Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Adware.vundo.gen!pac.18 Infection


  • This topic is locked This topic is locked
15 replies to this topic

#1 MikHornet

MikHornet

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 24 March 2008 - 06:46 AM

I seem to have a Malware infection on my computer. The PC Tools AntiVirus detected an Adware.Vundo.Gen!Pac.18 virus in a .dll file in the System32 folder. However, it’s not able to get rid of it. I got rid of some other infected files at the very beginning, using both Ad-aware and the PC Tools AntiVirus. The NOD32 doesn’t detect any infection. I also tried the VundoFix application, but it won’t even start giving me a missing file error message. I even tried the “Delete a file on reboot” tool in HijackThis on the infected file, but without any success. Here is the recent log I got, and actually there seems to be some more stuff that doesn’t belong there. Please advise what to do… thank a million.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:06, on 24. 3. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkCSrv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\system32\ASUSTPE.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3615EE58-6F38-47BA-9DD9-C99BD611C6A6} - C:\WINDOWS\system32\qomligg.dll
O2 - BHO: (no name) - {EFD7B584-1CA2-4D36-B648-824FB185FD27} - C:\WINDOWS\system32\pmkhi.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - http://dl.google.com/dl/desktop/nv/GoogleG...PluginIEWin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qomligg - C:\WINDOWS\SYSTEM32\qomligg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

--
End of file - 6433 bytes

BC AdBot (Login to Remove)

 


m

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:26 AM

Posted 24 March 2008 - 11:54 AM

Hello MikHornet,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 MikHornet

MikHornet
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 25 March 2008 - 06:33 AM

Hi Thanks for Your quick response. You really scared me with that first sentence, first moment I though I've done something wrong already :thumbsup:
Anyway, here is the log from the ComboFix application, and I'll post a nwe HJT log in the next post:

