Infected With Vundo Trojan


10 replies to this topic

#1 Shadow_Dancers

Posted 04 March 2008 - 04:02 PM

I've been infected with the Vundo trojan for about a week now and VundoFix and VirtuMundoBegone have not worked (tried twice in safe mode). It seems that Vundo is downloading other trojans (Metajuan and Awax) into my system (That's actually merely an assumption).

I have renamed the HJT file to Scanner.exe to prevent vundo from possibly hiding itself. Symantec Antivirus and Ad-Aware 2007 have been used multiple times, but they can only clean the trojan temporarily.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:00 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Note: my default browser is actually Firefox.
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 205.238.40.51 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.224.20 test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C0F2943-81AA-4BE4-A06B-0EF89B2D9E54} - C:\WINDOWS\system32\pmnnk.dll
O2 - BHO: (no name) - {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} - C:\WINDOWS\system32\rqroomm.dll
O2 - BHO: (no name) - {3ABDB789-EBA5-4C35-AC3C-C1C8E5D5BE92} - C:\Program Files\folder.htt\poryb89104.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F6DDD677-149C-42FE-AB2F-4699B7DB1949} - C:\Program Files\desktop.ini\poryb89104.dll (file missing)
O2 - BHO: {1de1a7b6-1add-4b79-46d4-7d3b8767ddef} - {fedd7678-b3d7-4d64-97b4-dda16b7a1ed1} - C:\WINDOWS\system32\cqieuaqg.dll
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [45ac0860] rundll32.exe "C:\WINDOWS\system32\bkvgproa.dll",b
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\ABITEQ\ABITEQ.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA0DC175-240B-41F3-9377-28FA66B04E48}: NameServer = 24.200.241.37
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O20 - Winlogon Notify: rqroomm - C:\WINDOWS\SYSTEM32\rqroomm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 9577 bytes
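The log above is the raw material a helper reads. As an added example (not part of the thread and not a HijackThis component), the following Python script parses HJT entry lines and flags the patterns visible in this log that matter most when Vundo is suspected: altered hosts mappings (O1), BHOs registered without a name (O2), a hex-named Run value loading a DLL through rundll32 (O4), and a DLL that is registered both as a BHO and as a Winlogon Notify handler (O2 plus O20). The sample lines are copied from the log posted above; the section names and heuristics are the script's own.

```python
"""Triage helper for Trend Micro HijackThis v2.0.2 logs (added example).

Parses the "Oxx - ..." entry lines and reports the patterns a helper looks at
first when Vundo is suspected. It is a reading aid for a log, not a cleaner:
every finding still needs a human to confirm it against the full log.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
DLL_RE = re.compile(r"([\w~-]+\.dll)", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
HEX8_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)

# Constructed sample: lines copied from the first HJT log in the thread
# (one hosts line, a legitimate BHO, the unnamed BHOs, two legitimate Run
# values, the hex-named Run value, and the Winlogon Notify hook).
SAMPLE_LOG = r"""
O1 - Hosts: 205.238.40.51 www.winmx.com err.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C0F2943-81AA-4BE4-A06B-0EF89B2D9E54} - C:\WINDOWS\system32\pmnnk.dll
O2 - BHO: (no name) - {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} - C:\WINDOWS\system32\rqroomm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [45ac0860] rundll32.exe "C:\WINDOWS\system32\bkvgproa.dll",b
O20 - Winlogon Notify: rqroomm - C:\WINDOWS\SYSTEM32\rqroomm.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, line) for every HJT entry line; headers and
    the 'Running processes' list do not match the entry pattern and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), raw.strip()))
    return entries


def dll_basename(body):
    """Lower-cased DLL file name referenced by an entry body, or None."""
    m = DLL_RE.search(body)
    return m.group(1).lower() if m else None


def triage(text):
    """Return the Findings for a log, in the order the entries appear."""
    entries = parse_entries(text)
    findings = []
    # Collect every DLL registered as a BHO so O20 entries can be cross-checked.
    bho_dlls = {dll_basename(b) for s, b, _ in entries if s == "O2"}
    for section, body, line in entries:
        if section == "O1":
            # HJT prints only non-default hosts mappings, so any O1 line means
            # name resolution for those hosts is overridden on this machine.
            findings.append(Finding(section, "hosts file mapping present", line))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, "BHO registered without a name", line))
        elif section == "O4" and "rundll32" in body.lower():
            # Legitimate vendors name their Run values; a bare 8-hex-digit name
            # that hands a DLL to rundll32 is the pattern seen in the log above.
            name = RUN_NAME_RE.search(body)
            if name and HEX8_RE.match(name.group(1)):
                findings.append(Finding(section, "hex-named Run value loads a DLL via rundll32", line))
        elif section == "O20" and "Winlogon Notify" in body:
            dll = dll_basename(body)
            if dll in bho_dlls:
                findings.append(Finding(section, "DLL is both a BHO and a Winlogon Notify handler", line))
            else:
                findings.append(Finding(section, "Winlogon Notify handler (loads before logon completes)", line))
    return findings


def summarize(text):
    """Findings per section; useful for comparing a log before and after a fix."""
    counts = {}
    for f in triage(text):
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
    print(summarize(SAMPLE_LOG))
```

Running it on the second HJT log posted later in the thread should report fewer O2 and no O4 or O20 findings, which is the quick way to check that a cleanup removed the load points rather than just the files.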

#2 Starbuck
  • Malware Response Team

Posted 05 March 2008 - 05:00 PM

Hi Shadow_Dancers,
I will be handling your log and helping you to get cleaned up.

Please take note of the following:

1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Starbuck

#3 Shadow_Dancers

Posted 05 March 2008 - 05:47 PM

Thank you for answering Starbuck!

I have one simple question: after posting my HJT log, I have downloaded the file from Microsoft that allows ComboFix to install the Recovery Console. I did this because I don't know if said console is installed. I have not used ComboFix or even downloaded it though. Will this make any substantial difference as to what will appear in my HJT log?

Thank you,

Shadow_Dancers

#4 Starbuck
  • Malware Response Team

Posted 05 March 2008 - 06:03 PM

because I don't know if said console is installed

If it is installed you should see it as an option when your pc boots up.
But not to worry.... as long as you have installed it, it can only help.
Btw, it doesn't show in your Hjt log.

Speak soon.
Starbuck

#5 Shadow_Dancers

Posted 05 March 2008 - 06:34 PM

Ok, I have no more questions. I guess we can commence the cleaning process :thumbsup:

#6 Starbuck
  • Malware Response Team

Posted 06 March 2008 - 03:04 AM

Hi Shadow_Dancers

Step 1
Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper left corner (Only If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Step 2
Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

When finished, it will produce a log for you. Post that log and a HiJackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. This may cause it to stall.

In your next reply, please submit:
ComboFix.txt
and a new Hjt log.

Thanks.

#7 Shadow_Dancers

Posted 06 March 2008 - 10:42 AM

ComboFix 08-03-05.3 - SCHUTID 2008-03-06 9:26:46.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.869 [GMT -5:00]
Endroit: C:\Documents and Settings\SCHUTID\Bureau\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\network monitor
C:\WINDOWS\BM469f3bfc.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aiqwnbsp.ini
C:\WINDOWS\system32\cavljltj.dll
C:\WINDOWS\system32\cbxxwxx.dll
C:\WINDOWS\system32\ccllsdim.dll
C:\WINDOWS\system32\cqieuaqg.dll
C:\WINDOWS\system32\dexhpkax.ini
C:\WINDOWS\system32\ivtdbpkb.ini
C:\WINDOWS\system32\jrfuhqrf.ini
C:\WINDOWS\system32\jtljlvac.ini
C:\WINDOWS\system32\kenkheel.dll
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\lbjrypbt.ini
C:\WINDOWS\system32\midsllcc.ini
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\nhpebrrm.dll
C:\WINDOWS\system32\ntlewnsy.dll
C:\WINDOWS\system32\p6
C:\WINDOWS\system32\p6\kipon89104.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pboarnfh.dll
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\psbnwqia.dll
C:\WINDOWS\system32\rfahhhdv.ini
C:\WINDOWS\system32\rqroomm.dll
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\woshdsks.dll
C:\WINDOWS\system32\ycubdxpl.ini
C:\WINDOWS\system32\yivcichs.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((((((( Fichiers créés 2008-02-06 to 2008-03-06 ))))))))))))))))))))))))))))))))))))
.

2008-03-06 09:13 . 2008-03-06 09:14 <REP> d-------- C:\Program Files\HostsXpert
2008-03-05 10:14 . 2008-03-05 10:14 1,307,440 ---hs---- C:\WINDOWS\system32\itjfcsbp.ini
2008-03-04 18:50 . 2008-03-05 12:18 <REP> d-------- C:\Documents and Settings\SCHUTID\Application Data\PKWARE
2008-03-04 13:01 . 2008-03-05 10:02 1,307,380 ---hs---- C:\WINDOWS\system32\aorpgvkb.ini
2008-03-03 21:09 . 2008-03-03 21:09 <REP> dr-h----- C:\Documents and Settings\SCHUTID\Application Data\SecuROM
2008-03-03 16:45 . 2008-03-03 16:45 268 --ah----- C:\sqmdata00.sqm
2008-03-03 16:45 . 2008-03-03 16:45 244 --ah----- C:\sqmnoopt00.sqm
2008-03-03 11:50 . 2008-03-04 14:17 <REP> d-------- C:\VundoFix Backups
2008-03-03 07:59 . 2008-03-03 07:59 2,318,370 ---hs---- C:\WINDOWS\system32\lktpoxui.ini
2008-03-03 07:54 . 2008-03-03 10:18 1,307,462 ---hs---- C:\WINDOWS\system32\yiyjyrov.ini
2008-02-27 23:36 . 2008-02-27 23:36 <REP> d-------- C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\Intuit Canada
2008-02-27 23:35 . 2008-02-27 23:52 <REP> d-------- C:\Program Files\ImpotRapide 2007
2008-02-27 23:35 . 2008-02-27 23:35 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-02-27 17:14 . 2008-02-27 17:14 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-02-27 06:43 . 2008-02-27 06:43 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Inspiration Software
2008-02-27 06:36 . 2008-02-27 06:37 1,460,578 ---hs---- C:\WINDOWS\system32\oxqvisul.ini
2008-02-26 20:17 . 2008-02-27 06:24 2,009,174 ---hs---- C:\WINDOWS\system32\crwonlrr.ini
2008-02-25 23:27 . 2008-02-25 23:27 <REP> d-------- C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\PGP Corporation
2008-02-25 23:23 . 2008-02-25 23:36 <REP> d-------- C:\Program Files\Fichiers communs\PGP Corporation
2008-02-25 23:23 . 2008-02-25 23:23 102,352 --a------ C:\WINDOWS\system32\PGPlspRollback.reg
2008-02-25 22:37 . 2008-03-06 09:53 <REP> d-------- C:\Program Files\Symantec AntiVirus
2008-02-25 22:37 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-25 22:37 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-24 20:40 . 2008-02-24 20:40 <REP> d-------- C:\Temp\check
2008-02-23 17:08 . 2008-02-27 19:54 <REP> d-------- C:\Temp
2008-02-23 17:08 . 2006-01-03 17:45 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-02-23 13:51 . 2008-02-23 17:08 134 --a------ C:\n.bat
2008-02-23 13:50 . 2008-02-23 13:50 <REP> d-------- C:\WINDOWS\system32\ap8
2008-02-10 12:39 . 2008-02-17 16:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-10 12:39 . 2008-02-10 12:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-09 15:02 . 2008-02-09 15:02 <REP> d-------- C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\PKWARE
2008-02-09 15:02 . 2008-02-09 15:02 <REP> d-------- C:\Documents and Settings\All Users\Application Data\PKWARE
2008-02-09 15:01 . 2008-02-09 15:01 <REP> d-------- C:\Program Files\PKWARE
2008-02-09 15:01 . 2008-02-09 15:01 <REP> d-------- C:\Program Files\Fichiers communs\PKWARE

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 15:25 --------- d-----w C:\Program Files\Steam
2008-03-04 16:53 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-03-03 21:05 --------- d-----w C:\Program Files\Inspiration 8 IE
2008-02-28 04:35 --------- d-----w C:\Program Files\Fichiers communs\AnswerWorks 4.0
2008-02-28 00:11 5,264 ----a-w C:\WINDOWS\system32\drivers\PROCEXP.SYS
2008-02-26 03:51 --------- d-----w C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\uTorrent
2008-02-26 03:38 --------- d-----w C:\Program Files\Symantec
2008-02-26 03:38 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2008-02-26 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-25 02:35 --------- d-----w C:\Program Files\BaldursGateTutu
2008-02-25 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-25 01:24 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-23 19:54 --------- d-----w C:\Program Files\Picasa2
2008-02-09 23:03 --------- d-----w C:\Program Files\Black Isle
2008-02-09 18:38 --------- d-----w C:\Program Files\Google
2008-02-04 23:06 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-02 18:31 --------- d-----w C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\Canon
2008-02-01 03:38 --------- d-----w C:\Program Files\Maxis
2008-01-09 23:42 --------- d-----w C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\Inspiration Software
2008-01-07 23:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-22 22:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-07 01:07 663,552 ----a-w C:\WINDOWS\system32\wininet.dll
2006-01-15 00:37 1,388 ----a-w C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\ViewerApp.dat
2003-10-21 19:18 271 --sh--w C:\Program Files\desktop.ini
2003-10-21 19:18 21,952 ---h--w C:\Program Files\folder.htt
2005-08-19 23:04 56 --sh--r C:\WINDOWS\system32\E36AFBAA61.sys
2005-08-19 23:04 3,766 --sh--w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ABDB789-EBA5-4C35-AC3C-C1C8E5D5BE92}]
C:\Program Files\folder.htt\poryb89104.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6DDD677-149C-42FE-AB2F-4699B7DB1949}]
C:\Program Files\desktop.ini\poryb89104.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32 81920]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:09 15360]
"ABIT uGuruIII"="C:\Program Files\ABIT\ABITEQ\ABITEQ.exe" [2006-02-22 17:55 417792]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-26 21:12 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 18:09 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1utcontr.exe]
C:\Program Files\User Time Control Center\utcontr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
--------- 2006-02-22 17:55 417792 C:\Program Files\ABIT\ABITEQ\ABITEQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-07-19 19:26 52896 C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-19 18:09 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--------- 2004-08-22 16:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-17 08:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 11:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-23 16:18 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2006-03-04 19:51 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--------- 2004-03-18 08:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Symantec AntiVirus"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"Reset 5"=2 (0x2)
"ose"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft 3 Frozen Throne

R0 ABIT-IO;ABIT-IO;C:\WINDOWS\system32\Drivers\ABIT-IO.sys [2005-12-08 14:53]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2004-01-29 01:32]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S1 SysTool;SysTool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\SysTool.sys [2006-11-10 08:08]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
S3 cel90xbe;cel90xbe;C:\DOCUME~1\SCHUTID\LOCALS~1\Temp\cel90xbe.sys []
S3 netflx3;Pilote de carte Compaq NetFlex-3/Netelligent;C:\WINDOWS\system32\DRIVERS\netflx3.sys [2001-08-23 16:10]
S3 o1394bul;o1394bul;C:\DOCUME~1\SCHUTID\LOCALS~1\Temp\o1394bul.sys []
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []
S3 XIRLINK;IBM PC Camera;C:\WINDOWS\system32\DRIVERS\C-itnt.sys [2002-03-12 20:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 10:25:30
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-03-06 10:28:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 15:28:12
.
2008-02-13 00:07:51 --- E O F ---


--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:23 AM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ABDB789-EBA5-4C35-AC3C-C1C8E5D5BE92} - C:\Program Files\folder.htt\poryb89104.dll (file missing)
O2 - BHO: (no name) - {F6DDD677-149C-42FE-AB2F-4699B7DB1949} - C:\Program Files\desktop.ini\poryb89104.dll (file missing)
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\ABITEQ\ABITEQ.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA0DC175-240B-41F3-9377-28FA66B04E48}: NameServer = 24.200.241.37
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 5701 bytes




Questions:

1. When I booted ComboFix, an error immediately appeared, saying that the installation had failed. However, ComboFix showed up still and ran (as you can see). Is this normal?
2. ComboFix made IE my default browser again. Now I don't really care as I simply put Firefox back as my default browser, but is this normal?
3. ComboFix made my computer reboot. Again, normal?


Thank you,

Shadow_Dancers

#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • ONLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:46 PM

Posted 07 March 2008 - 01:59 PM

Hi Shadow_Dancers

When I booted ComboFix, an error immediately appeared, saying that the installation had failed. However, ComboFix showed up still and ran (as you can see). Is this normal?

Did you make sure that all AV/Firewall was closed down? This may have affected it. But as it did run, it's ok.

ComboFix made IE my default browser again. Now I don't really care as I simply put Firefox back as my default browser, but is this normal?

Yes, it's ok.... because CF doesn't recognise what your default browser was, it resets it to IE.
Changing it back is no problem.

ComboFix made my computer reboot. Again, normal?

Yes... if it needed to remove something that required a reboot, then it would do this.

Step 1
Run Hijackthis again, click scan, and Put a checkmark next to each of these items.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {3ABDB789-EBA5-4C35-AC3C-C1C8E5D5BE92} - C:\Program Files\folder.htt\poryb89104.dll (file missing)
O2 - BHO: (no name) - {F6DDD677-149C-42FE-AB2F-4699B7DB1949} - C:\Program Files\desktop.ini\poryb89104.dll (file missing)


Then close all other windows, browsers etc--you should only see HijackThis on your Desktop--and click the Fix Checked button.
Reboot your computer to complete the process.

Step 2
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
File::
C:\WINDOWS\system32\itjfcsbp.ini
C:\WINDOWS\system32\aorpgvkb.ini
C:\WINDOWS\system32\lktpoxui.ini
C:\WINDOWS\system32\yiyjyrov.ini
C:\WINDOWS\system32\oxqvisul.ini
C:\WINDOWS\system32\crwonlrr.ini
C:\n.bat

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\ap8
C:\Temp

Driver::
cel90xbe
o1394bul
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 3
Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy & Paste the entire report in your next reply.

In your next reply, please submit:
New Combofix.txt
F-Secure report
and a new Hjt log.
You can also tell me how things are running now.

Thanks


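The two O2 lines Starbuck asks to have fixed share the tell-tale traits of a Vundo BHO: no name, a DLL that is no longer on disk, and a DLL path whose "directory" is named like a file (folder.htt, desktop.ini). The following is an added example, not code from this thread or from HijackThis, that parses O2 lines in the HijackThis log format and applies those three checks; the sample log lines are copied from the log above, and the BHO registry key path is my own annotation of what "Fix checked" removes.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: the O2 (Browser Helper Object) lines from the HijackThis
# log posted earlier in this thread, plus one O4 line to show non-O2 lines are skipped.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ABDB789-EBA5-4C35-AC3C-C1C8E5D5BE92} - C:\Program Files\folder.htt\poryb89104.dll (file missing)
O2 - BHO: (no name) - {F6DDD677-149C-42FE-AB2F-4699B7DB1949} - C:\Program Files\desktop.ini\poryb89104.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
"""

# One HijackThis O2 line: "O2 - BHO: <name> - {<CLSID>} - <dll path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Where Internet Explorer looks up registered BHOs; fixing an O2 item removes the
# subkey for that CLSID (assumption about the tool, not taken from this thread).
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Names that are files in a normal Program Files tree, never directories.
# A DLL "inside" one of these is hiding in a directory named to look like a file.
FILE_LIKE_DIRS = {"desktop.ini", "folder.htt", "thumbs.db"}


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool


@dataclass
class Finding:
    entry: BhoEntry
    reasons: list[str]

    @property
    def clsid(self) -> str:
        return self.entry.clsid

    def registry_key(self) -> str:
        """Registry subkey an analyst would expect to see removed for this BHO."""
        return f"{BHO_KEY}\\{{{self.clsid}}}"


def parse_bho(line: str) -> BhoEntry | None:
    """Return the parsed O2 entry, or None if the line is not an O2 line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return BhoEntry(
        name=m["name"],
        clsid=m["clsid"].upper(),
        path=m["path"],
        file_missing=m["missing"] is not None,
    )


def assess(entry: BhoEntry) -> list[str]:
    """Heuristics an analyst applies to an O2 line; an empty list means nothing stood out."""
    reasons: list[str] = []
    if entry.name == "(no name)":
        reasons.append("BHO registered without a name")
    if entry.file_missing:
        reasons.append("DLL no longer on disk but the registry hook remains")
    parent = ntpath.basename(ntpath.dirname(entry.path)).lower()
    if parent in FILE_LIKE_DIRS:
        reasons.append(f"DLL lives under a directory named like a file ({parent})")
    return reasons


def suspicious_bhos(log_text: str) -> list[Finding]:
    """Scan a whole HijackThis log and return only the O2 entries worth fixing."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        entry = parse_bho(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in suspicious_bhos(SAMPLE_LOG):
        print(f"{f.clsid}  {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
        print(f"    fix removes: {f.registry_key()}")
```

Run against the sample, the Adobe helper produces no finding while both poryb89104.dll entries are reported with all three reasons.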

#9 Shadow_Dancers

Shadow_Dancers
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:46 PM

Posted 08 March 2008 - 09:31 AM

ComboFix 08-03-05.3 - SCHUTID 2008-03-07 21:30:02.2 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.937 [GMT -5:00]
Endroit: C:\Documents and Settings\SCHUTID\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\SCHUTID\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

FILE ::
C:\n.bat
C:\WINDOWS\system32\aorpgvkb.ini
C:\WINDOWS\system32\crwonlrr.ini
C:\WINDOWS\system32\itjfcsbp.ini
C:\WINDOWS\system32\lktpoxui.ini
C:\WINDOWS\system32\oxqvisul.ini
C:\WINDOWS\system32\yiyjyrov.ini
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\n.bat
C:\Temp
C:\Temp\check\Fport.exe
C:\Temp\check\handle.exe
C:\Temp\check\KILL.EXE
C:\Temp\check\procexp.exe
C:\Temp\check\psexec.exe
C:\Temp\check\pskill.exe
C:\Temp\check\pslist.exe
C:\Temp\check\pulist.exe
C:\Temp\check\sl.exe
C:\Temp\check\SNScan.exe
C:\VundoFix Backups
C:\VundoFix Backups\gebyy.dll.bad
C:\VundoFix Backups\yybeg.ini.bad
C:\VundoFix Backups\yybeg.ini2.bad
C:\WINDOWS\system32\aorpgvkb.ini
C:\WINDOWS\system32\ap8
C:\WINDOWS\system32\ap8\yula4403.exe
C:\WINDOWS\system32\crwonlrr.ini
C:\WINDOWS\system32\itjfcsbp.ini
C:\WINDOWS\system32\lktpoxui.ini
C:\WINDOWS\system32\oxqvisul.ini
C:\WINDOWS\system32\yiyjyrov.ini
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CEL90XBE
-------\LEGACY_O1394BUL
-------\cel90xbe
-------\o1394bul


((((((((((((((((((((((((((((( Fichiers créés 2008-02-08 to 2008-03-08 ))))))))))))))))))))))))))))))))))))
.

2008-03-07 20:03 . 2008-03-07 20:03 244 --ah----- C:\sqmnoopt01.sqm
2008-03-07 20:03 . 2008-03-07 20:03 232 --ah----- C:\sqmdata01.sqm
2008-03-06 09:13 . 2008-03-06 09:14 <REP> d-------- C:\Program Files\HostsXpert
2008-03-04 18:50 . 2008-03-05 12:18 <REP> d-------- C:\Documents and Settings\SCHUTID\Application Data\PKWARE
2008-03-03 21:09 . 2008-03-03 21:09 <REP> dr-h----- C:\Documents and Settings\SCHUTID\Application Data\SecuROM
2008-03-03 16:45 . 2008-03-03 16:45 268 --ah----- C:\sqmdata00.sqm
2008-03-03 16:45 . 2008-03-03 16:45 244 --ah----- C:\sqmnoopt00.sqm
2008-02-27 23:36 . 2008-02-27 23:36 <REP> d-------- C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\Intuit Canada
2008-02-27 23:35 . 2008-02-27 23:52 <REP> d-------- C:\Program Files\ImpotRapide 2007
2008-02-27 23:35 . 2008-02-27 23:35 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-02-27 17:14 . 2008-02-27 17:14 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-02-27 06:43 . 2008-02-27 06:43 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Inspiration Software
2008-02-25 23:27 . 2008-02-25 23:27 <REP> d-------- C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\PGP Corporation
2008-02-25 23:23 . 2008-02-25 23:36 <REP> d-------- C:\Program Files\Fichiers communs\PGP Corporation
2008-02-25 23:23 . 2008-02-25 23:23 102,352 --a------ C:\WINDOWS\system32\PGPlspRollback.reg
2008-02-25 22:37 . 2008-03-07 21:35 <REP> d-------- C:\Program Files\Symantec AntiVirus
2008-02-25 22:37 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-25 22:37 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-10 12:39 . 2008-02-17 16:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-10 12:39 . 2008-02-10 12:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-09 15:02 . 2008-02-09 15:02 <REP> d-------- C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\PKWARE
2008-02-09 15:02 . 2008-02-09 15:02 <REP> d-------- C:\Documents and Settings\All Users\Application Data\PKWARE
2008-02-09 15:01 . 2008-02-09 15:01 <REP> d-------- C:\Program Files\PKWARE
2008-02-09 15:01 . 2008-02-09 15:01 <REP> d-------- C:\Program Files\Fichiers communs\PKWARE

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 02:22 --------- d-----w C:\Program Files\Steam
2008-03-08 01:03 --------- d-----w C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\uTorrent
2008-03-04 16:53 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-03-03 21:05 --------- d-----w C:\Program Files\Inspiration 8 IE
2008-02-28 04:35 --------- d-----w C:\Program Files\Fichiers communs\AnswerWorks 4.0
2008-02-28 00:11 5,264 ----a-w C:\WINDOWS\system32\drivers\PROCEXP.SYS
2008-02-26 03:38 --------- d-----w C:\Program Files\Symantec
2008-02-26 03:38 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2008-02-26 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-25 02:35 --------- d-----w C:\Program Files\BaldursGateTutu
2008-02-25 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-23 19:54 --------- d-----w C:\Program Files\Picasa2
2008-02-09 23:03 --------- d-----w C:\Program Files\Black Isle
2008-02-09 18:38 --------- d-----w C:\Program Files\Google
2008-02-02 18:31 --------- d-----w C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\Canon
2008-02-01 03:38 --------- d-----w C:\Program Files\Maxis
2008-01-09 23:42 --------- d-----w C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\Inspiration Software
2006-01-15 00:37 1,388 ----a-w C:\Documents and Settings\Jeffrey.IBM-AMD64\Application Data\ViewerApp.dat
2003-10-21 19:18 271 --sh--w C:\Program Files\desktop.ini
2003-10-21 19:18 21,952 ---h--w C:\Program Files\folder.htt
2005-08-19 23:04 56 --sh--r C:\WINDOWS\system32\E36AFBAA61.sys
2005-08-19 23:04 3,766 --sh--w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-06_10.28.00.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-08 02:38:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat
+ 2008-03-08 02:38:44 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7c0.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32 81920]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:09 15360]
"ABIT uGuruIII"="C:\Program Files\ABIT\ABITEQ\ABITEQ.exe" [2006-02-22 17:55 417792]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-26 21:12 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 18:09 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1utcontr.exe]
C:\Program Files\User Time Control Center\utcontr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
--------- 2006-02-22 17:55 417792 C:\Program Files\ABIT\ABITEQ\ABITEQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-07-19 19:26 52896 C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-19 18:09 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--------- 2004-08-22 16:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-17 08:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 11:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-23 16:18 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2006-03-04 19:51 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--------- 2004-03-18 08:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Symantec AntiVirus"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"Reset 5"=2 (0x2)
"ose"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft 3 Frozen Throne

R0 ABIT-IO;ABIT-IO;C:\WINDOWS\system32\Drivers\ABIT-IO.sys [2005-12-08 14:53]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2004-01-29 01:32]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S1 SysTool;SysTool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\SysTool.sys [2006-11-10 08:08]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
S3 netflx3;Pilote de carte Compaq NetFlex-3/Netelligent;C:\WINDOWS\system32\DRIVERS\netflx3.sys [2001-08-23 16:10]
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []
S3 XIRLINK;IBM PC Camera;C:\WINDOWS\system32\DRIVERS\C-itnt.sys [2002-03-12 20:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 21:37:38
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-03-07 21:41:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 02:41:54
ComboFix2.txt 2008-03-06 15:28:15
.
2008-02-13 00:07:51 --- E O F ---




---------------------------------------------------------------------------------------------------------




Scanning Report
Friday, March 07, 2008 21:50:16 - 08:44:56

Computer name: IBM-AMD64
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ F:\
Result: 2 malware found
Tracking Cookie (spyware)

* System

W32/HackSrvany.A (virus)

* C:\WINDOWS\SYSTEM32\SRVANY.EXE (Submitted)

Statistics
Scanned:

* Files: 83251
* System: 4342
* Not scanned: 42

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\$NTUNINSTALLKB835732$\BROWSER.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP
* C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE
* C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCSS.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\TXFLOG.DLL

Options
Scanning engines:

* F-Secure USS: 2.20.0
* F-Secure Hydra: 2.6.7470, 2008-03-07
* F-Secure AVP: 7.0.171, 2008-03-07
* F-Secure Pegasus: 1.20.0, 2008-02-03
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics



------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:37 AM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\ABITEQ\ABITEQ.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA0DC175-240B-41F3-9377-28FA66B04E48}: NameServer = 24.200.241.37
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 5393 bytes



That's about it. The computer's been running OK for some time now.

#10 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • ONLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:46 PM

Posted 09 March 2008 - 05:49 AM

Hi Shadow_Dancers

Glad to hear everything is running fine.
Logs look good.... well done
Just some final finishing off to do.

Step 1
As you previously stated that you had used:
VundoFix and VirtuMundoBegone
These can now be removed from your system (if they are still there).
These programs are constantly being updated and if ever needed again... you'll need to download the newer version.

You can also remove:
HostsXpert now.

Please uninstall ComboFix by
Clicking on Start ...then run ... and type in Combofix /u (don't forget there is a gap between x and /) Then press Ok

When shown the disclaimer, Select "2"

This action will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Reset System Restore.

Step 2
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

To find out how you may have been infected....read this topic:
So how did I get infected?

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.


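The Internet Explorer zone changes recommended in the post above can be checked against what the machine actually has, rather than clicked through by hand. The following PowerShell script is an added example, not part of the original thread or any tool it mentions; it assumes the per-user zone settings under HKCU, where zone 3 is the Internet zone, the value names are IE's numeric action IDs, and the data 0 / 1 / 3 mean Enable / Prompt / Disable.

```powershell
# Added example (not from the original thread): audit, and with -Apply set,
# the Internet-zone settings the post lists. Assumes per-user settings under
# HKCU; zone 3 = Internet zone; value names are IE action IDs; 0/1/3 = Enable/Prompt/Disable.
param([switch]$Apply)   # report only by default; -Apply writes the recommended values

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$label    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Action ID -> description and the value the post recommends.
$wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                            Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                          Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe';   Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                               Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                   Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';                Value = 1 }
}

if (-not (Test-Path $zonePath)) {
    Write-Warning "Zone key not found under HKCU; IE may never have been run for this user."
    return
}
$zone = Get-ItemProperty -Path $zonePath

foreach ($id in $wanted.Keys) {
    $current = $zone.$id                      # $null when the value is not explicitly set
    $target  = $wanted[$id].Value
    if ($null -eq $current) {
        $shown = 'not set (zone default applies)'
    } elseif ($label.ContainsKey([int]$current)) {
        $shown = $label[[int]$current]
    } else {
        $shown = "raw value $current"         # unexpected data; show it instead of guessing
    }

    if ($current -eq $target) {
        Write-Output ("OK      {0,-5} {1} = {2}" -f $id, $wanted[$id].Name, $shown)
        continue
    }
    Write-Output ("CHANGE  {0,-5} {1}: {2} -> {3}" -f $id, $wanted[$id].Name, $shown, $label[$target])
    if ($Apply) {
        # IE stores these as REG_DWORD; write the same type it would write itself
        Set-ItemProperty -Path $zonePath -Name $id -Value $target -Type DWord
    }
}
```

If Group Policy forces machine-wide zone settings, the effective values live under HKLM instead and this per-user check will not see them.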

#11 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:12:46 PM

Posted 17 March 2008 - 12:57 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.