Unknown Infection Fuzzy Algorithm Check?


14 replies to this topic

#1 shahdad

Posted 28 April 2008 - 03:41 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:21 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Shahab\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1200981727203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1200981682468
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: mlJDvurR - mlJDvurR.dll (file missing)
O21 - SSODL: zip - {873a129d-f584-4778-a7c6-8ee2fbea8c07} - (no file)
O21 - SSODL: ComponentChk - {f2614086-44a9-4df5-95cf-0d9acd2e3ea7} - (no file)
O21 - SSODL: alofkmn - {08D8031D-17BA-4360-A07B-31D08BE6FEE9} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6543 bytes


#2 rookie147

Posted 28 April 2008 - 04:41 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 shahdad

Posted 01 May 2008 - 02:03 PM

combofix log attached

thx


#4 rookie147

Posted 02 May 2008 - 04:19 PM

Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with Combofix and post back the new log, along with a HijackThis log.
Thanks,
Charles



#5 shahdad

Posted 03 May 2008 - 05:50 PM

I followed the steps - installed the Recovery Console, disabled all firewalls and anti-virus, re-scanned.

New log attached.

thx


#6 rookie147

Posted 04 May 2008 - 02:31 AM

And can I have a new HijackThis log as requested? Please don't attach the files, it is pointless and creates more work for us both.



#7 shahdad

Posted 04 May 2008 - 03:23 PM

Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:39 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1200981727203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1200981682468
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: mlJDvurR - mlJDvurR.dll (file missing)
O21 - SSODL: zip - {873a129d-f584-4778-a7c6-8ee2fbea8c07} - (no file)
O21 - SSODL: ComponentChk - {f2614086-44a9-4df5-95cf-0d9acd2e3ea7} - (no file)
O21 - SSODL: alofkmn - {08D8031D-17BA-4360-A07B-31D08BE6FEE9} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7467 bytes

#8 rookie147

Posted 06 May 2008 - 03:29 PM

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: mlJDvurR - mlJDvurR.dll (file missing)
O21 - SSODL: zip - {873a129d-f584-4778-a7c6-8ee2fbea8c07} - (no file)
O21 - SSODL: ComponentChk - {f2614086-44a9-4df5-95cf-0d9acd2e3ea7} - (no file)
O21 - SSODL: alofkmn - {08D8031D-17BA-4360-A07B-31D08BE6FEE9} - (no file)


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot: IMPORTANT.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

In your reply I would like a new HijackThis log, Combofix log and the Panda report.
Thanks,
Charles

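The selection rule Charles applies in the post above (load points whose target is "(file missing)", "(no file)" or an empty value) written out as a small triage script over HijackThis log lines. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted earlier in this thread, and the section descriptions are the standard HijackThis section meanings.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the HijackThis log posted in this
# thread (a few clean entries plus the orphaned ones Charles listed for fixing).
SAMPLE_LINES = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll",
    r"O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)",
    r"O20 - Winlogon Notify: mlJDvurR - mlJDvurR.dll (file missing)",
    r"O21 - SSODL: zip - {873a129d-f584-4778-a7c6-8ee2fbea8c07} - (no file)",
    r"O21 - SSODL: alofkmn - {08D8031D-17BA-4360-A07B-31D08BE6FEE9} - (no file)",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
]

# Standard meaning of the HijackThis sections that occur in this thread's logs.
SECTION_MEANING = {
    "R0": "IE start/search page registry value",
    "R1": "IE default page/search registry value",
    "O2": "Browser Helper Object (loaded into IE)",
    "O4": "autostart entry (Run/RunOnce key or Startup folder)",
    "O18": "custom URL protocol handler",
    "O20": "Winlogon Notify DLL (loaded at logon)",
    "O21": "ShellServiceObjectDelayLoad entry (loaded by Explorer)",
    "O23": "Windows service",
}

# Every entry looks like "<section> - <body>", e.g. "O21 - SSODL: zip - ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    body: str
    reasons: List[str] = field(default_factory=list)

    @property
    def meaning(self) -> str:
        return SECTION_MEANING.get(self.section, "unknown section")

    def as_fix_line(self) -> str:
        # Same shape as the lines a helper pastes back for "Fix checked".
        return f"{self.section} - {self.body}"


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HijackThis line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def orphan_reasons(body: str) -> List[str]:
    """The signals used in the post above: the load point names a file that is
    no longer on disk, or has no target at all."""
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("target file missing")
    elif body.endswith("(no file)"):
        reasons.append("no file registered")
    if body.rstrip().endswith("="):
        reasons.append("empty value")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue  # header, process list, blank line
        section, body = parsed
        reasons = orphan_reasons(body)
        if reasons:
            findings.append(Finding(section, body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.as_fix_line()}\n    {f.meaning}; {', '.join(f.reasons)}")
```

An orphaned load point is a cleanup candidate, not proof of infection; the entries that still point at an existing file need the usual vendor and hash checks before anything is removed.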


#9 shahdad

Posted 07 May 2008 - 03:23 PM

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:04 AM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\WgaTray.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1200981727203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1200981682468
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7010 bytes

Combofix log:

ComboFix 08-05-01.3 - Shahab 2008-05-07 13:02:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.112 [GMT -7:00]
Running from: C:\Documents and Settings\Shahab\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-07 00:41 . 2008-05-07 00:41 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-07 00:41 . 2008-05-07 00:41 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 13:45 . 2008-05-06 13:24 529 --a------ C:\hpfr5550.xml
2008-05-04 13:22 . 2008-05-04 13:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-02 10:40 . 2008-05-02 10:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-05-02 00:51 . 2008-05-02 00:51 <DIR> d-------- C:\Documents and Settings\Shahab\Application Data\Roxio
2008-05-02 00:49 . 2008-05-02 00:49 <DIR> d-------- C:\Documents and Settings\Shahab\Application Data\Research In Motion
2008-05-02 00:49 . 2008-05-02 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-02 00:49 . 2008-05-02 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-02 00:49 . 2008-05-03 15:20 256 --a------ C:\WINDOWS\system32\pool.bin
2008-05-02 00:44 . 2008-05-02 00:45 <DIR> d-------- C:\Program Files\Roxio
2008-05-02 00:44 . 2008-05-02 00:48 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-02 00:44 . 2008-05-02 00:45 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-05-02 00:44 . 2008-05-02 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-05-02 00:38 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-05-02 00:37 . 2008-05-02 00:37 <DIR> d-------- C:\Documents and Settings\Shahab\Application Data\Blackberry Desktop
2008-05-02 00:36 . 2008-05-02 00:36 <DIR> d-------- C:\Program Files\Research In Motion
2008-05-02 00:36 . 2008-05-02 00:36 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-05-01 22:41 . 2008-05-01 22:49 <DIR> d-------- C:\WINDOWS\Adapt Compact Bluetooth Keyboard
2008-04-28 01:20 . 2008-04-28 01:20 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-28 01:20 . 2008-04-28 01:20 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-26 14:08 . 2006-07-14 08:31 332,288 --a------ C:\WINDOWS\system32\dllcache\netapi32.dll
2008-04-26 13:40 . 2008-04-26 13:40 <DIR> d-------- C:\Documents and Settings\Shahab\Application Data\Uniblue
2008-04-25 11:35 . 2008-04-28 00:35 109,747 --a------ C:\WINDOWS\BM6340b7a5.xml
2008-04-24 19:03 . 2008-04-24 19:03 280 --ah----- C:\sqmdata13.sqm
2008-04-24 19:03 . 2008-04-24 19:03 244 --ah----- C:\sqmnoopt13.sqm
2008-04-24 14:08 . 2008-04-24 14:08 <DIR> d-------- C:\WINDOWS\system32\bharebio16
2008-04-24 14:08 . 2008-04-24 14:08 352,410 --a------ C:\WINDOWS\ope20D.exe
2008-04-24 14:08 . 2008-04-24 14:08 111,847 --a------ C:\WINDOWS\system32\ope214.exe
2008-04-24 14:08 . 2008-04-24 14:08 0 --a------ C:\WINDOWS\system32\ope214.tmp
2008-04-24 14:08 . 2008-04-24 14:08 0 --a------ C:\WINDOWS\system32\ope213.tmp
2008-04-24 14:08 . 2008-04-24 14:08 0 --a------ C:\WINDOWS\ope212.tmp
2008-04-24 14:08 . 2008-04-24 14:08 0 --a------ C:\WINDOWS\ope20D.tmp
2008-04-23 13:20 . 2008-04-23 13:20 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-20 00:36 . 2008-04-20 00:36 41 ---hs---- C:\Documents and Settings\All Users\Application Data\.zreglib
2008-04-20 00:35 . 2008-04-20 00:36 24 ---hs---- C:\WINDOWS\SEA82DF50.tmp
2008-04-19 18:37 . 2008-05-02 00:13 <DIR> d-------- C:\Documents and Settings\Shahab\Contacts
2008-04-19 11:49 . 2008-04-19 11:49 0 --a------ C:\WINDOWS\Irremote.ini
2008-04-13 19:15 . 2008-04-13 19:15 268 --ah----- C:\sqmdata12.sqm
2008-04-13 19:15 . 2008-04-13 19:15 244 --ah----- C:\sqmnoopt12.sqm
2008-04-08 15:47 . 2008-02-19 22:19 147,968 --a------ C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-04-08 15:47 . 2008-02-20 11:49 45,568 --a------ C:\WINDOWS\system32\dllcache\dnsrslvr.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 00:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 00:34 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-04 00:33 --------- d-----w C:\Program Files\Windows Live
2008-05-04 00:33 --------- d-----w C:\Program Files\DivX
2008-05-02 20:56 89,800 ----a-w C:\Documents and Settings\Shahab\Application Data\GDIPFONTCACHEV1.DAT
2008-05-02 07:44 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-26 20:09 2,412 ----a-w C:\WINDOWS\system32\tmp.reg
2008-04-24 21:05 --------- d-----w C:\Documents and Settings\Shahab\Application Data\uTorrent
2008-04-23 20:26 --------- d-----w C:\Program Files\QuickTax 2007
2008-04-19 18:52 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-19 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-11 23:03 --------- d-----w C:\Documents and Settings\Shahab\Application Data\Intuit Canada
2008-03-11 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-03-01 00:48 4,230,520 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-23 08:30 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-02-22 10:00 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-10 06:07 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-22 05:38 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-01-22 05:38 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-01-22 05:38 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat
2008-01-22 05:38 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-09 17:19 188416]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 06:06 124928 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2008-01-30 11:45:23 98304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys [2006-02-26 08:19]

*Newly Created Service* - RKPAVPROC
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 07:34:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 13:04:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 13:05:25
ComboFix-quarantined-files.txt 2008-05-07 20:05:17

Pre-Run: 14,088,257,536 bytes free
Post-Run: 14,121,480,192 bytes free

141 --- E O F --- 2008-05-06 18:35:13

Panda report:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-07 11:59:47
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.3408.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[.com.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[.xiti.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[server.iad.liveperson.net/hc/19452074]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[server.iad.liveperson.net/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[.realmedia.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[.did-it.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Shahab\Application Data\Mozilla\Firefox\Profiles\cagbalki.default\cookies.txt[.atwola.com/]
00293079 Spyware/7r7t Spyware No 1 Yes No C:\WINDOWS\system32\ope214.exe
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{3154E711-9AD5-4FE0-B9E3-97309AE58F00}\RP11\A0002597.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{3154E711-9AD5-4FE0-B9E3-97309AE58F00}\RP10\A0002356.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{3154E711-9AD5-4FE0-B9E3-97309AE58F00}\RP10\A0002355.exe[327882R2FWJFW\NirCmdC.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location [s
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description [s
;===================================================================================================================================================================================
133387 MEDIUM MS06-065 [s
120823 MEDIUM MS06-030 [s
93454 MEDIUM MS05-049 [s
;===================================================================================================================================================================================

Edited by shahdad, 07 May 2008 - 03:24 PM.


#10 rookie147

Posted 08 May 2008 - 04:15 PM

Hi again,
Let's clean out your temporary internet files:
Close all open windows before we start.
Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Now we'll clean other temporary files and your Recycle Bin:
Go to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quote box below into the document:

File::
C:\sqmdata13.sqm
C:\sqmnoopt13.sqm
C:\WINDOWS\ope20D.exe
C:\WINDOWS\system32\ope214.exe
C:\WINDOWS\system32\ope214.tmp
C:\WINDOWS\system32\ope213.tmp
C:\WINDOWS\ope212.tmp
C:\WINDOWS\ope20D.tmp
C:\WINDOWS\SEA82DF50.tmp
C:\sqmdata12.sqm
C:\sqmnoopt12.sqm

Folder::
C:\WINDOWS\system32\bharebio16


Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:


This will start ComboFix again.
A new log will be created, which I would like to see in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 shahdad

Posted 08 May 2008 - 09:07 PM

ComboFix 08-05-01.3 - Shahab 2008-05-08 18:47:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.100 [GMT -7:00]
Running from: C:\Documents and Settings\Shahab\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shahab\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\WINDOWS\ope20D.exe
C:\WINDOWS\ope20D.tmp
C:\WINDOWS\ope212.tmp
C:\WINDOWS\SEA82DF50.tmp
C:\WINDOWS\system32\ope213.tmp
C:\WINDOWS\system32\ope214.exe
C:\WINDOWS\system32\ope214.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\WINDOWS\ope20D.exe
C:\WINDOWS\ope20D.tmp
C:\WINDOWS\ope212.tmp
C:\WINDOWS\SEA82DF50.tmp
C:\WINDOWS\system32\bharebio16
C:\WINDOWS\system32\bharebio16\bharebio162291.exe
C:\WINDOWS\system32\ope213.tmp
C:\WINDOWS\system32\ope214.exe
C:\WINDOWS\system32\ope214.tmp

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-07 00:41 . 2008-05-07 00:41 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-07 00:41 . 2008-05-07 00:41 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 13:45 . 2008-05-08 11:01 529 --a------ C:\hpfr5550.xml
2008-05-04 13:22 . 2008-05-04 13:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-02 10:40 . 2008-05-02 10:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-05-02 00:51 . 2008-05-02 00:51 <DIR> d-------- C:\Documents and Settings\Shahab\Application Data\Roxio
2008-05-02 00:49 . 2008-05-02 00:49 <DIR> d-------- C:\Documents and Settings\Shahab\Application Data\Research In Motion
2008-05-02 00:49 . 2008-05-02 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-02 00:49 . 2008-05-02 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-02 00:49 . 2008-05-03 15:20 256 --a------ C:\WINDOWS\system32\pool.bin
2008-05-02 00:44 . 2008-05-02 00:45 <DIR> d-------- C:\Program Files\Roxio
2008-05-02 00:44 . 2008-05-02 00:48 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-02 00:44 . 2008-05-02 00:45 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-05-02 00:44 . 2008-05-02 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-05-02 00:38 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-05-02 00:37 . 2008-05-02 00:37 <DIR> d-------- C:\Documents and Settings\Shahab\Application Data\Blackberry Desktop
2008-05-02 00:36 . 2008-05-02 00:36 <DIR> d-------- C:\Program Files\Research In Motion
2008-05-02 00:36 . 2008-05-02 00:36 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-05-01 22:41 . 2008-05-01 22:49 <DIR> d-------- C:\WINDOWS\Adapt Compact Bluetooth Keyboard
2008-04-28 01:20 . 2008-04-28 01:20 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-28 01:20 . 2008-04-28 01:20 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-26 14:08 . 2006-07-14 08:31 332,288 --a------ C:\WINDOWS\system32\dllcache\netapi32.dll
2008-04-26 13:40 . 2008-04-26 13:40 <DIR> d-------- C:\Documents and Settings\Shahab\Application Data\Uniblue
2008-04-25 11:35 . 2008-04-28 00:35 109,747 --a------ C:\WINDOWS\BM6340b7a5.xml
2008-04-23 13:20 . 2008-04-23 13:20 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-20 00:36 . 2008-04-20 00:36 41 ---hs---- C:\Documents and Settings\All Users\Application Data\.zreglib
2008-04-19 18:37 . 2008-05-02 00:13 <DIR> d-------- C:\Documents and Settings\Shahab\Contacts
2008-04-19 11:49 . 2008-04-19 11:49 0 --a------ C:\WINDOWS\Irremote.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 00:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 00:34 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-04 00:33 --------- d-----w C:\Program Files\Windows Live
2008-05-04 00:33 --------- d-----w C:\Program Files\DivX
2008-05-02 20:56 89,800 ----a-w C:\Documents and Settings\Shahab\Application Data\GDIPFONTCACHEV1.DAT
2008-05-02 07:44 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-26 20:09 2,412 ----a-w C:\WINDOWS\system32\tmp.reg
2008-04-24 21:05 --------- d-----w C:\Documents and Settings\Shahab\Application Data\uTorrent
2008-04-23 20:26 --------- d-----w C:\Program Files\QuickTax 2007
2008-04-19 18:52 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-19 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-11 23:03 --------- d-----w C:\Documents and Settings\Shahab\Application Data\Intuit Canada
2008-03-11 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-03-01 00:48 4,230,520 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-23 08:30 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-02-22 10:00 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:19 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-10 06:07 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-22 05:38 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-01-22 05:38 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-01-22 05:38 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat
2008-01-22 05:38 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-09 17:19 188416]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 06:06 124928 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2008-01-30 11:45:23 98304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys [2006-02-26 08:19]

*Newly Created Service* - RKPAVPROC
.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 06:01:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 18:48:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-08 18:49:54
ComboFix-quarantined-files.txt 2008-05-09 01:49:47
ComboFix2.txt 2008-05-07 20:05:26

Pre-Run: 14,123,827,200 bytes free
Post-Run: 14,114,717,696 bytes free

160 --- E O F --- 2008-05-06 18:35:13

#12 rookie147

Posted 10 May 2008 - 04:22 PM

How do things seem to be running now?



#13 shahdad

Posted 10 May 2008 - 11:25 PM

Everything seems to be running smoothly for now.

Thank you for your help!

#14 rookie147

Posted 11 May 2008 - 03:32 PM

Great job! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting reinfected:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programmes:
Ad-Aware 2007
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles



#15 rookie147

Posted 25 May 2008 - 03:28 PM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
