Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Bagle Trojan Problem


  • This topic is locked This topic is locked
3 replies to this topic

#1 leeisl

leeisl

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 02 May 2008 - 01:30 PM

Hello,

A day or two ago my computer was infected with the Bagle trojan, I thought I had removed it with ComboFix but every time I reboot my computer some traces of it pop up again so I think that is still some unmoved bits left. Will appreciate help in removing any leftover infection.

HijackThis Log:
Deckard's System Scanner v20071014.68
Run by Leslie on 2008-05-03 04:26:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 11.57 GiB (less than 15%) free.


-- HijackThis (run as Leslie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:50 AM, on 3/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Leslie\Desktop\dss.exe
C:\DOCUME~1\Leslie\Desktop\Leslie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.135.145.204:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] c:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V12\Atlscript.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V12\Atlscript.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119776302343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120665591437
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Unknown owner - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Confluent License Manager (ConfluentLM) - Unknown owner - C:\WINDOWS\system32\confluent_elmd.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 10790 bytes

-- Files created between 2008-04-03 and 2008-05-03 -----------------------------

2008-05-03 04:13:31 0 d-------- C:\WINDOWS\system32\drivers\downld
2008-05-03 03:43:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-03 03:43:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-03 03:19:37 0 d-------- C:\cmdcons
2008-05-03 03:04:03 68096 --a------ C:\WINDOWS\zip.exe
2008-05-03 03:04:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-03 03:04:02 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-03 03:04:02 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-03 03:04:02 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-03 03:04:02 98816 --a------ C:\WINDOWS\sed.exe
2008-05-03 03:04:02 80412 --a------ C:\WINDOWS\grep.exe
2008-05-03 03:04:02 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-03 02:25:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 03:18:10 0 d-------- C:\Documents and Settings\Leslie\vpworkspace
2008-05-02 03:17:40 0 d-------- C:\Documents and Settings\Leslie\.vplls
2008-05-02 00:21:21 0 d-------- C:\Program Files\Panda Security
2008-05-01 23:13:26 0 d-------- C:\Documents and Settings\Leslie\Application Data\Effexis Software
2008-05-01 23:13:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Effexis Software
2008-04-29 21:41:38 0 d-------- C:\Documents and Settings\Leslie\Application Data\vlc
2008-04-29 18:24:54 0 d-------- C:\Program Files\VideoLAN
2008-04-29 01:35:30 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-29 01:33:15 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-25 15:07:20 0 d-------- C:\Program Files\Sun
2008-04-25 15:04:10 0 d-------- C:\Program Files\Java
2008-04-25 15:03:58 0 d-------- C:\Program Files\Common Files\Java
2008-04-13 21:53:56 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-04-13 21:53:56 2085376 --a------ C:\WINDOWS\system32\x264vfw.dll
2008-04-13 21:53:56 630784 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-04-13 21:53:56 39936 --a------ C:\WINDOWS\system32\huffyuv.dll <Not Verified; Disappearing Inc.; Huffyuv>
2008-04-13 21:53:55 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-13 21:53:55 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-13 21:53:55 438272 --a------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2008-04-13 21:53:54 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-04-13 21:53:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-04-13 21:53:52 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX>
2008-04-13 21:53:51 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-13 21:53:49 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-04-13 21:49:12 0 d-------- C:\Program Files\QT Lite
2008-04-13 21:47:32 0 d-------- C:\Program Files\Real Alternative
2008-04-13 21:47:32 0 d-------- C:\Documents and Settings\Leslie\Application Data\Real
2008-04-13 21:47:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
2008-04-13 21:46:54 159232 --a------ C:\WINDOWS\system\smackw32.dll
2008-04-13 21:46:54 350720 --a------ C:\WINDOWS\system\binkw32.dll
2008-04-13 21:46:54 0 d-------- C:\Program Files\RAD Game Tools Splitter
2008-04-10 13:06:28 8576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys <Not Verified; Microsoft Corporation; VirtualCdRom>
2008-04-06 01:14:57 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-06 01:01:39 0 d-------- C:\Program Files\CCleaner
2008-04-05 21:09:21 0 d-------- C:\Program Files\DAEMON Tools Lite