ComboFix 08-03-24.2 - Miso 2008-03-25 12:13:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.421 [GMT 1:00]
Running from: C:\Documents and Settings\Miso\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
CF6985.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\falehedr.dll
C:\WINDOWS\system32\fccdddb.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgdde.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\qomligg.dll
C:\WINDOWS\system32\rdehelaf.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-23 12:29 . 2008-03-23 12:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 11:14 . 2008-03-23 11:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-19 17:27 . 2008-03-19 17:27 <DIR> d-------- C:\Documents and Settings\Miso\Application Data\PC Tools
2008-03-19 17:26 . 2008-03-25 12:25 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-03-19 17:26 . 2008-03-19 17:26 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-03-19 17:26 . 2008-03-19 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-19 17:26 . 2007-12-06 16:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2008-03-19 17:26 . 2007-12-06 16:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2008-03-19 17:26 . 2008-02-12 11:44 21,904 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2008-03-19 15:31 . 2008-03-19 15:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-19 15:31 . 2008-03-19 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-19 15:29 . 2008-03-19 15:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-19 12:46 . 2008-03-19 17:40 1,531,660 ---hs---- C:\WINDOWS\system32\kgkltmwb.ini
2008-03-18 21:41 . 2008-03-18 21:41 57,344 --a------ C:\fcjhbfr.exe
2008-03-18 21:40 . 2008-03-18 21:41 5,120 --a------ C:\rvyvhncc.exe
2008-03-17 15:05 . 2008-03-19 12:39 1,371,584 ---hs---- C:\WINDOWS\system32\tvblmjlj.ini
2008-03-10 19:36 . 2008-03-10 21:08 34 --a------ C:\WINDOWS\cdplayer.ini
2008-03-10 19:07 . 2008-03-10 19:37 <DIR> d-------- C:\Program Files\audiograbber
2008-03-10 16:14 . 2008-03-10 16:14 <DIR> d-------- C:\Program Files\Opera
2008-03-10 16:10 . 2008-03-10 16:13 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-03-10 16:04 . 2008-03-10 16:04 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-10 14:08 . 2008-03-10 15:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-10 14:08 . 2008-03-10 14:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-10 11:30 . 2008-03-10 16:10 5,186 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-03-10 01:03 . 2004-08-07 01:17 68,608 --a------ C:\WINDOWS\system32\plugin.ocx
2008-03-10 01:03 . 2004-08-07 01:17 68,608 --a------ C:\WINDOWS\system32\dllcache\plugin.ocx
2008-03-10 01:01 . 2008-03-10 01:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-10 00:41 . 2008-03-10 00:48 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-10 00:27 . 2006-12-19 09:53 1,872,821 --a------ C:\WINDOWS\system32\cygwin1.dll
2008-03-10 00:27 . 2006-10-17 22:29 487,479 --a------ C:\WINDOWS\system32\SkinMagic.dll
2008-03-10 00:27 . 2006-10-16 01:10 66,048 --a------ C:\WINDOWS\system32\cygz.dll
2008-03-09 22:45 . 2008-03-09 22:45 <DIR> d-------- C:\Program Files\Xvid
2008-03-09 22:45 . 2008-03-25 12:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-09 22:45 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-09 22:45 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2008-03-09 22:45 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2008-03-09 22:45 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-03-09 22:45 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2008-03-09 22:45 . 2008-03-09 23:06 67 --a------ C:\WINDOWS\AoADVDRipper.INI
2008-03-09 17:51 . 2008-03-15 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-06 17:03 . 2008-03-06 17:03 54,784 --a------ C:\Documents and Settings\Miso\win.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 07:41 --------- d-----w C:\Program Files\Google
2008-03-01 11:05 --------- d-----w C:\Program Files\ESET
2008-02-28 13:51 --------- d-----w C:\Program Files\StrongDC++
2008-02-15 12:59 --------- d-----w C:\Documents and Settings\Miso\Application Data\gtk-2.0
2008-02-09 00:07 --------- d-----w C:\Documents and Settings\Miso\Application Data\Skype
2008-02-02 12:00 --------- d-----w C:\Documents and Settings\Miso\Application Data\BSplayer Pro
2008-01-30 16:26 --------- d-----w C:\Program Files\Picasa2
2008-01-30 14:23 --------- d-----w C:\Documents and Settings\Miso\Application Data\skypePM
2008-01-28 20:55 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-20 14:04 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-30 12:24 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-30 12:19 270,336 ----a-w C:\WINDOWS\system32\imon.dll
2007-12-30 11:54 45,056 ----a-w C:\WINDOWS\system32\acovcnt.exe
2007-12-28 15:19 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 17:31 630784]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2007-07-19 15:41 49520]
"ASUSTPE"="C:\WINDOWS\system32\ASUSTPE.exe" [2007-01-16 16:13 106496]
"ATKOSD2"="C:\Program Files\ATKOSD2\ATKOSD2.exe" [2007-07-03 10:48 7708672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-30 13:19 917504]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-05-30 21:31 98304]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-16 13:19 81920]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 08:27 61440]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2007-07-10 10:59 851968]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-16 13:19 8478720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomligg]
qomligg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\StrongDC++\\StrongDC.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\WINDOWS\System32\StkCSrv.exe [2007-04-19 06:42]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-02-16 08:50]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 04:04]
R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2007-01-15 14:37]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\StkCMini.sys [2007-06-06 10:40]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - E:\Directx\dxsetup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 12:25:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ntos.exe 442368 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
.
**************************************************************************
.
Completion time: 2008-03-25 12:30:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 11:30:01

#4 MikHornet

MikHornet
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 25 March 2008 - 06:36 AM

..and here's the new HJT log. And thanks again :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:35, on 25. 3. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkCSrv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\system32\ASUSTPE.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\ASUS\ASUS Live Update\Liveupdt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - http://dl.google.com/dl/desktop/nv/GoogleG...PluginIEWin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qomligg - qomligg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

--
End of file - 6367 bytes

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:26 AM

Posted 26 March 2008 - 02:24 PM

Hello,

You're welcome. :thumbsup: You didn't do anything wrong. :wacko:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Please let me know how it's running now. :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 MikHornet

MikHornet
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 27 March 2008 - 07:07 AM

Hi, thank you for all your advice, I really appreciate it.
I've done that and below I enclose both the logs. The computer seems slightly faster, although it still seems forever to get the Opera browser started. But it might be normal, I don't know about that. Anyway, here are the SDFix and HJT logs:


