Virtumode Infection


  • This topic is locked
13 replies to this topic

#1 beaner284


  • Members
  • 6 posts

Posted 23 June 2008 - 12:22 PM

Deckard's System Scanner v20071014.68
Run by User on 2008-06-23 12:14:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-23 17:14:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:03, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\DOCUME~1\User\Desktop\TRENDM~1\HIJACK~1\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {39a0df97-756a-4f98-21f4-de2db08ac48a} - {a84ca80b-d2ed-4f12-89f4-a65779fd0a93} - C:\WINDOWS\system32\gxaljtbm.dll
O2 - BHO: (no name) - {CDA1B178-6434-4E10-ACA5-2310572E6E2C} - C:\WINDOWS\system32\wvUoMfgG.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM251a25c3] Rundll32.exe "C:\WINDOWS\system32\mbeuffvo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk.disabled
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152292755847
O16 - DPF: {FD9D0FC7-D96B-11D3-B9D5-00A0CC349308} - http://mnmastery.net/mnet/hlms/kraft_safet...er/mtplayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 6076 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek MMKey>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S1 uagp355 - c:\windows\system32\drivers\uagp355.sys (file missing)
S3 TnIDriver - c:\docume~1\user\locals~1\temp\tni17.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer Empowering Manager>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-14 03:47:58 460 --a------ C:\WINDOWS\Tasks\SDMsgUpdate (TE).job
2008-06-12 20:27:24 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 11:56:08 0 d-------- C:\Documents and Settings\User\Application Data\MailFrontier
2008-06-23 11:38:14 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-23 10:54:02 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-23 10:53:34 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-23 10:53:06 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-06-23 10:51:05 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-06-23 10:50:26 0 d-------- C:\WINDOWS\Internet Logs
2008-06-23 09:46:49 0 d-------- C:\Documents and Settings\All Users\Application Data\NetZero
2008-06-23 09:46:46 0 d-------- C:\NetZeroInstaller
2008-06-22 16:39:31 1554 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-22 16:37:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-22 00:32:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-22 00:17:43 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-22 00:17:43 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-22 00:17:43 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-22 00:17:43 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-22 00:17:43 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-22 00:17:43 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-22 00:17:43 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-22 00:17:43 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-22 00:17:43 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-22 00:17:43 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-22 00:17:43 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-22 00:17:43 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-22 00:17:43 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-22 00:17:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-22 00:17:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-22 00:17:42 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-21 23:34:02 0 d--hs---- C:\FOUND.004
2008-06-21 20:30:32 122368 --a------ C:\WINDOWS\system32\iptlhkwx.dll
2008-06-21 20:27:32 130560 --a------ C:\WINDOWS\system32\gxaljtbm.dll
2008-06-21 20:25:22 128512 --a------ C:\WINDOWS\system32\mbeuffvo.dll
2008-06-13 19:59:41 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-10 18:58:24 0 d--hs---- C:\FOUND.003
2008-06-08 18:01:22 13568 --a------ C:\WINDOWS\svcinit.exe
2008-06-08 18:01:22 22272 --a------ C:\WINDOWS\svchost32.exe
2008-06-08 18:01:22 17920 --a------ C:\WINDOWS\sistem.exe
2008-06-08 18:01:21 11776 --a------ C:\WINDOWS\searchword.dll
2008-06-08 18:01:21 22016 --a------ C:\WINDOWS\quicken.exe
2008-06-08 18:01:21 28160 --a------ C:\WINDOWS\qttasks.exe
2008-06-08 18:01:19 32000 --a------ C:\WINDOWS\mswsc20.dll
2008-06-08 18:01:18 19712 --a------ C:\WINDOWS\mswsc10.dll
2008-06-08 18:01:16 12544 --a------ C:\WINDOWS\msspi.dll
2008-06-08 18:01:16 31232 --a------ C:\WINDOWS\msconfd.dll
2008-06-08 18:01:15 15616 --a------ C:\WINDOWS\internet.exe
2008-06-08 18:01:15 24064 --a------ C:\WINDOWS\inetinf.exe
2008-06-08 18:01:13 23808 --a------ C:\WINDOWS\helpcvs.exe
2008-06-08 18:01:13 17664 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-08 18:01:12 21248 --a------ C:\WINDOWS\funny.exe
2008-06-08 18:01:12 12544 --a------ C:\WINDOWS\funniest.exe
2008-06-08 18:01:12 25088 --a------ C:\WINDOWS\explorer32.exe
2008-06-08 18:01:11 23552 --a------ C:\WINDOWS\explore.exe
2008-06-08 18:01:11 11008 --a------ C:\WINDOWS\editpad.exe
2008-06-08 18:01:11 14592 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-08 18:01:11 14336 --a------ C:\WINDOWS\directx32.exe
2008-06-08 18:01:11 23040 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-08 18:01:10 23296 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-08 17:49:10 744044 --ahs---- C:\WINDOWS\system32\GgfMoUvw.ini2
2008-06-08 17:49:06 282624 --a------ C:\WINDOWS\system32\wvUoMfgG.dll
2008-06-08 17:46:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-08 17:46:20 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-08 17:46:10 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-08 17:46:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\COMCASTTOOLBAR
2008-06-08 17:46:08 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-08 17:46:03 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-08 17:45:35 0 d-------- C:\WINDOWS\system32\expo
2008-06-08 17:45:34 0 d-------- C:\WINDOWS\system32\xrem
2008-06-08 17:45:22 0 d-------- C:\WINDOWS\system32\inet2
2008-06-08 17:45:22 0 d-------- C:\WINDOWS\system32\105772
2008-06-08 17:44:17 0 d-------- C:\WINDOWS\system32\btz
2008-06-08 17:44:08 0 d-------- C:\WINDOWS\system32\vntiho05
2008-06-08 17:44:07 0 d-------- C:\Temp
2008-05-28 17:57:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Comcast