-- Find3M Report ---------------------------------------------------------------

2008-05-03 04:24:25 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-03 02:20:02 600 --a------ C:\Documents and Settings\Leslie\Application Data\winscp.rnd
2008-05-03 00:30:04 0 d-------- C:\Program Files\PeerGuardian2
2008-05-03 00:15:00 0 d-------- C:\Program Files\eMule
2008-05-03 00:14:41 0 d-------- C:\Documents and Settings\Leslie\Application Data\Azureus
2008-05-02 22:53:49 0 d-------- C:\Program Files\FlashGet
2008-05-02 22:53:46 0 d-------- C:\Program Files\Azureus
2008-05-02 00:06:52 0 d-------- C:\Program Files\Symantec
2008-05-02 00:06:42 0 d-------- C:\Program Files\Common Files
2008-05-02 00:06:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-01 22:14:20 0 d-------- C:\Program Files\DivX
2008-04-29 22:11:30 0 d-------- C:\Documents and Settings\Leslie\Application Data\foobar2000
2008-04-21 20:48:15 0 d-------- C:\Program Files\CDisplay
2008-04-13 21:49:12 0 d-------- C:\Documents and Settings\Leslie\Application Data\Apple Computer
2008-04-13 21:46:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-10 13:00:37 0 d-------- C:\Documents and Settings\Leslie\Application Data\Vso
2008-04-01 17:05:13 0 d-------- C:\Program Files\ATI Technologies
2008-03-31 02:53:44 0 d-------- C:\Documents and Settings\Leslie\Application Data\InstallShield
2008-03-20 15:29:09 0 d-------- C:\Program Files\Windows Live
2008-03-20 15:28:47 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-18 20:20:23 0 d-------- C:\Documents and Settings\Leslie\Application Data\Media Player Classic
2008-03-17 19:04:38 23 --a------ C:\WINDOWS\popcinfot.dat
2008-02-25 20:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [04/08/2004 12:56 AM C:\WINDOWS\system32\irprops.cpl]
"UC_Start"="C:\IBMTools\Updater\ucstartup.exe" [18/03/2003 08:27 AM]
"ibmmessages"="c:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [10/04/2003 01:03 PM]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 10:32 PM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [29/08/2002 03:39 PM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [29/08/2002 03:39 PM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [29/08/2002 03:39 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [11/03/2003 04:24 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [07/03/2003 07:00 PM]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [19/07/2006 11:03 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [19/07/2006 11:03 AM C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [11/08/2006 02:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 02:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [21/01/2008 11:17 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/08/2005 09:00 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [18/08/2005 12:50 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [27/08/2006 07:03 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [01/04/2008 07:39 PM]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [10/04/2003 01:03 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [7/12/2006 9:02:17 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [09/10/2004 03:18 PM 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- Z:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27d9a395-1301-11db-9b92-00096b6f7d9e}]
AutoRun\command- G:\SETUP.EXE
setup\command- G:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-05-03 04:27:18 ------------

BC AdBot (Login to Remove)

 


#2 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:06:07 PM

Posted 23 May 2008 - 05:45 AM

Hi leeisl,

I'm sorry it's taken so long for you to get a response, if you still need help please do as follows:

Your machine is configured to use a web proxy which has a Chinese IP address, please tell me if you are aware of this and whether it is intentional.



Please download F-Secure Blacklight to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double click fsbl.exe to run it, choose I accept the agreement then press Scan
  • It will create the fsbl-xxxxxxx.log on your desktop containing a list of all items found.
  • Do not choose to rename any because legitimate items can also be present.
  • Exit Blacklight and post the contents of the log in your next reply.

Then create a new DSS reports:
  • Make sure DSS.exe is on your Desktop, if you need to download it again you can get it from here
  • Next press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • Press OK to the disclaimer(s) and a configuration box will appear
  • Place checkmarks in all the boxes under Main Log and Extra Log then press Scan!
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply
Once complete, please post the Blacklight log and both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.
Teacher at Malware Removal University | ASAP & UNITE Member

#3 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:06:07 PM

Posted 26 May 2008 - 05:49 AM

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
Teacher at Malware Removal University | ASAP & UNITE Member

#4 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:06:07 PM

Posted 28 May 2008 - 08:25 PM

Due to lack of response, this thread will now be closed.

If you are the topic starter and would like this topic reopened, please PM a staff member with a link to this thread and we will reopen it for you. Anyone else who needs assistance should begin a new topic.
Teacher at Malware Removal University | ASAP & UNITE Member




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users