SDFix: Version 1.162

Run by Miso on Át 27. 03. 2008 at 12:49

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\17PHolmes572.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll.cla - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 12:56:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:75,33,ea,d1,c7,b3,ed,8a,44,cf,dc,f7,7f,70,62,27,92,e7,17,c5,f6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:75,33,ea,d1,c7,b3,ed,8a,44,cf,dc,f7,7f,70,62,27,92,e7,17,c5,f6,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\StrongDC++\\StrongDC.exe"="C:\\Program Files\\StrongDC++\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 30 Jan 2008 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Tue 26 Feb 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 9 Feb 2008 995,328 A.SH. --- "C:\Documents and Settings\Miso\Desktop\fotos Lille\2008-02-11\SIV61.tmp"
Tue 26 Feb 2008 4,348 ...H. --- "C:\Documents and Settings\Miso\Application Data\Real\rhapsody\wmlicbackup\drmv1key.bak"
Tue 26 Feb 2008 20 A..H. --- "C:\Documents and Settings\Miso\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Tue 26 Feb 2008 312 ...H. --- "C:\Documents and Settings\Miso\Application Data\Real\rhapsody\wmlicbackup\drmv2key.bak"
Tue 26 Feb 2008 1,536 A..H. --- "C:\Documents and Settings\Miso\Application Data\Real\rhapsody\wmlicbackup\drmv2lic.bak"

Finished!






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05:59, on 27. 3. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkCSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\system32\ASUSTPE.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - http://dl.google.com/dl/desktop/nv/GoogleG...PluginIEWin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qomligg - qomligg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

--
End of file - 6320 bytes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:26 AM

Posted 27 March 2008 - 01:11 PM

Hello,

You're welcome. :thumbsup:

Looking much better. :wacko: Go ahead and delete SDFix and reboot your computer. Please give ComboFix another run to see what's left, then we'll do a final cleanup and see about that slow browser. :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 MikHornet

MikHornet
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 28 March 2008 - 08:59 AM

Hi,

thank you, I'm glad it's looking better. Here are the new Combofix and HJT logs. And by the way, just before I deleted the SDFix application, the NOD32 realtime protection detected a trojan horse which it deleted on it's own. Just though you should know. Oh, and bout the Opera browser, it only starts slow after I reboot or start the PC, so i think it's probably normal, due to the other applications beeing loaded. If i start it later, not right after the Windows starts, it seems just fine.

Here are the logs:

ComboFix 08-03-26.3 - Miso 2008-03-27 14:48:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.492 [GMT 1:00]
Running from: C:\Documents and Settings\Miso\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 13:10 . 2008-02-25 08:59 524,288 -r-h----- C:\F5N.BIN
2008-03-27 12:46 . 2008-03-27 12:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-23 12:29 . 2008-03-23 12:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 11:14 . 2008-03-23 11:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-19 17:27 . 2008-03-19 17:27 <DIR> d-------- C:\Documents and Settings\Miso\Application Data\PC Tools
2008-03-19 17:26 . 2008-06-28 13:11 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-03-19 17:26 . 2008-03-19 17:26 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-03-19 17:26 . 2008-03-19 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-19 17:26 . 2007-12-06 16:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2008-03-19 17:26 . 2007-12-06 16:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2008-03-19 17:26 . 2008-02-12 11:44 21,904 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2008-03-19 15:31 . 2008-03-19 15:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-19 15:31 . 2008-03-19 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-19 15:29 . 2008-03-19 15:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-19 12:46 . 2008-03-19 17:40 1,531,660 ---hs---- C:\WINDOWS\system32\kgkltmwb.ini
2008-03-18 21:40 . 2008-03-18 21:41 5,120 --a------ C:\rvyvhncc.exe
2008-03-17 15:05 . 2008-03-19 12:39 1,371,584 ---hs---- C:\WINDOWS\system32\tvblmjlj.ini
2008-03-10 19:36 . 2008-03-10 21:08 34 --a------ C:\WINDOWS\cdplayer.ini
2008-03-10 19:07 . 2008-03-10 19:37 <DIR> d-------- C:\Program Files\audiograbber
2008-03-10 16:14 . 2008-03-10 16:14 <DIR> d-------- C:\Program Files\Opera
2008-03-10 16:10 . 2008-03-10 16:13 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-03-10 16:04 . 2008-03-10 16:04 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-10 14:08 . 2008-03-10 15:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-10 14:08 . 2008-03-10 14:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-10 11:30 . 2008-03-10 16:10 5,186 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-03-10 01:03 . 2004-08-07 01:17 68,608 --a------ C:\WINDOWS\system32\plugin.ocx
2008-03-10 01:03 . 2004-08-07 01:17 68,608 --a------ C:\WINDOWS\system32\dllcache\plugin.ocx
2008-03-10 01:01 . 2008-03-10 01:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-10 00:27 . 2006-12-19 09:53 1,872,821 --a------ C:\WINDOWS\system32\cygwin1.dll
2008-03-10 00:27 . 2006-10-17 22:29 487,479 --a------ C:\WINDOWS\system32\SkinMagic.dll
2008-03-10 00:27 . 2006-10-16 01:10 66,048 --a------ C:\WINDOWS\system32\cygz.dll
2008-03-09 22:45 . 2008-03-09 22:45 <DIR> d-------- C:\Program Files\Xvid
2008-03-09 22:45 . 2008-06-28 13:11 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-09 22:45 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-09 22:45 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2008-03-09 22:45 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2008-03-09 22:45 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-03-09 22:45 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2008-03-09 22:45 . 2008-03-09 23:06 67 --a------ C:\WINDOWS\AoADVDRipper.INI
2008-03-09 17:51 . 2008-03-15 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-06 17:03 . 2008-03-06 17:03 54,784 --a------ C:\Documents and Settings\Miso\win.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 10:41 --------- d-----w C:\Documents and Settings\Miso\Application Data\gtk-2.0
2008-03-05 07:41 --------- d-----w C:\Program Files\Google
2008-03-01 11:05 --------- d-----w C:\Program Files\ESET
2008-02-28 13:51 --------- d-----w C:\Program Files\StrongDC++
2008-02-09 00:07 --------- d-----w C:\Documents and Settings\Miso\Application Data\Skype
2008-02-02 12:00 --------- d-----w C:\Documents and Settings\Miso\Application Data\BSplayer Pro
2008-01-30 16:26 --------- d-----w C:\Program Files\Picasa2
2008-01-30 14:23 --------- d-----w C:\Documents and Settings\Miso\Application Data\skypePM
2008-01-28 20:55 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-20 14:04 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-30 12:24 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-30 12:19 270,336 ----a-w C:\WINDOWS\system32\imon.dll
2007-12-30 11:54 45,056 ----a-w C:\WINDOWS\system32\acovcnt.exe
2007-12-28 15:19 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_12.27.51.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 06:15:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-27 11:46:38 4,366,336 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-27 11:46:38 69,632 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-26 06:15:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-27 11:46:33 4,366,336 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-03-27 11:46:33 69,632 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-03-25 11:23:54 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-27 11:45:40 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-25 11:23:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-27 11:45:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-25 11:23:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-27 11:45:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-28 15:30:38 41,034 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-28 12:15:20 41,034 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-28 15:30:38 314,706 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-28 12:15:20 314,706 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 17:31 630784]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2007-07-19 15:41 49520]
"ASUSTPE"="C:\WINDOWS\system32\ASUSTPE.exe" [2007-01-16 16:13 106496]
"ATKOSD2"="C:\Program Files\ATKOSD2\ATKOSD2.exe" [2007-07-03 10:48 7708672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-30 13:19 917504]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-05-30 21:31 98304]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-16 13:19 81920]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 08:27 61440]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2007-07-10 10:59 851968]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-16 13:19 8478720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomligg]
qomligg.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\StrongDC++\\StrongDC.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\WINDOWS\System32\StkCSrv.exe [2007-04-19 06:42]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-02-16 08:50]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 04:04]
R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2007-01-15 14:37]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\StkCMini.sys [2007-06-06 10:40]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 14:50:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-03-27 14:51:16
ComboFix-quarantined-files.txt 2008-03-27 13:51:12
ComboFix2.txt 2008-03-25 11:30:13
Pre-Run: 19,871,731,712 bytes free
Post-Run: 19,859,976,192 bytes free









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:53:43, on 27. 3. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkCSrv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\system32\ASUSTPE.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - http://dl.google.com/dl/desktop/nv/GoogleG...PluginIEWin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qomligg - qomligg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

--
End of file - 6286 bytes

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:26 AM

Posted 30 March 2008 - 12:45 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\kgkltmwb.ini
C:\rvyvhncc.exe
C:\WINDOWS\system32\tvblmjlj.ini
C:\Documents and Settings\Miso\win.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomligg]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How's Opera today? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 MikHornet

MikHornet
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 02 April 2008 - 05:23 AM

Hi again,

Thanks, I've done that, only it didn't ask to reboot after Combofix finished. But I guess it's ok, right? :thumbsup:
Opera seems ok, it's hard to say, but I might just swich back to Mozilla in case it would be faster. Anyway, that is not a big deal.
Below are both the logs. Oh, and btw I just wanted to mention that I will be out-of-town for a week, and I'm not sure if i'll have access to internet. So I hope the topic won't get deleted in case I won't reply for a a week or so..
Anyway thanks again for everything, I don't know how I would deal with this, if it woudn't have found this forum.