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a84ca80b-d2ed-4f12-89f4-a65779fd0a93}]
06/21/2008 20:27 130560 --a------ C:\WINDOWS\system32\gxaljtbm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDA1B178-6434-4E10-ACA5-2310572E6E2C}]
06/08/2008 17:49 282624 --a------ C:\WINDOWS\system32\wvUoMfgG.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 18:19]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/06/2007 16:14]
"BM251a25c3"="C:\WINDOWS\system32\mbeuffvo.dll" [06/21/2008 20:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56]
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [12/10/2007 19:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk.disabled [7/10/2006 12:30:26 PM]
Symantec Fax Starter Edition Port.lnk.disabled [7/10/2006 12:30:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,userinit.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUoMfgG

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SpyHunter Security Suite"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"LaunchApp"=Alaunch
"LManager"=C:\Program Files\Launch Manager\QtZgAcer.EXE
"LSA Shellu"=C:\Documents and Settings\User\lsass.exe
"MSPY2002"=C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe
"PHIME2002A"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"<NO NAME>"=
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{024193e0-39ad-11dd-8802-00c09f4f4e84}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65c1e5a2-7da3-11db-864c-00c09f4f4e84}]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f03d6468-dc62-11db-8663-00c09f4f4e84}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 {undo}.hotlinkfiles.com
127.0.0.1 {undo}.meine-grußkarten.de
127.0.0.1 {undo}/hotlinkfiles.com
127.0.0.1 {undo}/meine-grußkarten.de
127.0.0.1 {undo}www.hotlinkfiles.com
127.0.0.1 {undo}www.meine-grußkarten.de
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com

10874 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-23 12:18:41 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1400MHz
Percentage of Memory in Use: 84%
Physical Memory (total/avail): 494.42 MiB / 79.01 MiB
Pagefile Memory (total/avail): 1157.43 MiB / 771.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1909.13 MiB

C: is Fixed (FAT32) - 24.99 GiB total, 15.48 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - HTS424030M9AT00 - 27.95 GiB - 2 partitions
\PARTITION0 - Unknown - 2.93 GiB
\PARTITION1 (bootable) - Unknown - 25 GiB - C:

