Virtumonde Infection

#1 fazza (Members, 1 post)

Posted 19 March 2008 - 10:14 AM

Here is ComboFix logfile:

ComboFix 08-03-18.1 - Sale 2008-03-19 15:49:53.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1765 [GMT 1:00]
Running from: C:\Documents and Settings\Sale\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-19 15:32 . 2008-03-19 15:32 <DIR> d-------- C:\ComboFix(2)
2008-03-19 01:07 . 2008-03-19 01:23 <DIR> d-------- C:\Documents and Settings\Sale\Application Data\LimeWire
2008-03-19 01:06 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-19 01:04 . 2008-03-19 01:04 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-19 00:58 . 2008-03-19 00:58 45 --a------ C:\TEST.XML
2008-03-19 00:55 . 2008-03-19 01:17 <DIR> d-------- C:\Program Files\LimeWire
2008-03-18 01:49 . 2008-03-18 01:49 <DIR> d-------- C:\Program Files\TGTSoft
2008-03-17 02:16 . 2008-03-17 02:16 <DIR> d-------- C:\Program Files\Elecard
2008-03-17 02:09 . 2008-03-17 02:10 <DIR> d-------- C:\Documents and Settings\Sale\Application Data\Media Player Classic
2008-03-13 23:46 . 2008-03-13 23:46 <DIR> d-------- C:\Documents and Settings\Sale\Application Data\InstallShield
2008-03-13 23:46 . 2007-07-26 16:15 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2008-03-13 23:37 . 2008-03-13 23:38 <DIR> d-------- C:\Program Files\Driver Magician
2008-03-13 23:37 . 2004-09-28 11:13 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-03-13 23:37 . 2005-01-12 11:19 456,536 --a------ C:\WINDOWS\system32\XCEEDZIP.DLL
2008-03-13 23:37 . 2004-08-11 15:55 110,602 --a------ C:\WINDOWS\system32\xcdsfx32.bin
2008-03-13 20:11 . 1998-11-22 20:46 600,576 --------- C:\WINDOWS\system\Ltwrp10n.dll
2008-03-13 20:05 . 2008-03-17 02:11 <DIR> d-------- C:\Program Files\Temp
2008-03-12 16:26 . 2008-03-12 16:26 <DIR> d-------- C:\Program Files\Gabest
2008-03-12 16:26 . 2008-03-12 16:26 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-03-10 05:36 . 2008-03-10 05:36 <DIR> d-------- C:\Program Files\AliveMedia
2008-03-10 05:36 . 2003-03-26 06:59 573,440 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2008-03-10 05:36 . 2002-12-03 03:02 491,520 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-03-10 05:36 . 2003-03-25 15:08 286,720 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-03-10 05:36 . 2002-12-03 03:11 143,872 --a------ C:\WINDOWS\system32\NCTWMAFile.dll
2008-03-10 05:36 . 2002-03-19 07:18 120,832 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-03-05 15:11 . 2008-03-05 15:11 2,281 --a------ C:\WINDOWS\BorisRED4.1.ini
2008-03-05 15:03 . 2008-03-05 15:03 1,937 --a------ C:\WINDOWS\BorisRED4.0.ini
2008-03-05 14:33 . 2008-03-05 15:11 <DIR> d-------- C:\Program Files\Boris FX, Inc
2008-03-05 14:04 . 2008-03-05 14:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-05 03:27 . 2008-03-05 03:27 <DIR> d-------- C:\WINDOWS\cluster
2008-03-05 03:27 . 2008-03-05 03:27 <DIR> d-------- C:\SFU
2008-03-05 01:06 . 2008-03-05 01:06 <DIR> d-------- C:\Program Files\Symantec
2008-03-04 05:55 . 2008-03-04 05:55 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-04 05:55 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-03-01 19:14 . 2008-03-01 19:17 592 --a------ C:\WINDOWS\chgkey.vbs
2008-03-01 18:29 . 2002-05-23 20:40 110,080 --a------ C:\WINDOWS\system32\nLame.dll
2008-03-01 18:29 . 2001-06-23 21:20 23,040 --a------ C:\WINDOWS\system32\auth.dll
2008-03-01 04:27 . 2008-03-01 04:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-01 04:27 . 2008-03-01 04:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-01 04:16 . 2008-03-01 04:15 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-01 04:16 . 2008-03-01 04:16 2,542 --a------ C:\WINDOWS\unins000.dat
2008-03-01 04:04 . 2008-03-01 04:04 <DIR> d-------- C:\WINDOWS\Funnsystems
2008-03-01 02:43 . 2005-03-03 20:32 86,094 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-02-29 22:16 . 2008-02-29 22:16 <DIR> d-------- C:\Program Files\SoftByte Labs
2008-02-29 21:27 . 2008-02-29 21:27 <DIR> d-------- C:\Program Files\DVD Ripper Wizard
2008-02-29 16:06 . 2008-02-29 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bimesoft
2008-02-25 22:08 . 2008-02-25 22:08 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-02-24 15:19 . 2008-02-24 15:19 <DIR> d-------- C:\Documents and Settings\Sale\Application Data\TVU Networks
2008-02-24 15:18 . 2008-02-24 15:30 <DIR> d-------- C:\Program Files\Satellite TV for PC
2008-02-22 02:38 . 2008-02-22 02:38 <DIR> d-------- C:\Program Files\URUSoft
2008-02-20 02:09 . 2008-02-20 02:09 177 --a------ C:\WINDOWS\usdthank.ini
2008-02-20 02:09 . 2008-02-20 02:09 31 --a------ C:\WINDOWS\idc.ini
2008-02-20 01:45 . 2008-02-20 01:46 <DIR> d-------- C:\Program Files\MPEG2_Decoders
2008-02-20 01:03 . 2008-02-20 01:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-02-19 03:01 . 2008-02-20 01:32 <DIR> d-------- C:\Program Files\Real
2008-02-19 03:01 . 2008-02-19 03:01 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 14:13 --------- d-----w C:\Documents and Settings\Sale\Application Data\uTorrent
2008-03-19 00:06 --------- d-----w C:\Program Files\Java
2008-03-19 00:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-18 23:46 --------- d-----w C:\Program Files\eMule
2008-03-18 00:56 --------- d-----w C:\Program Files\ApexDC++
2008-03-17 01:16 --------- d-----w C:\Program Files\Common Files\Elecard
2008-03-13 22:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 19:11 86,400 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-03-12 15:26 --------- d-----w C:\Program Files\AutoGK
2008-03-07 00:44 --------- d-----w C:\Program Files\Advanced System Optimizer
2008-03-06 23:13 --------- d-----w C:\Program Files\Your Uninstaller 2008
2008-03-06 22:49 --------- d-----w C:\Program Files\Cyberlink
2008-03-05 13:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-04 04:55 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-04 02:07 --------- d-----w C:\Documents and Settings\Sale\Application Data\VideoReDoPlus
2008-03-01 03:34 --------- d-----w C:\Program Files\Spyware Terminator
2008-03-01 03:33 --------- d-----w C:\Documents and Settings\Sale\Application Data\Spyware Terminator
2008-03-01 03:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 03:23 --------- d-----w C:\Documents and Settings\Sale\Application Data\Lavasoft
2008-03-01 03:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-01 00:52 --------- d-----w C:\Program Files\MagicISO
2008-02-20 01:30 --------- d-----w C:\Program Files\TechniSat DVB
2008-02-19 02:01 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 22:19 --------- d-----w C:\Program Files\Bejeweled 2 Deluxe
2008-02-15 22:17 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2008-02-13 00:52 --------- d-----w C:\Program Files\Crystal Player
2008-02-12 23:29 --------- d-----w C:\Program Files\AC3Filter
2008-02-12 23:22 --------- d-----w C:\Program Files\No-IP
2008-02-12 18:32 --------- d-----w C:\Program Files\QuickTime
2008-02-12 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Technisat
2008-02-11 17:01 --------- d-----w C:\Program Files\DiskTrix
2008-02-11 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-02-05 21:46 --------- d-----w C:\Program Files\VSTplugins
2008-02-05 21:43 --------- d-----w C:\Documents and Settings\Sale\Application Data\Sony
2008-02-05 21:42 --------- d-----w C:\Program Files\Sony
2008-02-04 02:02 --------- d-----w C:\Documents and Settings\LocalService\Application Data\CyberLink
2008-01-31 03:04 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-29 23:40 --------- d-----w C:\Program Files\Video Convert Master
2008-01-29 23:39 47,360 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-01-28 15:59 --------- d-----w C:\Documents and Settings\Sale\Application Data\ATI
2008-01-28 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-01-28 15:57 --------- d-----w C:\Program Files\ATI Technologies
2008-01-28 15:35 --------- d-----w C:\Program Files\Realtek
2008-01-28 15:31 --------- d-----w C:\Program Files\AutoPatcher
2008-01-28 15:17 --------- d-----w C:\Program Files\mIRC
2008-01-28 01:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-01-28 01:22 392,320 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-01-28 01:22 32,768 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-01-28 01:22 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-01-27 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-24 17:16 --------- d-----w C:\Program Files\Common Files\DMT
2008-01-24 16:52 --------- d-----w C:\Program Files\Common Files\Moonlight
2008-01-24 16:51 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-01-24 04:07 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-24 04:07 --------- d--h--r C:\Documents and Settings\Sale\Application Data\SecuROM
2008-01-24 02:16 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-01-23 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-01-23 15:02 --------- d-----w C:\Program Files\Common Files\DirectX
2008-01-23 15:01 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-23 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-23 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-01-23 01:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-01-22 20:44 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-01-22 20:36 9,949,184 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-01-22 20:35 122,880 ------w C:\WINDOWS\system32\ati2evxx.dll
2008-01-22 20:04 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-01-22 19:57 163,840 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-01-22 18:56 --------- d-----w C:\Documents and Settings\Sale\Application Data\muvee Technologies
2008-01-19 00:37 --------- d-----w C:\Program Files\Google
2007-11-13 02:23 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-11-13 02:23 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-11-13 02:23 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007111320071114\index.dat
2007-11-13 02:23 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2007-02-16 23:41 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NFS Shell Icon Overlay Identifier]
@={04EA2470-913A-11D2-8CB8-0000F8083420}

[HKEY_CLASSES_ROOT\CLSID\{04EA2470-913A-11D2-8CB8-0000F8083420}]
2003-11-08 14:42 61136 -ra------ C:\WINDOWS\system32\nfssprop.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartGuardian"="C:\Program Files\ITE\Smart Guardian\ITESMART.exe" [2007-10-16 18:19 196608]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-05 12:05 1410304]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 09:12 90112]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-11-08 12:36 151552]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-19 03:01 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-06-27 15:34 124928 C:\WINDOWS\system32\advpack.dll]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []
"IE7-11"="advpack.dll" [2007-06-27 15:34 124928 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Sale\Start Menu\Programs\Startup\
No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-11-15 00:57:07 1172992]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 18:57:16 2913584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent 1.6.1.490.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Cyberlink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Cyberlink\\PowerCinema\\PCMService.exe"=

S1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-05 12:06]
S2 Mapsvc;User Name Mapping;C:\SFU\Mapper\mapsvc.exe [2003-11-08 14:42]
S2 NfsSvc;Server for NFS;C:\WINDOWS\system32\nfssvc.exe [2003-11-08 14:42]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:56]
S3 3xHybrid;Philips SAA713x PCI Card;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2006-11-22 08:53]
S3 FileObjInfo;STFileDriver;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2007-11-30 01:52]
S3 NfsSvr;NfsSvr;C:\WINDOWS\system32\drivers\nfssvr.sys [2003-11-08 14:42]
S3 PLFF;USB Flash Disk Driver;C:\WINDOWS\system32\Drivers\PLFF.sys [2003-10-06 11:29]
S3 Portmap;Portmap;C:\WINDOWS\system32\drivers\portmap.sys [2003-11-08 14:42]
S3 RpcXdr;RpcXdr;C:\WINDOWS\system32\drivers\rpcxdr.sys [2003-11-08 14:42]
S3 SKYNET;TechniSat DVB-PC TV Star PCI;C:\WINDOWS\system32\DRIVERS\SkyNET.SYS [2006-03-14 02:22]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-04 05:55]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{014f5ea8-ae76-11dc-86c0-00d0d709c191}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

*Newly Created Service* - PXHELP20
.
Contents of the 'Scheduled Tasks' folder
"2008-03-14 16:17:53 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.

and HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13, on 2008-03-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\SFU\Mapper\mapsvc.exe
C:\WINDOWS\system32\nfssvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\ITE\Smart Guardian\ITESMART.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Totalcmd\TOTALCMD.EXE
C:\Documents and Settings\Sale\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESMART.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Quick Login www.yu-mp3.com - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe (file missing)
O9 - Extra 'Tools' menuitem: &Quick Login www.yu-mp3.com - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201477632472
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201477624269
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8334 bytes



What do you think? Am I clean?

10x in advance!
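An added triage script, not part of fazza's post or of the HijackThis Team's advice: it applies the checks a log helper makes by eye to the ComboFix and HijackThis text above. The sample input embedded in it is an excerpt of lines copied from the log posted above; the rule list and the severities are this example's own choices, not a verdict on any particular file. The MountPoints2 `\Shell\AutoRun\command` lines are flagged because that key is where Explorer caches a drive's autorun.inf handler, and a handler that launches an unqualified executable name (here UFO.exe) is the pattern removable-media droppers leave behind; whether that file is actually malicious still has to be confirmed separately.

```python
"""Triage a pasted ComboFix / HijackThis log for the entries a helper reads first.

Added example for this thread. The rules are a starting checklist: a hit means
"look at this", not "this is malware".
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Pattern, Tuple

# Excerpt of the log posted above, embedded here so the script runs offline.
SAMPLE_LOG = """\
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{014f5ea8-ae76-11dc-86c0-00d0d709c191}]
\\Shell\\Auto\\command - UFO.exe
\\Shell\\AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
*Newly Created Service* - PXHELP20
O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe" /hide /waitservice
O9 - Extra button: Quick Login www.yu-mp3.com - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\\Program Files\\Funnsystems YuMp3Com-User-Authorization\\YuMp3ComLogin.exe (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedul2.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
"""

# (severity, rule name, pattern). A named group "detail" narrows what gets reported;
# otherwise the whole matching line is reported. Severities are this example's choice.
RULES: List[Tuple[str, str, Pattern[str]]] = [
    ("high", "firewall disabled",
     re.compile(r'"EnableFirewall"\s*=\s*0\b')),
    ("high", "removable-drive autorun handler",
     re.compile(r'\\Shell\\(?:Auto|AutoRun)\\command\s*-\s*(?P<detail>.+)')),
    ("medium", "Security Center notification suppressed",
     re.compile(r'"(?:UpdatesDisableNotify|AntiVirusDisableNotify|FirewallDisableNotify)"=dword:0*1$')),
    ("medium", "newly created service",
     re.compile(r'\*Newly Created Service\*\s*-\s*(?P<detail>\S+)')),
    ("medium", "orphaned entry (file missing)",
     re.compile(r'\(file missing\)$')),
    ("info", "service with unknown owner",
     re.compile(r'^O23 - Service: .* - Unknown owner - ')),
    ("info", "Recovery Console not installed",
     re.compile(r'DOES NOT HAVE THE RECOVERY CONSOLE', re.IGNORECASE)),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per (rule, line) hit, in log order; a line may hit several rules."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                detail = match.groupdict().get("detail") or line
                findings.append(Finding(severity, rule, detail))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


def autorun_commands(findings: List[Finding]) -> List[str]:
    """Commands Explorer would run from a cached autorun.inf handler (MountPoints2)."""
    return [f.detail for f in findings if f.rule == "removable-drive autorun handler"]


def main(argv: List[str]) -> int:
    # Pass a saved log as the first argument; without one the embedded excerpt is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    findings = sorted(triage(text), key=lambda f: SEVERITY_ORDER[f.severity])
    for f in findings:
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
    counts = summarize(findings)
    print("summary:", counts)
    return 1 if counts["high"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path of a saved log, or with no argument to see it work on the excerpt. The rules deliberately do not try to name malware families: an O9 entry marked `(file missing)` or an O23 service with "Unknown owner" is only an orphan to clean up or a vendor string to verify, while the disabled firewall and the suppressed Security Center notification are settings to turn back on after cleanup whatever caused them.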

#2 rookie147 (Members, 5,321 posts)

Posted 07 April 2008 - 02:47 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
As you can probably see our HijackThis Team is incredibly busy at the moment, but I apologise for the delay you have experienced. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A HijackThis Log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.