Undetermined Infection On Win2k Sp2 Box.


  • This topic is locked
4 replies to this topic

#1 Wizard's Apprentice

Wizard's Apprentice


Posted 09 May 2008 - 10:26 AM

Great Day to you all! I have a PC with an undetermined infection. I loaded ThreatMon and it finds an unnamed keylogger, but when you click on it to see more, it is shut down. I have had a few blue screens that mentioned a page fault error. Sorry I didn't capture the details on that one. I downloaded and ran DSS but I couldn't post to this forum yesterday as my PC would lose its connection to the internet just before the post was sent... Here are the results:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 2046.61 MiB / 1510.3 MiB
Pagefile Memory (total/avail): 1893.58 MiB / 1532.6 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.93 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 74.5 GiB total, 69.4 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6L080P0 - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Look 'n' Stop 2.06 (Soft4Ever) v2.06 (Soft4Ever)
AV: Bitdefender Antivirus v8.0 (Softwin)
AV: avast! antivirus 4.8.1169 [VPS 080508-0] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PARADISESECTOR
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\PARADISESECTOR
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\DMIX
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 63 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=3f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=PARADISESECTOR
USERNAME=Julius
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Brutis
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ASUS_Ai_Proactive_Screensaver (E) --> C:\WINDOWS\ASUS_Ai_Proactive_Screensaver (E).scr /u
AsusUpdate --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASUS\AsusUpdate\Uninst.isu"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BitDefender Definitions Update --> MsiExec.exe /X{85EC78AE-3B96-4334-A2AD-BC0112C46B22}
BitDefender Free Edition v10 --> MsiExec.exe /I{BDF62CC9-FE60-4F9D-8194-8EB7E6E1412D}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
EULAlyzer v1.2 --> "C:\Program Files\EULAlyzer\unins000.exe"
Hidden Finder 1.4.0 --> "C:\Program Files\HiddenFinder\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PRO Network Connections 12.2.41.0 --> MsiExec.exe /i{BBBF4CFE-9D26-4D93-A869-B2B021B3CA85} ARPREMOVE=1
Look 'n' Stop 2.06 --> "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -uninst
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Essentials --> MsiExec.exe /I{A79A8EC1-2D17-43D2-AE27-6C1131F61033}
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
PC Probe II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
Roxio Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
ThreatMon 1.1 --> "C:\Program Files\ThreatMon\unins000.exe"
TrueCrypt --> "C:\Program Files\TrueCrypt\TrueCrypt Setup.exe" /u C:\Program Files\TrueCrypt\
UnHackMe 3.1 release --> "C:\Program Files\UnHackMe\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type548 / Error
Event Submitted/Written: 05/08/2008 06:10:22 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application threatmon.exe, version 1.0.0.1, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x0000e899.
Processing media-specific event for [threatmon.exe!ws!]

Event Record #/Type547 / Error
Event Submitted/Written: 05/08/2008 06:02:50 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application threatmon.exe, version 1.0.0.1, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x0000e899.
Processing media-specific event for [threatmon.exe!ws!]

Event Record #/Type544 / Error
Event Submitted/Written: 05/07/2008 00:55:45 AM
Event ID/Source: 1 / nview_info
Event Description:
NVIEW : UnHackMe: WAIT_TIMEOUT, while waiting for a read to clear - resetting read event

Event Record #/Type543 / Error
Event Submitted/Written: 05/07/2008 00:54:33 AM
Event ID/Source: 1 / nview_info
Event Description:
NVIEW : UnHackMe: WAIT_TIMEOUT, while waiting for a read to clear - resetting read event

Event Record #/Type542 / Error
Event Submitted/Written: 05/07/2008 00:48:59 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application threatmon.exe, version 1.0.0.1, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x0000e899.
Processing media-specific event for [threatmon.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2308 / Error
Event Submitted/Written: 05/08/2008 05:56:28 PM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type2296 / Error
Event Submitted/Written: 05/08/2008 05:48:58 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDRsDrv service failed to start due to the following error:
%%2

Event Record #/Type2295 / Error
Event Submitted/Written: 05/08/2008 05:48:58 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDFsDrv service failed to start due to the following error:
%%2

Event Record #/Type2283 / Error
Event Submitted/Written: 05/08/2008 05:47:22 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type2282 / Error
Event Submitted/Written: 05/08/2008 05:34:27 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
AsIO
aswSP
aswTdi
Fips
IPSec
lnsfw1
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip
truecrypt



-- End of Deckard's System Scanner: finished at 2008-05-08 18:11:56 ------------


(Main)

Deckard's System Scanner v20071014.68
Run by Julius on 2008-05-08 18:09:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-05-08 23:10:02 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2008-05-06 21:18:15 UTC - RP8 - Restore Operation
7: 2008-05-04 06:29:12 UTC - RP7 - Installed BitDefender Definitions Update
6: 2008-05-03 22:20:02 UTC - RP6 - Printer Driver Microsoft XPS Document Writer Installed
5: 2008-05-03 22:19:55 UTC - RP5 - Installed %1 %2.


-- First Restore Point --
1: 2008-04-03 23:04:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Julius.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:30 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
D:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Julius.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ThreatMon] C:\Program Files\ThreatMon\ThreatMon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HiddenFinder] C:\Program Files\HiddenFinder\hiddenfinder.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205627231515
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DQJTCJGWCR - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQJTCJGWCR.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MHGVZ - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MHGVZ.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5839 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AsIO - c:\windows\system32\drivers\asio.sys
R1 lnsfw1 - c:\windows\system32\drivers\lnsfw1.sys <Not Verified; ; LNSFW1 Look 'n' Stop Driver>
R3 kbmon (ThreatMon Kernel Driver) - c:\windows\system32\drivers\kbmon.sys
R3 KProcWatch - c:\windows\system32\drivers\kprocwatch.sys
R3 SFilter (Look 'n' Stop Driver) - c:\windows\system32\drivers\lnsfw.sys <Not Verified; ; Look 'n' Stop Driver>

S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 DarkSpy - c:\windows\system32\darkspykernel.sys (file missing)
S3 VICESYS - c:\documents and settings\brutis\downloads\vice\exe\vicesys.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 DQJTCJGWCR - c:\docume~1\admini~1\locals~1\temp\dqjtcjgwcr.exe (file missing)
S3 MHGVZ - c:\docume~1\admini~1\locals~1\temp\mhgvz.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&267A616A&0&1B
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&267A616A&0&1B
Service:


-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-05-08 17:44:38 0 d-------- C:\WINDOWS\pss
2008-05-06 23:44:13 0 d--hs---- C:\found.000
2008-05-06 23:35:02 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-06 16:24:36 0 d-------- C:\Program Files\ACW
2008-05-04 02:05:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\TrueCrypt
2008-05-04 00:58:23 0 d-------- C:\Program Files\Trend Micro
2008-05-04 00:51:06 0 d-------- C:\SVV
2008-05-03 17:20:35 0 d-------- C:\Program Files\MSBuild
2008-05-03 17:20:31 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-05-02 23:28:52 0 d-------- C:\Program Files\Alwil Software
2008-05-01 22:19:07 0 d-------- C:\Program Files\Personal Antispy
2008-04-30 09:56:31 0 dr-h----- C:\Documents and Settings\Brutis\Recent
2008-04-22 23:54:26 0 d-------- C:\Documents and Settings\Brutis\Application Data\TrueCrypt
2008-04-19 00:15:51 0 d-------- C:\Documents and Settings\Brutis\Application Data\Mozilla
2008-04-13 08:27:57 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-13 08:09:17 0 d-------- C:\Documents and Settings\Brutis\Application Data\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2008-05-08 18:09:06 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-05-06 15:01:39 0 d-------- C:\Program Files\CheckPoint
2008-05-04 01:14:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\CheckPoint
2008-05-04 01:14:16 96 --a------ C:\WINDOWS\system32\pdfl.dat
2008-04-13 08:27:57 0 d-------- C:\Program Files\Common Files
2008-04-03 18:15:46 2550 --a------ C:\WINDOWS\unins000.dat
2008-04-03 18:14:30 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-30 16:48:27 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-26 01:21:30 0 d-------- C:\Program Files\MSXML 6.0
2008-03-21 23:13:00 144 --a------ C:\WINDOWS\system32\lkfl.dat
2008-03-21 23:13:00 96 --a------ C:\WINDOWS\system32\ibfl.dat
2008-03-21 22:33:04 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-21 22:22:32 0 d-------- C:\Program Files\Reference Assemblies


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [04/02/2007 04:48 PM]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [03/26/2007 03:49 PM]
"Look 'n' Stop"="C:\Program Files\Soft4Ever\looknstop\looknstop.exe" [10/04/2007 04:11 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/21/2006 05:20 AM]
"ThreatMon"="C:\Program Files\ThreatMon\ThreatMon.exe" [02/01/2005 12:35 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 01:37 PM]
"HiddenFinder"="C:\Program Files\HiddenFinder\hiddenfinder.exe" [04/03/2007 08:32 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 12:56 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/18/2007 11:26 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
C:\Program Files\UnHackMe\hackmon.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe

*Newly Created Service* - KPROCWATCH



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8307 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-08 18:11:56 ------------

Directories/Files moved to C:\Deckard\System Scanner\backup

2008-05-07 00:59:32 565248 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\$$$reghive
2008-05-06 16:04:02 0 --a-----t C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\385DB.dmp
2008-05-07 01:05:13 28792 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AAX58.tmp
2008-05-08 18:10:04 6672 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dc2b_appcompat.txt
2008-05-03 17:20:14 210529 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dd_depcheck_NETFX_EXP_35.txt
2008-05-03 17:12:25 2 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dd_dotnetfx35error.txt
2008-05-03 17:22:44 311770 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dd_dotnetfx35install.txt
2008-05-03 17:21:29 3408020 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dd_NET_Framework30_Setup040F.txt
2008-05-03 17:21:58 1140066 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dd_NET_Framework35_MSI0504.txt
2008-05-03 17:20:58 5084 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dd_wcf_retCA6EC4.txt
2008-05-03 17:20:13 6099 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dd_XPS.txt
2008-05-06 15:09:23 412544 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQJTCJGWCR.exe <Not Verified; Sysinternals - www.sysinternals.com; Sysinternals Rootkitrevealer>
2008-05-04 00:11:44 351104 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MHGVZ.exe <Not Verified; Sysinternals - www.sysinternals.com; Sysinternals Rootkitrevealer>
2008-05-03 17:22:44 14874 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxeventlog.txt
2008-05-08 17:49:28 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WPDNSE
2008-05-03 17:21:49 25277 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WSFA8.tmp
2008-05-03 17:21:49 28068 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WSFA9.tmp
2008-05-08 18:02:22 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
2008-05-06 23:35:55 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_av_sfx.tm~a03612
2008-05-06 16:28:56 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{85CCF60F-0B46-4399-9316-10EAEDCACD1F}
2008-05-06 16:25:07 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{FC1DB8B2-56CC-4B25-8F76-CDD8D5C22D35}
2008-05-04 00:16:10 16384 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF54E6.tmp
2008-05-07 01:09:24 260 --a-----t C:\WINDOWS\temp\bdc5B.tmp
2008-05-08 18:04:01 3265 --a------ C:\WINDOWS\temp\kds.xml
2008-05-06 15:53:28 0 d-------- C:\WINDOWS\temp\tmp00002c03
2008-05-06 16:03:20 0 d-------- C:\WINDOWS\temp\tmp0000318c
2008-05-07 01:08:49 0 d-------- C:\WINDOWS\temp\tmp00004228
2008-05-06 23:35:46 0 d-------- C:\WINDOWS\temp\tmp0000697f

-*- End of Logfile -*-

#2 lusitano

lusitano

    Portuguese Malware Fighter



Posted 16 May 2008 - 06:22 AM

Hi, sorry for the delay and thanks for your patience!

Please download the ComboFix from the links above and follow all instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • "If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!"
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read ComboFix's Disclaimer.


Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 Wizard's Apprentice

Wizard's Apprentice
  • Topic Starter


Posted 22 May 2008 - 08:48 AM

Lusitano,

I have read & followed the how-to on ComboFix. Thank you for the advice. Here are the results:



ComboFix 08-05-19.4 - myadmin 2008-05-21 21:53:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1478 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.
The following files were disabled during the run:
C:\Program Files\TrojanHunter 5.0\THSec.dll


((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-18 22:50 . 2008-05-18 22:50 <DIR> d-------- C:\Program Files\Uniblue
2008-05-18 22:50 . 2008-05-18 22:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-05-17 19:14 . 2008-05-17 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-05-17 01:40 . 2008-05-17 01:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 01:40 . 2008-05-17 01:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:40 . 2008-05-17 01:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-17 01:40 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 01:40 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-17 01:02 . 2008-05-21 21:52 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-05-16 23:03 . 2008-05-18 17:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-16 23:03 . 2008-05-16 23:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 23:03 . 2008-05-16 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-16 23:03 . 2008-05-16 23:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-15 22:37 . 2008-05-15 22:37 1,859 --a------ C:\WINDOWS\mozver.dat
2008-05-08 23:22 . 2008-05-08 23:22 <DIR> d-------- C:\New Folder3
2008-05-08 23:19 . 2008-05-08 23:19 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-05-08 17:36 . 2008-05-08 17:36 <DIR> d-------- C:\Deckard
2008-05-07 00:16 . 2008-05-08 23:29 <DIR> d-------- C:\Program Files\UnHackMe
2008-05-06 23:44 . 2008-05-18 18:59 <DIR> d--hs---- C:\found.000
2008-05-06 16:24 . 2008-05-06 16:28 <DIR> d-------- C:\Program Files\ACW
2008-05-04 02:05 . 2008-05-04 02:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrueCrypt
2008-05-04 00:58 . 2008-05-04 00:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-04 00:51 . 2008-05-04 00:51 <DIR> d-------- C:\SVV
2008-05-03 17:20 . 2008-05-03 17:20 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-03 17:20 . 2008-05-03 17:20 <DIR> d-------- C:\Program Files\MSBuild
2008-05-02 23:28 . 2008-05-02 23:28 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-01 22:19 . 2008-05-01 22:19 <DIR> d-------- C:\Program Files\Personal Antispy
2008-04-22 23:54 . 2008-04-22 23:54 <DIR> d-------- C:\Documents and Settings\Brutis\Application Data\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 02:45 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-05-19 03:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 20:01 --------- d-----w C:\Program Files\CheckPoint
2008-05-04 06:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CheckPoint
2008-04-13 13:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-13 13:09 --------- d-----w C:\Documents and Settings\Brutis\Application Data\Lavasoft
2008-04-03 23:14 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-30 21:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-26 06:21 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-26 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-26 04:54 --------- d-----w C:\Documents and Settings\Brutis\Application Data\CheckPoint
2008-03-22 03:33 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-22 03:22 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-12 11:39 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-18 23:26 7700480]
"ThreatMon"="C:\Program Files\ThreatMon\ThreatMon.exe" [2005-02-01 12:35 45056]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"nwiz"="nwiz.exe" [2007-04-18 23:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-04-18 23:26 86016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Look 'n' Stop"="C:\Program Files\Soft4Ever\looknstop\looknstop.exe" [2007-10-04 16:11 512070]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"HiddenFinder"="C:\Program Files\HiddenFinder\hiddenfinder.exe" [2007-04-03 20:32 421888]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-09-21 05:20 127036]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-03-25 19:08 1047712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-12 11:36]
R1 lnsfw1;lnsfw1;C:\WINDOWS\system32\drivers\lnsfw1.sys [2007-10-04 16:11]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-12 11:38]
R3 kbmon;ThreatMon Kernel Driver;C:\WINDOWS\system32\drivers\kbmon.sys [2005-02-01 12:38]
R3 KProcWatch;KProcWatch;C:\WINDOWS\system32\drivers\KProcWatch.sys [2006-02-23 23:03]
S3 DarkSpy;DarkSpy;C:\WINDOWS\system32\DarkSpyKernel.sys []
S3 DQJTCJGWCR;DQJTCJGWCR;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQJTCJGWCR.exe []
S3 MHGVZ;MHGVZ;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MHGVZ.exe []
S3 VICESYS;VICESYS;C:\Documents and Settings\Brutis\Downloads\vice\EXE\VICESYS.sys [2004-08-16 20:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - KPROCWATCH
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 21:54:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 21:55:22
ComboFix-quarantined-files.txt 2008-05-22 02:55:13

Pre-Run: 74,881,495,040 bytes free
Post-Run: 74,882,789,376 bytes free

121 --- E O F --- 2008-05-13 11:46:25

ComboFix quarantined files
2008-05-21 21:54 54 --a------ C:\Qoobox\Quarantine\catchme.log


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:12 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\ThreatMon\ThreatMon.exe
C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ThreatMon] C:\Program Files\ThreatMon\ThreatMon.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HiddenFinder] C:\Program Files\HiddenFinder\hiddenfinder.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205627231515
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DQJTCJGWCR - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQJTCJGWCR.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MHGVZ - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MHGVZ.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7205 bytes

TrojanHunter Scan Report - Saved 2008-05-21 23:07

Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Administrator\Desktop\ComboFix.exe/catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Administrator\Desktop\ComboFix.exe/ERDNT.e_e
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Administrator\Desktop\ComboFix.exe/Upx.kgvpaguz/catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Administrator\Desktop\ComboFix.exe/Upx.kgvpaguz/ERDNT.e_e
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Net\3.5.0.0__b03f5f7f11d50a3a\System.Net.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel.Web\3.5.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_36c045b0\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_e4dc556e\System.Xml.dll
Warning: Unable to unpack UPX-packed file C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.Dtc.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.kor.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\system.web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\system.xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.kor.dll


I will await your direction, and again thank you!
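A scriptable first pass over the ComboFix service lines and HijackThis O23 entries in the logs above, written here as an added example (it is not part of this thread, of ComboFix or of HijackThis): it flags services whose binary is missing, sits under a Temp directory, or carries a random-looking name, which is the kind of entry a helper singles out for submission. The sample lines follow the format of the log above; the "random name" threshold and the reading of an empty ComboFix `[]` stamp as "file not found" are assumptions.

```python
import re
from dataclasses import dataclass

# Sample lines in the shape of the HijackThis O23 and ComboFix service entries
# posted in the thread above (constructed for this example).
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DQJTCJGWCR - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQJTCJGWCR.exe (file missing)
O23 - Service: MHGVZ - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MHGVZ.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
S3 DQJTCJGWCR;DQJTCJGWCR;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DQJTCJGWCR.exe []
R1 lnsfw1;lnsfw1;C:\WINDOWS\system32\drivers\lnsfw1.sys [2007-10-04 16:11]
S3 DarkSpy;DarkSpy;C:\WINDOWS\system32\DarkSpyKernel.sys []
"""

# HijackThis: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# ComboFix: "<start type> <service>;<display name>;<path> [<file stamp>]"
CF_SVC = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)


@dataclass
class Finding:
    source: str      # "hjt" or "combofix"
    name: str
    path: str
    reasons: tuple


def looks_random(name: str) -> bool:
    """Heuristic (assumption): all-caps, 5+ letters, under 20% vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5 or not name.isupper():
        return False
    vowels = sum(c in "AEIOU" for c in letters)
    return vowels / len(letters) < 0.2


def assess(path: str, name: str, missing: bool) -> tuple:
    reasons = []
    if re.search(r"\\temp\\", path, re.IGNORECASE):
        reasons.append("binary under a Temp directory")
    if missing:
        reasons.append("binary missing on disk")
    if looks_random(name):
        reasons.append("random-looking service name")
    return tuple(reasons)


def triage(log: str) -> list:
    """Return the service entries in a pasted log that merit a closer look."""
    findings = []
    for line in log.splitlines():
        line = line.rstrip()
        m = HJT_O23.match(line)
        if m:
            reasons = assess(m["path"], m["name"], m["missing"] is not None)
            if reasons:
                findings.append(Finding("hjt", m["name"], m["path"], reasons))
            continue
        m = CF_SVC.match(line)
        if m:
            # An empty [] stamp is read as "ComboFix found no file to date" (assumption).
            reasons = assess(m["path"], m["name"], m["stamp"].strip() == "")
            if reasons:
                findings.append(Finding("combofix", m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.name}: {f.path} -> {'; '.join(f.reasons)}")
```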

#4 lusitano

    Portuguese Malware Fighter
Posted 23 May 2008 - 04:36 AM

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\drivers\lnsfw1.sys
  • Click on the submit button
  • Please post the results in your next reply.
  • Repeat for these:
    • C:\WINDOWS\system32\drivers\kbmon.sys
  • If Jotti's is too busy, try VirusTotal.


#5 lusitano

    Portuguese Malware Fighter
Posted 02 June 2008 - 07:17 AM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.

Thanks
