
Infected, Spent Whole Day Cleaning, Please Review Logs


  • This topic is locked
2 replies to this topic

#1 TheSacredSoul

TheSacredSoul

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 29 April 2008 - 04:45 AM

Hey guys. I woke up to an extremely unresponsive Firefox with loads of popups. Same goes for IE 7. So I ran the usual AV products, Spyware Doctor and NOD32. Deleted all entries they found. But the problem was still present. So I used Malwarebytes Anti-Malware and deleted all 5 entries it found. The malware was still present after a reboot. So I ran HijackThis, ComboFix and then HijackThis for the last time.

First HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:45 PM, on 29/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\vVX1000.exe
C:\Program Files\cFosSpeed\cfosspeed.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Brandon Paddock\Start++\Start++.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Shanker\Desktop\VundoFix.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Shanker\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\Windows\vVX1000.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Start++] "C:\Program Files\Brandon Paddock\Start++\Start++.exe" /startup
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [BMdb595955] Rundll32.exe "C:\Users\Shanker\AppData\Local\Temp\mwktinon.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Shanker\AppData\Local\Temp\mlJyWNHW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Shanker\AppData\Local\Temp\mlJYpOGV.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: SetPointII.lnk = ?
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{06A72CBA-70DB-4642-A79B-9BFF45051754}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{06A72CBA-70DB-4642-A79B-9BFF45051754}: NameServer = 208.67.222.222,208.67.220.220
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 7016 bytes




This is the ComboFix Log:

ComboFix 08-04-28.2 - Shanker 2008-04-29 17:25:43.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1218 [GMT 8:00]
Running from: C:\Users\Shanker\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\hGvuUKCt.dll
C:\Windows\system32\kHAPihih.dll
C:\Windows\system32\mLEXpPJc.dll
C:\Windows\system32\vtUmKDWQ.dll
C:\Windows\system32\yATjkkKE.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-29 17:06 . 2008-04-29 17:08 <DIR> d-------- C:\ComboFix(27)
2008-04-29 16:23 . 2008-04-29 16:23 <DIR> d-------- C:\VundoFix Backups
2008-04-29 15:19 . 2008-04-29 15:34 <DIR> d-------- C:\Windows\System32\HouseCall 6.6
2008-04-29 15:19 . 2008-04-29 15:21 <DIR> d-------- C:\Users\Shanker\AppData\Roaming\HouseCall 6.6
2008-04-29 15:19 . 2007-12-24 17:37 138,384 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-04-29 14:57 . 2008-04-29 14:57 <DIR> d-------- C:\Users\Shanker\AppData\Roaming\Malwarebytes
2008-04-29 14:56 . 2008-04-29 14:56 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-29 14:56 . 2008-04-29 14:56 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-29 14:56 . 2008-04-29 14:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 14:12 . 2008-04-29 14:12 <DIR> d-------- C:\Users\All Users\avg8
2008-04-29 14:12 . 2008-04-29 14:12 <DIR> d-------- C:\ProgramData\avg8
2008-04-29 14:12 . 2008-04-29 14:12 <DIR> d-------- C:\Program Files\AVG
2008-04-29 13:58 . 2008-04-29 13:58 <DIR> d-------- C:\Program Files\Java
2008-04-29 13:56 . 2008-04-29 13:56 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-29 13:11 . 2008-04-29 13:11 <DIR> d-------- C:\Users\Shanker\AppData\Roaming\TuneUp Software
2008-04-29 11:37 . 2008-04-29 11:37 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-29 11:37 . 2008-04-29 11:37 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-04-29 11:35 . 2008-04-29 11:35 <DIR> d-------- C:\Users\Shanker\AppData\Roaming\SUPERAntiSpyware.com
2008-04-29 11:35 . 2008-04-29 11:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 11:22 . 2008-04-29 11:28 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-29 11:22 . 2008-04-29 11:28 <DIR> d-------- C:\ProgramData\Lavasoft
2008-04-29 11:22 . 2008-04-29 11:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-29 11:11 . 2008-04-29 11:25 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-29 11:11 . 2008-04-29 11:25 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-29 11:11 . 2008-04-29 11:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-29 03:00 . 2008-04-29 03:00 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-29 01:36 . 2008-04-29 01:36 <DIR> d-------- C:\Program Files\WinSCP
2008-04-29 01:16 . 2008-04-29 01:16 <DIR> d-------- C:\Program Files\RivaTuner v2.08
2008-04-28 23:18 . 2008-04-28 23:18 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-28 23:15 . 2008-04-29 03:02 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-04-28 23:15 . 2008-04-29 03:02 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-04-28 21:02 . 2004-08-04 08:00 506,368 --a------ C:\Windows\System32\msxml.dll
2008-04-28 21:02 . 2008-04-28 21:02 51,355 --a------ C:\Windows\System32\muzika.xm
2008-04-28 20:52 . 2008-04-28 20:52 <DIR> d-------- C:\Program Files\CCleaner
2008-04-28 20:15 . 2003-12-09 10:04 10,368 --a------ C:\Windows\System32\drivers\rramdisk.sys
2008-04-28 18:20 . 2008-04-28 18:20 <DIR> d-------- C:\Program Files\Common Files\Steam
2008-04-28 18:14 . 2008-04-28 18:14 <DIR> d-------- C:\Users\Shanker\AppData\Roaming\vlc
2008-04-28 18:13 . 2008-04-28 18:13 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-28 17:59 . 2008-04-28 17:59 <DIR> d-------- C:\Program Files\VistaCodecPack
2008-04-28 16:53 . 2008-04-28 16:53 <DIR> d-------- C:\Users\Shanker\AppData\Roaming\PC Tools
2008-04-28 16:53 . 2008-04-29 16:39 <DIR> d-a------ C:\Users\All Users\TEMP
2008-04-28 16:53 . 2008-04-29 16:39 <DIR> d-a------ C:\ProgramData\TEMP
2008-04-28 16:53 . 2008-04-29 14:26 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-28 16:53 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-04-28 16:53 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-04-28 16:53 . 2007-12-10 14:53 41,864 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-04-28 16:53 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-04-28 14:15 . 2008-04-28 14:15 <DIR> d-------- C:\Users\All Users\DFX
2008-04-28 14:15 . 2008-04-28 14:15 <DIR> d-------- C:\ProgramData\DFX
2008-04-28 14:15 . 2008-04-28 14:15 <DIR> d-------- C:\Program Files\DFX
2008-04-28 14:01 . 2008-04-28 14:01 <DIR> d-------- C:\Users\All Users\SRS Labs
2008-04-28 14:01 . 2008-04-28 14:01 <DIR> d-------- C:\ProgramData\SRS Labs
2008-04-28 14:00 . 2008-04-28 14:00 <DIR> d-------- C:\Program Files\SRS Labs
2008-04-28 14:00 . 2007-07-26 09:25 47,360 --a------ C:\Windows\System32\drivers\Surroundhp_kern_i386.sys
2008-04-28 14:00 . 2007-07-26 09:25 47,104 --a------ C:\Windows\System32\drivers\tshd4_kern_i386.sys
2008-04-28 14:00 . 2007-07-26 09:25 42,112 --a------ C:\Windows\System32\drivers\csiidecoder_kern_i386.sys
2008-04-28 14:00 . 2007-07-26 09:25 39,808 --a------ C:\Windows\System32\drivers\SRS_SSCFilter_i386.sys
2008-04-28 14:00 . 2007-07-26 09:25 32,000 --a------ C:\Windows\System32\drivers\wowhd_kern_i386.sys
2008-04-28 13:59 . 2008-03-03 14:25 5,702 --ah----- C:\Windows\nod32restoretemdono.reg
2008-04-28 13:59 . 2008-03-03 18:21 568 --ah----- C:\Windows\nod32fixtemdono.reg
2008-04-28 13:58 . 2008-04-28 13:58 <DIR> d-------- C:\Users\All Users\ESET
2008-04-28 13:58 . 2008-04-28 13:58 <DIR> d-------- C:\ProgramData\ESET
2008-04-28 13:58 . 2008-04-28 13:58 <DIR> d-------- C:\Program Files\ESET
2008-04-28 13:42 . 2008-04-28 12:49 <DIR> d-------- C:\Windows\Panther
2008-04-28 13:39 . 2008-04-28 13:39 <DIR> d-------- C:\Program Files\ZincPlay
2008-04-28 13:34 . 2008-04-29 14:50 <DIR> d-------- C:\Windows.old
2008-04-28 13:29 . 2008-02-07 17:10 <DIR> d--h----- C:\ckis
2008-04-28 12:52 . 2008-04-28 12:52 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-28 12:51 . 2008-04-28 21:00 <DIR> d-------- C:\Windows\Debug
2008-04-28 12:51 . 2008-04-28 12:51 <DIR> d-------- C:\Users\All Users\Kaspersky Lab Setup Files
2008-04-28 12:51 . 2008-04-28 12:51 <DIR> d-------- C:\ProgramData\Kaspersky Lab Setup Files
2008-04-28 12:44 . 2008-04-29 17:27 <DIR> d-------- C:\Program Files\cFosSpeed
2008-04-28 12:44 . 2008-02-14 18:27 715,992 -ra------ C:\Windows\System32\drivers\cfosspeed.sys
2008-04-28 12:44 . 2008-02-14 18:27 285,912 --a------ C:\Windows\System32\cfosspeed.dll
2008-04-28 12:21 . 2008-04-28 12:25 <DIR> d-------- C:\Users\Shanker\AppData\Roaming\Canon
2008-04-28 12:20 . 2008-04-28 12:20 <DIR> d-------- C:\Program Files\Canon
2008-04-28 12:20 . 2008-04-28 12:20 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-28 12:18 . 2008-04-28 12:18 <DIR> d--h----- C:\Windows\System32\CanonIJ Uninstaller Information
2008-04-28 12:18 . 2008-04-28 12:18 <DIR> d--h----- C:\Users\All Users\CanonBJ
2008-04-28 12:18 . 2008-04-28 12:18 <DIR> d--h----- C:\ProgramData\CanonBJ
2008-04-28 12:17 . 2008-04-28 12:17 <DIR> d--h----- C:\Program Files\CanonBJ
2008-04-28 12:17 . 2007-03-23 16:30 1,400,832 --a------ C:\Windows\System32\CNC220C.DLL
2008-04-28 12:17 . 2008-02-06 05:00 216,064 --a------ C:\Windows\System32\CNMLM8T.DLL
2008-04-28 12:17 . 2007-03-19 10:18 200,704 --a------ C:\Windows\System32\CNC220L.DLL
2008-04-28 12:17 . 2007-03-15 14:12 188,416 --a------ C:\Windows\System32\CNC220O.DLL
2008-04-28 12:17 . 2007-03-23 16:29 98,304 --a------ C:\Windows\System32\CNC220I.DLL
2008-04-28 12:11 . 2008-04-28 12:11 <DIR> d-------- C:\Program Files\BitLocker
2008-04-28 12:11 . 2007-02-22 10:26 1,171,848 --a------ C:\Windows\System32\SecureKeyBackupCPL.dll
2008-04-28 12:11 . 2007-07-20 07:55 233,888 --a------ C:\Windows\System32\DreamScene.dll
2008-04-28 12:11 . 2006-12-21 08:58 711 --a------ C:\Windows\System32\CPSOKBTasks.xml
2008-04-28 01:54 . 2008-04-28 14:22 <DIR> d-------- C:\Windows\System32\RTCOM
2008-04-28 01:54 . 2008-04-28 01:54 <DIR> d-------- C:\Program Files\Yamicsoft
2008-04-28 01:53 . 2008-04-16 14:28 2,172,416 --a------ C:\Windows\System32\RtkAPO.dll
2008-04-28 01:53 . 2008-04-02 09:27 1,196,032 --a------ C:\Windows\RtlUpd.exe
2008-04-28 01:53 . 2008-04-28 14:22 319,456 --a------ C:\Windows\DIFxAPI.dll
2008-04-28 01:53 . 2008-04-28 01:53 315,392 --a------ C:\Windows\HideWin.exe
2008-04-28 01:53 . 2008-04-03 16:51 31,232 --a------ C:\Windows\System32\RtkCoInst.dll
2008-04-28 01:43 . 2008-04-28 01:43 <DIR> d-------- C:\Program Files\Intel
2008-04-28 01:43 . 2008-04-28 14:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-28 01:43 . 2007-07-26 16:15 53,248 --a------ C:\Windows\System32\CSVer.dll
2008-04-28 01:40 . 2008-04-28 01:42 <DIR> d-------- C:\Program Files\Driver Magician
2008-04-28 01:40 . 2004-03-09 00:00 1,081,616 --a------ C:\Windows\System32\Mscomctl.ocx
2008-04-28 01:40 . 2004-09-28 11:13 526,184 --a------ C:\Windows\System32\XceedCry.dll
2008-04-28 01:40 . 2005-01-12 11:19 456,536 --a------ C:\Windows\System32\XCEEDZIP.DLL
2008-04-28 01:40 . 2004-03-09 00:00 224,016 --a------ C:\Windows\System32\Tabctl32.ocx
2008-04-28 01:40 . 2004-03-09 00:00 152,848 --a------ C:\Windows\System32\Comdlg32.ocx
2008-04-28 01:40 . 2004-03-09 00:00 132,880 --a------ C:\Windows\System32\Msinet.ocx
2008-04-28 01:40 . 2004-08-11 15:55 110,602 --a------ C:\Windows\System32\xcdsfx32.bin
2008-04-28 01:34 . 2008-04-28 01:34 <DIR> d-------- C:\Windows\System32\Macromed
2008-04-28 01:14 . 2008-04-28 01:14 <DIR> d-------- C:\Windows\WinRAR
2008-04-28 00:38 . 2008-04-28 00:54 <DIR> d----c--- C:\Windows\System32\DRVSTORE
2008-04-28 00:38 . 2008-04-28 00:38 <DIR> d-------- C:\Users\All Users\Raxco
2008-04-28 00:38 . 2008-04-28 00:38 <DIR> d-------- C:\ProgramData\Raxco
2008-04-28 00:38 . 2008-04-28 00:38 <DIR> d-------- C:\Program Files\Raxco
2008-04-27 23:30 . 2008-04-27 23:30 <DIR> d-------- C:\Program Files\Brandon Paddock
2008-04-27 22:53 . 2008-04-27 22:53 <DIR> d-------- C:\Program Files\Microsoft LifeCam
2008-04-27 22:53 . 2006-09-28 16:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
2008-04-27 22:53 . 2008-04-27 22:52 729,088 --a------ C:\Windows\iun6002.exe
2008-04-27 22:53 . 2006-09-28 16:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
2008-04-27 22:53 . 2006-07-28 09:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
2008-04-27 22:53 . 2006-09-28 16:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
2008-04-27 22:53 . 2006-07-28 09:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
2008-04-27 22:53 . 2006-09-28 16:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
2008-04-27 22:52 . 2005-05-26 15:34 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll
2008-04-27 22:43 . 2008-04-27 22:50 139,264 --a------ C:\Windows\War3Unin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 15:23 --------- d-----w C:\Program Files\MSBuild
2008-04-28 10:21 --------- d-----w C:\Program Files\Steam
2008-04-28 04:10 --------- d-----w C:\Program Files\Microsoft Games
2008-04-27 14:04 --------- d-----w C:\Program Files\Windows Mail
2008-03-06 22:29 966,656 ----a-w C:\Windows\System32\VSFilter.dll
2008-01-21 02:41 174 --sha-w C:\Program Files\desktop.ini
.
----a-w		 7,019,335 2008-04-21 13:52:42  C:\Windows.old\Documents and Settings\Shanker\My Documents\Downloads\Download Accelerator Plus 8.6.1.4 Final\DAP Premium .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Start++"="C:\Program Files\Brandon Paddock\Start++\Start++.exe" [2008-04-26 14:36 570880]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2007-10-26 16:04 4354048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-21 10:21 1008184]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-03-24 19:52 13531680]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-03-24 19:52 92704]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-07-17 17:39 55824 C:\Windows\KHALMNPR.Exe]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 14:45 279912]
"VX1000"="C:\Windows\vVX1000.exe" [2007-04-10 14:46 709992]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2008-02-14 18:27 863448]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"RegistryMechanic"="" []
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

C:\Users\Shanker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [4/27/2008 10:40:45 PM 546816]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SetPointII.lnk - C:\Program Files\Logitech\SetPoint II\SetpointII.exe [8/30/2007 6:13:06 PM 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-133699762-1143349623-1838495381-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{3A3C4496-776D-45BC-9BF1-FA5CB3752FCD}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{6354ADA0-9238-4FD3-ABFC-59DD84AD5562}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{2CFDB37E-3576-403F-88A8-8EB87475DEC0}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AA8E9DBE-755E-46D9-AB5F-DB2ACB89D8FB}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{F840C555-3493-4601-9601-1CD1B0A8D0B4}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{B74B90CF-09E5-4711-846C-F1F3D6686DD7}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{BE59E1B4-511A-43B8-B2B9-1231343398AB}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 RRamdisk;Ramdisk Driver;C:\Windows\system32\DRIVERS\rramdisk.sys [2003-12-09 10:04]
R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 14:45]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-04-16 13:00]
R3 RecFltr;Reclusa Keyboard;C:\Windows\system32\Drivers\RecFltr.sys [2007-01-18 09:21]
R3 VX1000;VX-1000;C:\Windows\system32\DRIVERS\VX1000.sys [2007-04-10 14:46]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\Windows\system32\regedt32.exe [2006-11-02 17:45]
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-04-16 13:00]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-14 19:32]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-21 10:21]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-21 10:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 17:27:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-29 17:27:49
ComboFix-quarantined-files.txt 2008-04-29 09:27:46
ComboFix2.txt 2008-04-29 09:08:34
ComboFix3.txt 2008-04-29 08:52:56
ComboFix4.txt 2008-04-29 08:44:37

Pre-Run: 69,464,858,624 bytes free
Post-Run: 69,472,964,608 bytes free

230 --- E O F --- 2008-04-28 12:49:54




Lastly, the final HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:21 PM, on 29/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\vVX1000.exe
C:\Program Files\cFosSpeed\cfosspeed.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Brandon Paddock\Start++\Start++.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Shanker\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\Windows\vVX1000.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Start++] "C:\Program Files\Brandon Paddock\Start++\Start++.exe" /startup
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: SetPointII.lnk = ?
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{06A72CBA-70DB-4642-A79B-9BFF45051754}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{06A72CBA-70DB-4642-A79B-9BFF45051754}: NameServer = 208.67.222.222,208.67.220.220
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4668 bytes




Can anyone look through to see if there is still any malware left? My system seems to be back to normal and there isn't lag in browsers and no popups. But just to be sure, I'm posting the log. Thanks guys!!

Edited by TheSacredSoul, 29 April 2008 - 04:48 AM.
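As an added illustration, not part of the original thread and not a HijackThis feature, here is a small Python triage script that runs over O2/O4 lines copied from the two HijackThis logs posted above (the first scan and the final one). It flags the entries a malware responder would look at first, namely rundll32 loading a DLL out of a Temp folder and a BHO whose file is missing, and then lists which autostart entries disappeared between the first and final scan. The two line-format regexes and the "\Temp\" heuristic are my own assumptions about the log format, not rules taken from the tool.

```python
import re
from typing import Dict, List, Tuple

# O2/O4 lines copied from the two HijackThis logs posted above
# (first scan at 4:24 PM, final scan at 5:31 PM).
FIRST_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [BMdb595955] Rundll32.exe "C:\Users\Shanker\AppData\Local\Temp\mwktinon.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Shanker\AppData\Local\Temp\mlJyWNHW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Shanker\AppData\Local\Temp\mlJYpOGV.dll,#1
"""

FINAL_LOG = r"""
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
"""

# Assumed line shapes (my reading of the log format, not an official grammar):
#   O4 - <hive>: [<name>] <command line>
#   O2 - BHO: <name> - {<CLSID>} - <dll path or "(no file)">
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<file>.*)$')
# First (optionally quoted) argument after rundll32[.exe] is the DLL being loaded.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)


def parse_autostarts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per O2/O4 line; other HijackThis sections are ignored here."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = O4_RE.match(raw)
        if m:
            entries.append({"kind": "O4", "name": m["name"], "target": m["cmd"], "raw": raw})
            continue
        m = O2_RE.match(raw)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "target": m["file"], "raw": raw})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag (entry name, reason) pairs a responder would want to check first."""
    findings = []
    for e in entries:
        # A BHO whose DLL no longer exists is either orphaned or a partial removal.
        if e["kind"] == "O2" and e["target"].strip() == "(no file)":
            findings.append((e["name"], "BHO registered but its DLL is missing"))
            continue
        # Legitimate rundll32 autostarts point at system32 or Program Files;
        # a DLL under a user's Temp folder is the pattern worth a closer look.
        m = RUNDLL_RE.match(e["target"])
        if m and "\\temp\\" in m["dll"].lower():
            findings.append((e["name"], f"rundll32 loads a DLL from a Temp folder: {m['dll']}"))
    return findings


def removed_between(first_log: str, final_log: str) -> List[str]:
    """Raw autostart lines present in the first scan but gone from the final one."""
    final_raw = {e["raw"] for e in parse_autostarts(final_log)}
    return [e["raw"] for e in parse_autostarts(first_log) if e["raw"] not in final_raw]


if __name__ == "__main__":
    for name, reason in triage(parse_autostarts(FIRST_LOG)):
        print(f"first scan  [{name}] {reason}")
    print("final scan findings:", triage(parse_autostarts(FINAL_LOG)))
    for line in removed_between(FIRST_LOG, FINAL_LOG):
        print("removed:", line)
```

The diff step is there on purpose: not every entry that vanished is malicious (the Spyware Doctor tray entry is gone from the final log too), so a responder reads the removed list alongside the flagged list rather than treating removal alone as proof of cleanup.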


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:46 AM

Posted 09 May 2008 - 10:52 AM

Hello TheSacredSoul,

Welcome to Bleeping Computer :blink:

Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:46 AM

Posted 19 May 2008 - 11:48 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



