-3EAA4ED4F77A}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6589B385-9B80-4593-8FFB-B88F6781ADCF}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1F483068-1E25-403E-A3A5-1500EE22C073}"= UDP:C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{7D4050D0-7498-44CA-88F0-95264840C161}"= TCP:C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{8B649CF2-660B-428B-9557-A724C980BB43}"= UDP:C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service
"{5F8B8096-1B29-4E60-9801-0C40889F2838}"= TCP:C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service
"TCP Query User{6564CE08-4BF8-4C12-96A7-09C0072A3FB3}C:\users\karin\desktop\utorrent.exe"= UDP:C:\users\karin\desktop\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{48F40CBD-8A6C-4AF9-8207-1F30059FCC9A}C:\users\karin\desktop\utorrent.exe"= TCP:C:\users\karin\desktop\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"TCP Query User{4DBD5268-6159-4627-8808-953CE1B54CBB}D:\program files\dc++\dcplusplus.exe"= UDP:D:\program files\dc++\dcplusplus.exe:DC++|Desc=DC++
"UDP Query User{F8487598-7A9F-47EC-9DA3-06758A665FDE}D:\program files\dc++\dcplusplus.exe"= TCP:D:\program files\dc++\dcplusplus.exe:DC++|Desc=DC++
"TCP Query User{F68C2FD5-8F1A-4C19-8FB0-53D0581F781C}D:\kav\kav7.0\english\setup.exe"= UDP:D:\kav\kav7.0\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup|Desc=Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{CD42146A-89B4-44C3-871B-4185E6C7D9DD}D:\kav\kav7.0\english\setup.exe"= TCP:D:\kav\kav7.0\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup|Desc=Kaspersky Anti-Virus 7.0 Setup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 Pnp680;SiI 680 ATA Controller;C:\Windows\system32\DRIVERS\pnp680.sys [2007-06-28 16:01]
R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\Windows\system32\DRIVERS\pnp680r.sys [2007-07-19 23:44]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-10-16 11:05]
R2 ASDR;ASDR;C:\Windows\System32\ASDR.exe [2007-03-20 16:16]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\Windows\system32\drivers\asusgsb.sys [2007-05-23 11:23]
R3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\Windows\system32\DRIVERS\AsusVRC.sys [2007-01-29 16:12]
R3 atkdisplf;ASUS Kernel Mode Enhanced Driver;C:\Windows\system32\drivers\ATKDispLowFilter.sys [2007-05-23 11:23]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-01-25 16:46]
S2 ATKFUSService;ATK Fast User Switch Service;C:\Windows\system32\ATKFUSService.exe [2007-05-23 11:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cda5c775-c680-11db-9c2f-806e6f6e6963}]
\shell\AutoRun\command - I:\ASUSACPI.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 20:07:30 C:\Windows\Tasks\User_Feed_Synchronization-{B1246932-49D6-42FC-8B5E-230A4A1B45B1}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 15:17:15
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 15:26:53
ComboFix-quarantined-files.txt 2008-02-23 14:26:47
.
2008-02-19 21:44:04 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:27, on 2008-03-12
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - D:\Program Files\eSnips\SnipBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gainward] C:\Windows\TBPanel.exe /A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [eSnips] "D:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Snip to my eSnips account - D:\Program Files\eSnips\res\SnipIt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F8F150-E4DB-47B6-BBE8-ADBB929CE4D7}: NameServer = 81.88.9.218
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASDR - Unknown owner - C:\Windows\System32\ASDR.exe
O23 - Service: ATK Fast User Switch Service (ATKFUSService) - ASUSTeK COMPUTER INC. - C:\Windows\system32\ATKFUSService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - F:\Program\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 8255 bytes


Here it comes. I removed Uniblue. Never used it for fixing - just scanned.

#6 Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 13 March 2008 - 01:42 PM

Hey niraknirak,

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\error.htm
    C:\infect.htm
    
    Suspect::
    C:\Windows\System32\ASDR.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ClientGW"=-
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.

    Please include a link to this topic in the message.
Step #2

Please download Malwarebytes' Anti-Malware from Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step #3

Please post back with the ComboFix log and the Malwarebytes' Antimalware log. Thanks.



#7 niraknirak

niraknirak
  • Topic Starter

  • Members
  • 10 posts

Posted 13 March 2008 - 02:56 PM

Malwarebytes was easy to download but after installing it I get the message " Error code 707 (0)" and it refuses to run. It works fine on my second computer.

"Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file via the html page that should popup after running ComboFix.

Please include a link to this topic in the message."

I get the zip file but not the html page. When I unzip the zip file I find this text file:

"file copied: C:\Windows\System32\ASDR.exe -> C:\Windows\System32\ASDR.exe.vir ( 61440 bytes )
file zipped: C:\Windows\System32\ASDR.exe.vir -> catchme.zip -> ASDR.exe.vir ( 61440 bytes )
PE file "C:\Windows\System32\ASDR.exe.vir" killed successfully "

I rescanned and got this file:
ComboFix 08-03-10.1 - Karin 2008-03-13 20:18:13.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1053.18.1282 [GMT 1:00]
Running from: C:\Users\Karin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\error.htm
C:\infect.htm

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 11:41 . 2007-12-16 23:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-03-12 11:41 . 2007-12-16 10:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-02-24 11:56 . 2008-03-12 17:53 <KAT> d-------- C:\Users\Karin\.housecall6.6
2008-02-24 11:43 . 2008-03-13 20:16 <KAT> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-24 11:42 . 2008-02-24 11:42 <KAT> d-------- C:\Users\Karin\AppData\Roaming\Download Manager
2008-02-22 23:11 . 2008-02-22 23:11 126 --a------ C:\Windows\wininit.ini
2008-02-21 21:30 . 2008-02-21 23:59 <KAT> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-21 21:30 . 2008-02-21 23:59 <KAT> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-21 21:30 . 2008-02-21 21:30 <KAT> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 21:16 . 2008-02-21 21:16 <KAT> d-------- C:\Program Files\Microsoft Silverlight
2008-02-21 20:22 . 2008-02-21 20:22 <KAT> d-------- C:\Program Files\Trend Micro
2008-02-20 17:14 . 2008-02-20 17:21 91,700 --a------ C:\Windows\System32\drivers\klin.dat
2008-02-20 17:14 . 2008-02-20 17:14 85,860 --a------ C:\Windows\System32\drivers\klick.dat
2008-02-20 17:12 . 2008-03-13 20:06 <KAT> d-------- C:\Users\All Users\Kaspersky Lab
2008-02-20 17:12 . 2008-03-13 20:06 <KAT> d-------- C:\ProgramData\Kaspersky Lab
2008-02-20 17:12 . 2008-02-20 17:12 <KAT> d-------- C:\Program Files\Kaspersky Lab
2008-02-20 17:12 . 2008-03-13 20:04 75,634,976 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-02-20 17:12 . 2008-03-13 20:04 896,300 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-02-20 17:11 . 2008-02-20 17:11 <KAT> d-------- C:\kav
2008-02-19 08:20 . 2008-02-19 08:20 54,156 --ah----- C:\Windows\QTFont.qfn
2008-02-19 08:20 . 2008-02-19 08:20 1,409 --a------ C:\Windows\QTFont.for
2008-02-17 22:08 . 2008-02-17 22:08 <KAT> d-------- C:\Program Files\Lavasoft
2008-02-16 11:26 . 2008-01-10 06:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-13 17:18 . 2008-02-13 17:18 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 17:18 . 2008-02-13 17:18 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 17:13 . 2008-02-13 17:13 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-13 17:13 . 2008-02-13 17:13 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-13 17:13 . 2008-02-13 17:13 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-13 17:13 . 2008-02-13 17:13 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-13 17:13 . 2008-02-13 17:13 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-13 17:13 . 2008-02-13 17:13 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-13 17:13 . 2008-02-13 17:13 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-02-13 17:12 . 2008-02-13 17:12 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 17:12 . 2008-02-13 17:12 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-13 17:12 . 2008-02-13 17:12 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-13 17:12 . 2008-02-13 17:12 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-13 17:12 . 2008-02-13 17:12 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-13 17:12 . 2008-02-13 17:12 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-13 17:12 . 2008-02-13 17:12 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-13 17:03 . 2008-02-13 17:03 1,383,424 --a------ C:\Windows\System32\mshtml.tlb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 20:03 --------- d-----w C:\Users\Karin\AppData\Roaming\uTorrent
2008-03-12 16:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-12 16:06 --------- d-----w C:\Program Files\Windows Mail
2008-03-09 20:02 --------- d-----w C:\Program Files\Java
2008-02-20 16:06 --------- d-----w C:\Program Files\F-Secure Internet Security
2008-02-20 16:03 --------- d-----w C:\ProgramData\F-Secure
2008-02-17 21:09 --------- d-----w C:\ProgramData\Lavasoft
2008-02-17 21:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 16:12 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 16:12 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 16:12 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 16:12 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 16:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 16:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 16:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 16:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-12 22:15 --------- d-----w C:\Program Files\Opera
2008-02-12 17:37 --------- d-----w C:\ProgramData\NVIDIA
2008-02-10 20:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-08 04:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-25 15:46 106,496 ----a-w C:\Windows\system32\drivers\Rtlh86.sys
2008-01-13 21:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 21:33 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-12-17 23:44 219,664 ----a-w C:\Windows\System32\klogon.dll
2007-12-14 10:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-08-30 14:25 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 22:33 1232896]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Uniblue RegistryBooster 2"="c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-12 02:01 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [2007-03-20 13:36 36864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34 868352]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
"Gainward"="C:\Windows\TBPanel.exe" [2007-03-23 09:32 2173744]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"eSnips"="D:\Program Files\eSnips\ClientGW.exe" [2007-09-16 12:04 720896]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-05-23 11:23 380928]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BF1CC96C-0554-42B5-B49B-583885904C9B}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)|Edge=TRUE|
"TCP Query User{2FA52F40-18C6-42DE-98C9-007977A25D3F}F:\program\utorrent.exe"= UDP:F:\program\utorrent.exe:utorrent|Desc=utorrent
"UDP Query User{19856BEB-420A-48A1-874C-7CA62DACA5A8}F:\program\utorrent.exe"= TCP:F:\program\utorrent.exe:utorrent|Desc=utorrent
"TCP Query User{13041FFB-C315-4FF1-8186-DC6DBA4EA858}E:\alfa\torrenter\utorrent.exe"= UDP:E:\alfa\torrenter\utorrent.exe:utorrent|Desc=utorrent
"UDP Query User{A42F802B-856A-4036-89ED-1FE64003843E}E:\alfa\torrenter\utorrent.exe"= TCP:E:\alfa\torrenter\utorrent.exe:utorrent|Desc=utorrent
"TCP Query User{CB94F7E1-7416-417C-90F2-E3C2310858A3}H:\program\dc++\dcplusplus.exe"= UDP:H:\program\dc++\dcplusplus.exe:DC++|Desc=DC++
"UDP Query User{951C22E3-E9F3-4FBF-8C04-F6907736A904}H:\program\dc++\dcplusplus.exe"= TCP:H:\program\dc++\dcplusplus.exe:DC++|Desc=DC++
"{AFE267D8-DFD0-42BD-9906-29994A0A9225}"= TCP:67:DHCP Discovery Service
"{5A07C521-38D5-478E-A106-4623B38FD94F}"= TCP:67:DHCP Discovery Service
"{2C0A12C8-52D1-4D5C-B30A-5E80BA153619}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BCCCF145-BA70-416C-9FF5-68E3CAA39316}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9615CCC4-78BB-4883-8B7B-8BEFACD36267}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6897F961-BD3F-48E5-B446-3EAA4ED4F77A}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6589B385-9B80-4593-8FFB-B88F6781ADCF}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1F483068-1E25-403E-A3A5-1500EE22C073}"= UDP:C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{7D4050D0-7498-44CA-88F0-95264840C161}"= TCP:C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{8B649CF2-660B-428B-9557-A724C980BB43}"= UDP:C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service
"{5F8B8096-1B29-4E60-9801-0C40889F2838}"= TCP:C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service
"TCP Query User{6564CE08-4BF8-4C12-96A7-09C0072A3FB3}C:\users\karin\desktop\utorrent.exe"= UDP:C:\users\karin\desktop\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{48F40CBD-8A6C-4AF9-8207-1F30059FCC9A}C:\users\karin\desktop\utorrent.exe"= TCP:C:\users\karin\desktop\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"TCP Query User{4DBD5268-6159-4627-8808-953CE1B54CBB}D:\program files\dc++\dcplusplus.exe"= UDP:D:\program files\dc++\dcplusplus.exe:DC++|Desc=DC++
"UDP Query User{F8487598-7A9F-47EC-9DA3-06758A665FDE}D:\program files\dc++\dcplusplus.exe"= TCP:D:\program files\dc++\dcplusplus.exe:DC++|Desc=DC++
"TCP Query User{F68C2FD5-8F1A-4C19-8FB0-53D0581F781C}D:\kav\kav7.0\english\setup.exe"= UDP:D:\kav\kav7.0\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup|Desc=Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{CD42146A-89B4-44C3-871B-4185E6C7D9DD}D:\kav\kav7.0\english\setup.exe"= TCP:D:\kav\kav7.0\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup|Desc=Kaspersky Anti-Virus 7.0 Setup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 Pnp680;SiI 680 ATA Controller;C:\Windows\system32\DRIVERS\pnp680.sys [2007-06-28 16:01]
R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\Windows\system32\DRIVERS\pnp680r.sys [2007-07-19 23:44]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-10-16 11:05]
R2 ASDR;ASDR;C:\Windows\System32\ASDR.exe [2007-03-20 16:16]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\Windows\system32\drivers\asusgsb.sys [2007-05-23 11:23]
R3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\Windows\system32\DRIVERS\AsusVRC.sys [2007-01-29 16:12]
R3 atkdisplf;ASUS Kernel Mode Enhanced Driver;C:\Windows\system32\drivers\ATKDispLowFilter.sys [2007-05-23 11:23]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-01-25 16:46]
S2 ATKFUSService;ATK Fast User Switch Service;C:\Windows\system32\ATKFUSService.exe [2007-05-23 11:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cda5c775-c680-11db-9c2f-806e6f6e6963}]
\shell\AutoRun\command - I:\ASUSACPI.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 21:28:33 C:\Windows\Tasks\User_Feed_Synchronization-{B1246932-49D6-42FC-8B5E-230A4A1B45B1}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 20:19:57
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 20:29:32
ComboFix-quarantined-files.txt 2008-03-13 19:29:26
ComboFix2.txt 2008-02-23 14:26:54
.
2008-03-13 18:52:18 --- E O F ---




What's next?
niraknirak

#8 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 14 March 2008 - 12:39 PM

Hey niraknirak,

I get the zip file but not the html page. When I unzip the zip file I find this text file:

Please delete all unzipped items and do the following:

Step #1

Please go to the Malware Upload Channel and upload the following file by reproducing the below steps:
  • Please enter the link to the topic in the text box next to: Link to topic where this file was requested:
  • Then click "Browse" on the line below and navigate to the following file:

    Submit [Date Time].zip (the file path should now appear in the text box next to the browse button; locate the previously zipped file)

  • In the comment section, please make a note that I asked you to upload the file here: Yourhighness
Please let me know when the submission has finished. Thanks.

Step #2

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Malwarebytes' Antimalware

Step #3
  • Open notepad and copy/paste the text in the codebox below into it:

    Folder::
    C:\Program Files\Malwarebytes' Anti-Malware
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Uniblue RegistryBooster 2"=-
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.
Step #4

Have Malwarebytes' Antimalware installed again and let me know if it works now.

Step #5

Once you have done this please create an uninstall list:
  • Start HiJackThis
  • Press 'Config'
  • Press 'Misc Tools'
  • Press 'Open Uninstall Manager'
  • Press 'Save List'
  • Save the log to a convenient location
Step #6

Please post back with the ComboFix log, the Malwarebytes' Antimalware log and the Uninstall list. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#9 niraknirak

niraknirak
  • Topic Starter

  • Members
  • 10 posts

Posted 14 March 2008 - 04:19 PM

file uploaded as asked for

#10 niraknirak

niraknirak
  • Topic Starter

  • Members
  • 10 posts

Posted 14 March 2008 - 04:41 PM

I get the same error message after installing Malwarebytes' Antimalware - error code 707(0).
Uninstall list:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Apple Software Update
ASUS Smart Doctor
ASUS VideoSecurity Online
ASUSUpdate
Center för Windows Mobile-enheter
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
DC++ 0.699
DivX Codec
DivX Player
eSnips
Eudora
EXPERTool
Google Earth
HijackThis 2.0.2
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
JMB36X Raid Configurer
Kaspersky Anti-Virus 7.0
Kaspersky Anti-Virus 7.0
LucasArts' Curse of Monkey Island
LucasArts' Monkey 4
Microsoft Office Access MUI (Swedish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Swedish) 2007
Microsoft Office Groove MUI (Swedish) 2007
Microsoft Office InfoPath MUI (Swedish) 2007
Microsoft Office OneNote MUI (Swedish) 2007
Microsoft Office Outlook MUI (Swedish) 2007
Microsoft Office PowerPoint MUI (Swedish) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (Finnish) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Swedish) 2007
Microsoft Office Proofing (Swedish) 2007
Microsoft Office Publisher MUI (Swedish) 2007
Microsoft Office Shared MUI (Swedish) 2007
Microsoft Office Word MUI (Swedish) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
muvee autoProducer 3.5 magicMoments
muvee autoProducer 5.0
MySQL Connector/ODBC 3.51
neroxml
NVIDIA Drivers
Opera 9.25
PC Probe II
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
ScummVM 0.10.0
SeaTools for Windows
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
SoundMAX
Spybot - Search & Destroy
System Requirements Lab
THE SETTLERS - Heritage of Kings
The Settlers II - 10th Anniversary
Update for Outlook 2007 Junk Email Filter (kb947945)
Uppdatering av drivrutin för Center för Windows Mobile-enheter
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Resource Kit Tools
WinRAR archiver
XviD MPEG-4 Video Codec
ZEN V Series Media Explorer
ZENcast Organizer

Combofix:
ComboFix 08-03-10.1 - Karin 2008-03-14 22:23:05.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1053.18.1084 [GMT 1:00]
Running from: C:\Users\Karin\Desktop\ComboFix.exe
Command switches used :: C:\Users\Karin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-12 11:41 . 2007-12-16 23:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-03-12 11:41 . 2007-12-16 10:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-02-24 11:56 . 2008-03-12 17:53 <KAT> d-------- C:\Users\Karin\.housecall6.6
2008-02-24 11:42 . 2008-02-24 11:42 <KAT> d-------- C:\Users\Karin\AppData\Roaming\Download Manager
2008-02-22 23:11 . 2008-02-22 23:11 126 --a------ C:\Windows\wininit.ini
2008-02-21 21:30 . 2008-02-21 23:59 <KAT> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-21 21:30 . 2008-02-21 23:59 <KAT> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-21 21:30 . 2008-02-21 21:30 <KAT> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 21:16 . 2008-02-21 21:16 <KAT> d-------- C:\Program Files\Microsoft Silverlight
2008-02-21 20:22 . 2008-02-21 20:22 <KAT> d-------- C:\Program Files\Trend Micro
2008-02-20 17:14 . 2008-02-20 17:21 91,700 --a------ C:\Windows\System32\drivers\klin.dat
2008-02-20 17:14 . 2008-02-20 17:14 85,860 --a------ C:\Windows\System32\drivers\klick.dat
2008-02-20 17:12 . 2008-03-14 18:13 <KAT> d-------- C:\Users\All Users\Kaspersky Lab
2008-02-20 17:12 . 2008-03-14 18:13 <KAT> d-------- C:\ProgramData\Kaspersky Lab
2008-02-20 17:12 . 2008-02-20 17:12 <KAT> d-------- C:\Program Files\Kaspersky Lab
2008-02-20 17:12 . 2008-03-13 22:45 75,634,976 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-02-20 17:12 . 2008-03-13 22:45 915,068 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-02-20 17:11 . 2008-02-20 17:11 <KAT> d-------- C:\kav
2008-02-19 08:20 . 2008-02-19 08:20 54,156 --ah----- C:\Windows\QTFont.qfn
2008-02-19 08:20 . 2008-02-19 08:20 1,409 --a------ C:\Windows\QTFont.for
2008-02-17 22:08 . 2008-02-17 22:08 <KAT> d-------- C:\Program Files\Lavasoft
2008-02-16 11:26 . 2008-01-10 06:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 20:39 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-13 20:31 --------- d-----w C:\ProgramData\Firefly Studios
2008-03-13 20:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-13 20:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 20:28 --------- d-----w C:\Program Files\ASUS
2008-03-12 20:03 --------- d-----w C:\Users\Karin\AppData\Roaming\uTorrent
2008-03-12 16:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-12 16:06 --------- d-----w C:\Program Files\Windows Mail
2008-03-09 20:02 --------- d-----w C:\Program Files\Java
2008-02-20 16:06 --------- d-----w C:\Program Files\F-Secure Internet Security
2008-02-20 16:03 --------- d-----w C:\ProgramData\F-Secure
2008-02-17 21:09 --------- d-----w C:\ProgramData\Lavasoft
2008-02-13 16:18 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 16:18 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 16:13 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-13 16:13 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 16:13 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 16:13 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-13 16:13 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-02-13 16:13 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 16:13 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-13 16:12 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 16:12 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 16:12 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 16:12 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 16:12 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 16:12 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 16:12 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 16:12 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 16:12 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 16:12 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 16:12 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-13 16:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 16:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 16:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 16:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-12 22:15 --------- d-----w C:\Program Files\Opera
2008-02-12 17:37 --------- d-----w C:\ProgramData\NVIDIA
2008-02-10 20:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-08 04:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-25 15:46 106,496 ----a-w C:\Windows\system32\drivers\Rtlh86.sys
2008-01-10 21:33 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-12-17 23:44 219,664 ----a-w C:\Windows\System32\klogon.dll
2007-12-14 10:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-08-30 14:25 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 22:33 1232896]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-12 02:01 1006264]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [2007-03-20 13:36 36864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34 868352]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
"Gainward"="C:\Windows\TBPanel.exe" [2007-03-23 09:32 2173744]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"eSnips"="D:\Program Files\eSnips\ClientGW.exe" [2007-09-16 12:04 720896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BF1CC96C-0554-42B5-B49B-583885904C9B}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)|Edge=TRUE|
"{AFE267D8-DFD0-42BD-9906-29994A0A9225}"= TCP:67:DHCP Discovery Service
"{5A07C521-38D5-478E-A106-4623B38FD94F}"= TCP:67:DHCP Discovery Service
"{2C0A12C8-52D1-4D5C-B30A-5E80BA153619}"= Disabled:TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{1F483068-1E25-403E-A3A5-1500EE22C073}"= UDP:C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{7D4050D0-7498-44CA-88F0-95264840C161}"= TCP:C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{8B649CF2-660B-428B-9557-A724C980BB43}"= UDP:C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service
"{5F8B8096-1B29-4E60-9801-0C40889F2838}"= TCP:C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service
"TCP Query User{6564CE08-4BF8-4C12-96A7-09C0072A3FB3}C:\users\karin\desktop\utorrent.exe"= UDP:C:\users\karin\desktop\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{48F40CBD-8A6C-4AF9-8207-1F30059FCC9A}C:\users\karin\desktop\utorrent.exe"= TCP:C:\users\karin\desktop\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"TCP Query User{4DBD5268-6159-4627-8808-953CE1B54CBB}D:\program files\dc++\dcplusplus.exe"= UDP:D:\program files\dc++\dcplusplus.exe:DC++|Desc=DC++
"UDP Query User{F8487598-7A9F-47EC-9DA3-06758A665FDE}D:\program files\dc++\dcplusplus.exe"= TCP:D:\program files\dc++\dcplusplus.exe:DC++|Desc=DC++
"TCP Query User{F68C2FD5-8F1A-4C19-8FB0-53D0581F781C}D:\kav\kav7.0\english\setup.exe"= UDP:D:\kav\kav7.0\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup|Desc=Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{CD42146A-89B4-44C3-871B-4185E6C7D9DD}D:\kav\kav7.0\english\setup.exe"= TCP:D:\kav\kav7.0\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup|Desc=Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{CB94F7E1-7416-417C-90F2-E3C2310858A3}H:\program\dc++\dcplusplus.exe"= Disabled:UDP:H:\program\dc++\dcplusplus.exe:DC++|Desc=DC++
"UDP Query User{951C22E3-E9F3-4FBF-8C04-F6907736A904}H:\program\dc++\dcplusplus.exe"= Disabled:TCP:H:\program\dc++\dcplusplus.exe:DC++|Desc=DC++
"{BCCCF145-BA70-416C-9FF5-68E3CAA39316}"= Disabled:UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9615CCC4-78BB-4883-8B7B-8BEFACD36267}"= Disabled:TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6897F961-BD3F-48E5-B446-3EAA4ED4F77A}"= Disabled:UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6589B385-9B80-4593-8FFB-B88F6781ADCF}"= Disabled:TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{2FA52F40-18C6-42DE-98C9-007977A25D3F}F:\program\utorrent.exe"= Disabled:UDP:F:\program\utorrent.exe:utorrent|Desc=utorrent
"UDP Query User{19856BEB-420A-48A1-874C-7CA62DACA5A8}F:\program\utorrent.exe"= Disabled:TCP:F:\program\utorrent.exe:utorrent|Desc=utorrent
"TCP Query User{13041FFB-C315-4FF1-8186-DC6DBA4EA858}E:\alfa\torrenter\utorrent.exe"= Disabled:UDP:E:\alfa\torrenter\utorrent.exe:utorrent|Desc=utorrent
"UDP Query User{A42F802B-856A-4036-89ED-1FE64003843E}E:\alfa\torrenter\utorrent.exe"= Disabled:TCP:E:\alfa\torrenter\utorrent.exe:utorrent|Desc=utorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 Pnp680;SiI 680 ATA Controller;C:\Windows\system32\DRIVERS\pnp680.sys [2007-06-28 16:01]
R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\Windows\system32\DRIVERS\pnp680r.sys [2007-07-19 23:44]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-10-16 11:05]
R2 ASDR;ASDR;C:\Windows\System32\ASDR.exe [2007-03-20 16:16]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\Windows\system32\DRIVERS\AsusVRC.sys [2007-01-29 16:12]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-01-25 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cda5c775-c680-11db-9c2f-806e6f6e6963}]
\shell\AutoRun\command - I:\ASUSACPI.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-13 21:41:23 C:\Windows\Tasks\User_Feed_Synchronization-{B1246932-49D6-42FC-8B5E-230A4A1B45B1}.job"
- C:\Windows\system32\msfeedssync.exe
.

thanks

#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 15 March 2008 - 05:48 AM

Hey niraknirak,

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case DC++ 0.699). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so it is suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #1

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: J2SE Runtime Environment 5.0 Update 11, Java™ 6 Update 2, Java™ 6 Update 3, Java™ SE Runtime Environment 6 Update 1

Step #2

Please do another scan with Kaspersky and post back with its log and a fresh HijackThis log. Thanks.

Edited by Yourhighness, 15 March 2008 - 05:49 AM.



#12 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 15 March 2008 - 12:09 PM

As for the Malwarebytes' Antimalware, since you are running Vista - make sure you are running the installer with right-click and run as administrator. Additionally have a look at the following please: "Microsoft Visual Basic 6 Common Controls download"

Thanks.



#13 niraknirak

niraknirak
  • Topic Starter

  • Members
  • 10 posts

Posted 15 March 2008 - 08:37 PM

I did uninstall DC++ and removed it from the firewall.
No way I can install Malwarebytes' Antimalware. I run it as an administrator, I upgraded the "Microsoft Visual Basic 6 Common Controls" download, and I get the same error.

I ran a scan with Kaspersky but I cannot find a log file. I first ran a scan on the computer in safe mode and found this:
detected: virus Heur.Invader (modification) File: c:\users\karin\desktop\combofix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe

In safe mode Kaspersky will not scan startup objects, but when I ran a scan later I had the same result - it finds this ComboFix file and identifies it as a threat. Why?

This is the latest hijackthis file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:03, on 2008-03-16
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
D:\Program Files\eSnips\ClientGW.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - D:\Program Files\eSnips\SnipBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gainward] C:\Windows\TBPanel.exe /A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [eSnips] "D:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Snip to my eSnips account - D:\Program Files\eSnips\res\SnipIt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F8F150-E4DB-47B6-BBE8-ADBB929CE4D7}: NameServer = 81.88.9.218
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASDR - Unknown owner - C:\Windows\System32\ASDR.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 7713 bytes

Tricky?
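
The HijackThis log above is the kind of thing the helpers in this thread read by eye. As an added example (not part of the thread, and not a HijackThis or BleepingComputer tool), here is a small Python script that parses HijackThis v2 lines into records and flags the categories a reviewer looks at first: services with no vendor, autostarts in user-writable folders, custom DNS servers, downloaded ActiveX controls and AppInit_DLLs. The sample log is a handful of lines copied from the log above plus one constructed O4 line; the flagging rules, names and thresholds are my own heuristics.

```python
"""Triage helper for HijackThis v2 log lines (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# A HijackThis entry looks like "O23 - Service: Name - Vendor - C:\path\svc.exe".
ENTRY_RE = re.compile(r"^(?P<kind>[ORF]\d{1,2}) - (?P<body>.+)$")
# Recover the first Windows path ending in a binary-like extension from the body.
PATH_RE = re.compile(r"(?i)([A-Z]:\\[^\"|,]*?\.(?:exe|dll|sys|cab|ocx|scr))")
# Folders in which a legitimate autostart rarely lives (user-writable locations).
USER_WRITABLE = ("\\desktop\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass
class Entry:
    kind: str            # section tag, e.g. "O4" or "O23"
    body: str            # everything after "O4 - "
    path: Optional[str]  # executable/DLL path, when one could be recovered


@dataclass
class Finding:
    kind: str
    reason: str
    body: str


def parse_log(text: str) -> List[Entry]:
    """Turn raw HijackThis log text into Entry records; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("kind"), body, pm.group(1) if pm else None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few review rules (my own heuristics, not HijackThis's) and return the hits."""
    findings = []
    for e in entries:
        path = (e.path or "").lower()
        if e.kind == "O23" and "Unknown owner" in e.body:
            # Services normally carry a vendor name; an unknown owner deserves a look.
            findings.append(Finding(e.kind, "service without a recognised vendor", e.body))
        elif e.kind == "O4" and any(tag in path for tag in USER_WRITABLE):
            # Autostart entries pointing into profile or temp folders are a classic red flag.
            findings.append(Finding(e.kind, "autostart from a user-writable location", e.body))
        elif e.kind == "O17":
            # Custom NameServer entries should match the ISP; otherwise DNS may be hijacked.
            findings.append(Finding(e.kind, "custom DNS server; confirm it belongs to your ISP", e.body))
        elif e.kind == "O16":
            # Downloaded Program Files: an ActiveX control fetched from a web site.
            findings.append(Finding(e.kind, "ActiveX control downloaded from an external site", e.body))
        elif e.kind == "O20":
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append(Finding(e.kind, "AppInit_DLLs entry injects into every GUI process", e.body))
    return findings


# Sample input: lines copied from the thread's log, plus one constructed O4 line
# ("[Constructed] ... AppData\Roaming\sample.exe") to exercise the user-writable rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Constructed] "C:\Users\Karin\AppData\Roaming\sample.exe"
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F8F150-E4DB-47B6-BBE8-ADBB929CE4D7}: NameServer = 81.88.9.218
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: ASDR - Unknown owner - C:\Windows\System32\ASDR.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.kind}: {f.reason}\n    {f.body}")
```

A hit only means "look here first"; the Kaspersky AppInit hook and the ISP's DNS server in the sample are examples of entries that get flagged and then cleared on inspection.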

#14 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 16 March 2008 - 05:47 AM

Hey niraknirak,

Once the scan is complete it will display if your system has been infected.
->Now click on the Save as Text button and save it to the desktop.

The detection of the ComboFix file is what is called a false-positive and you should not worry about it.

Step #1

Please do an online scan with Kaspersky Webscan (You need to use Internet Explorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan" select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #2

Please post back with the Kaspersky log. Thanks.



#15 niraknirak

niraknirak
  • Topic Starter

  • Members
  • 10 posts

Posted 16 March 2008 - 12:00 PM

Good idea, but no.
My computer lets me install the IE view for Firefox (my Internet Explorer is dead, gone and refuses to be reached - that was my number one problem; the second one was that my computer refuses to recognise my DVD burner. Seen in BIOS but not anywhere else).

When I try to accept the scan to install files it tries to open an Internet Explorer page and Internet Explorer will not open.

I have a laptop and could run a scan on this computer from that one. Just give me a clue how to share all of the computer.
Thanks