ComboFix 08-03-26.3 - Miso 2008-04-02 12:07:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.501 [GMT 2:00]
Running from: C:\Documents and Settings\Miso\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Miso\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Miso\win.exe
C:\rvyvhncc.exe
C:\WINDOWS\system32\kgkltmwb.ini
C:\WINDOWS\system32\tvblmjlj.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Miso\win.exe
C:\rvyvhncc.exe
C:\WINDOWS\system32\kgkltmwb.ini
C:\WINDOWS\system32\tvblmjlj.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-03-30 13:39 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-30 13:38 . 2008-03-30 13:39 <DIR> d-------- C:\Program Files\Java
2008-03-30 13:34 . 2008-03-30 13:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-30 01:28 . 2005-06-21 14:32 28,544 --a------ C:\WINDOWS\system32\drivers\callistx.sys
2008-03-27 14:10 . 2008-02-25 09:59 524,288 -r-h----- C:\F5N.BIN
2008-03-27 13:46 . 2008-03-27 13:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-23 13:29 . 2008-03-23 13:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 12:14 . 2008-03-23 12:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-19 18:27 . 2008-03-19 18:27 <DIR> d-------- C:\Documents and Settings\Miso\Application Data\PC Tools
2008-03-19 18:26 . 2008-04-02 12:02 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-03-19 18:26 . 2008-03-19 18:26 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-03-19 18:26 . 2008-03-19 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-19 18:26 . 2007-12-06 17:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2008-03-19 18:26 . 2007-12-06 17:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2008-03-19 18:26 . 2008-02-12 12:44 21,904 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2008-03-19 16:31 . 2008-03-19 16:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-19 16:31 . 2008-03-19 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-19 16:29 . 2008-03-19 16:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 20:36 . 2008-03-10 22:08 34 --a------ C:\WINDOWS\cdplayer.ini
2008-03-10 20:07 . 2008-03-10 20:37 <DIR> d-------- C:\Program Files\audiograbber
2008-03-10 17:14 . 2008-03-10 17:14 <DIR> d-------- C:\Program Files\Opera
2008-03-10 17:10 . 2008-03-10 17:13 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-03-10 17:04 . 2008-03-10 17:04 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-10 15:08 . 2008-03-10 16:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-10 15:08 . 2008-03-10 15:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-10 12:30 . 2008-03-10 17:10 5,186 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-03-10 02:03 . 2004-08-07 02:17 68,608 --a------ C:\WINDOWS\system32\plugin.ocx
2008-03-10 02:03 . 2004-08-07 02:17 68,608 --a------ C:\WINDOWS\system32\dllcache\plugin.ocx
2008-03-10 02:01 . 2008-03-10 02:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-10 01:27 . 2006-12-19 10:53 1,872,821 --a------ C:\WINDOWS\system32\cygwin1.dll
2008-03-10 01:27 . 2006-10-17 23:29 487,479 --a------ C:\WINDOWS\system32\SkinMagic.dll
2008-03-10 01:27 . 2006-10-16 02:10 66,048 --a------ C:\WINDOWS\system32\cygz.dll
2008-03-09 23:45 . 2008-03-09 23:45 <DIR> d-------- C:\Program Files\Xvid
2008-03-09 23:45 . 2008-04-02 12:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-09 23:45 . 2007-06-28 19:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-09 23:45 . 2002-07-17 10:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2008-03-09 23:45 . 2002-07-17 09:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2008-03-09 23:45 . 2002-07-17 17:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-03-09 23:45 . 2002-07-17 17:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2008-03-09 23:45 . 2008-03-10 00:06 67 --a------ C:\WINDOWS\AoADVDRipper.INI
2008-03-09 18:51 . 2008-03-15 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 23:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 23:28 --------- d-----w C:\Program Files\Atheros
2008-03-28 10:41 --------- d-----w C:\Documents and Settings\Miso\Application Data\gtk-2.0
2008-03-05 07:41 --------- d-----w C:\Program Files\Google
2008-03-01 11:05 --------- d-----w C:\Program Files\ESET
2008-02-28 13:51 --------- d-----w C:\Program Files\StrongDC++
2008-02-09 00:07 --------- d-----w C:\Documents and Settings\Miso\Application Data\Skype
2008-02-02 12:00 --------- d-----w C:\Documents and Settings\Miso\Application Data\BSplayer Pro
2008-01-20 14:04 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_12.27.51.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-03-26 06:15:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-27 11:46:38 4,366,336 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-27 11:46:38 69,632 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-26 06:15:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-27 11:46:33 4,366,336 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-03-27 11:46:33 69,632 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2000-08-31 07:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-03-25 11:23:54 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-27 11:45:40 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-25 11:23:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-27 11:45:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-25 11:23:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-27 11:45:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-04-05 06:19:20 546,112 ----a-w C:\WINDOWS\system32\drivers\ar5211.sys
+ 2007-05-02 18:00:58 546,976 ----a-w C:\WINDOWS\system32\drivers\ar5211.sys
+ 2008-02-21 23:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-21 23:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 00:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-01-28 15:30:38 41,034 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-30 11:15:41 41,034 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-28 15:30:38 314,706 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 11:15:41 314,706 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 06:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 16:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 23:55 54832]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 18:31 630784]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2007-07-19 16:41 49520]
"ASUSTPE"="C:\WINDOWS\system32\ASUSTPE.exe" [2007-01-16 17:13 106496]
"ATKOSD2"="C:\Program Files\ATKOSD2\ATKOSD2.exe" [2007-07-03 11:48 7708672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-30 14:19 917504]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-05-30 22:31 98304]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-16 14:19 81920]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 09:27 61440]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2007-07-10 11:59 851968]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 10:37 1238928]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-16 14:19 8478720]
"INPROCOMMWireless"="C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:56 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\StrongDC++\\StrongDC.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\WINDOWS\System32\StkCSrv.exe [2007-04-19 07:42]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-02-16 09:50]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 05:04]
R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2007-01-15 15:37]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\StkCMini.sys [2007-06-06 11:40]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 20:52]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 12:09:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-04-02 12:10:30
ComboFix-quarantined-files.txt 2008-04-02 10:10:19
ComboFix2.txt 2008-03-27 13:51:17
ComboFix3.txt 2008-03-25 11:30:13
Pre-Run: 21,849,489,408 bytes free
Post-Run: 21,836,115,968 bytes free







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13, on 2008-04-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkCSrv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\system32\ASUSTPE.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [INPROCOMMWireless] C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - http://dl.google.com/dl/desktop/nv/GoogleG...PluginIEWin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

--
End of file - 6829 bytes

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:26 AM

Posted 02 April 2008 - 09:38 AM

Hello,

I don't think we need to worry about dragging this out for a week. Everything looks all right from here, and if you say it looks all right from there, then I believe we're done here. :thumbsup:

I am a bit worried about one thing, and that's that I see 2 AntiVirus Programs on your system, NOD32 and PC Tools. When you do this both programs compete for resources, and the end result is neither does it's best and can cause system instability. I recommend that you choose the one you want to keep, update it, disable or uninstall the other one, and use it as an on demand only scan occasionally.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 MikHornet

MikHornet
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 03 April 2008 - 07:20 AM

Hi,

so that was really a great news, thank you. From here, it all looks alright, except the computer still seems a little slow on the startup, but I guess it might be due to a large number of applications I've installed, is that possible?
As to the antivirus issue - I will defenitely keep just one of them, do you think NOD32 is the better option? I have used this one for a longer time before, and only installed the PC Tools after I found the infection. But NOD didn't recognized anything was wrong at any time, while having the malware infection.
I also have AdAware as an on-demand scanner, is that ok, or could it also interfere with an antivirus? Do do you think a good combination would be NOD + AdAware + one of the firewalls you've mentioned + one of the antispyware programmes? And I have one last, kind of an akward question: I don't have a legal copy of Windows at the moment - is it still ok to turn on the automatic updates, or could it cause any problems?
Thank you so much for all the help, it is incredible to find someone so helpful as you. I will definitelly recommend this site fo my friends.
take care,

Michal

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:26 AM

Posted 03 April 2008 - 09:15 AM

Hello Michal,

Do do you think a good combination would be NOD + AdAware + one of the firewalls you've mentioned + one of the antispyware programmes?

Yes I do. :wacko:

I don't have a legal copy of Windows at the moment - is it still ok to turn on the automatic updates, or could it cause any problems?

Uh oh! :blink: I don't know.....depends on how good or how bad your copy is. :thumbsup: Try it. Get legal!

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 MikHornet

MikHornet
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 10 April 2008 - 03:29 PM

Thanks again for everything, for all the help and advice. I don't know what i would have done without it.
Take care,

Miso

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:26 AM

Posted 10 April 2008 - 03:44 PM

You're most welcome! Posted Image

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users