\\.\PHYSICALDRIVE1 - LEXAR JD FIREFLY USB Device - 988.37 MiB - 1 partition
\PARTITION0 - Unknown - 991.48 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Security Suite Firewall v7.0.408.000 (Check Point, LTD.) Disabled
AV: avast! antivirus 4.8.1201 [VPS 080622-0] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ACER-GAWAKV7KL3
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\ACER-GAWAKV7KL3
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=ACER-GAWAKV7KL3
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eManager --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6DD28220-44BE-4882-B9C3-73B6F876046E}
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{763E8D6C-0098-4FF4-801A-3F311D2D9D80}
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Comcast Toolbar --> C:\Program Files\ComcastToolbar\uninstall.exe
Conexant AC-Link Audio --> CIAunwdm.exe
Debt Analyzer --> "C:\Program Files\Debt\unins000.exe"
Desktop Doctor --> MsiExec.exe /I{D87149B3-7A1D-4548-9CBF-032B791E5908}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet 3840 Series --> rundll32 hpzcon10.dll,VendorJettison HP Deskjet 3840 Series
Indeo® Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033
IrfanView (remove only) --> C:\Documents and Settings\User\Desktop\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{974C05A0-C76C-4724-A9A2-11D5D1355729}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Launch Manager --> C:\WINDOWS\UnInst32.exe QtZgAcer.UNI
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NetZero Internet --> "C:\Program Files\NetZero\NetZeroUninstaller.exe"
NTI Backup NOW! 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4E68EAA3-775A-4542-A08A-47DB8E8E74A6} /l1033 BUNText
NTI CD & DVD-Maker Gold --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} /l1033 AnyText
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SmartDraw 2007 --> C:\PROGRA~1\SMARTD~1\UNWISE.EXE C:\PROGRA~1\SMARTD~1\install.log
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_00641025\HXFSETUP.EXE -U -Iqta00645.inf
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{23C7348E-131C-4BFF-9763-2C804D6B87AE}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1908 / Error
Event Submitted/Written: 06/13/2008 09:56:11 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spyhunter3.exe, version 1.0.13.0, faulting module registryguard.dll, version 1.0.25.0, fault address 0x000539fd.
Processing media-specific event for [spyhunter3.exe!ws!]

Event Record #/Type1903 / Error
Event Submitted/Written: 06/13/2008 09:23:22 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spyhunter3.exe, version 1.0.13.0, faulting module registryguard.dll, version 1.0.25.0, fault address 0x00002fa5.
Processing media-specific event for [spyhunter3.exe!ws!]

Event Record #/Type1897 / Error
Event Submitted/Written: 06/12/2008 11:47:57 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1894 / Error
Event Submitted/Written: 06/12/2008 11:38:30 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1893 / Error
Event Submitted/Written: 06/12/2008 11:37:42 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5009 / Warning
Event Submitted/Written: 06/23/2008 11:39:55 AM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "SAS window"

Event Record #/Type5000 / Warning
Event Submitted/Written: 06/22/2008 05:54:32 PM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type4999 / Warning
Event Submitted/Written: 06/22/2008 05:54:30 PM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type4998 / Warning
Event Submitted/Written: 06/22/2008 05:54:28 PM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type4997 / Warning
Event Submitted/Written: 06/22/2008 05:54:12 PM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.



-- End of Deckard's System Scanner: finished at 2008-06-23 12:18:41 ------------


#2 andyspeake


  • Members
  • 16 posts
  • Gender:Male
  • Location:Glasgow,Scotland.

Posted 23 June 2008 - 12:59 PM

Hello, and Welcome :thumbsup:
I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.
  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.


#3 beaner284

  • Topic Starter

  • Members
  • 6 posts

Posted 23 June 2008 - 09:10 PM

Thanks for your reply. Just let me know whenever you're ready. I have a good computer I'm using in the meantime, so no rush. Any help is greatly appreciated. Thanks again.

#4 andyspeake


  • Members
  • 16 posts
  • Gender:Male
  • Location:Glasgow,Scotland.

Posted 25 June 2008 - 11:52 AM

Hi,

I'm afraid I have unpleasant news for you. You have a very dangerous infection (or infections) on this machine.
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present.
If this computer has been used for any kind of important data, my best recommendation is to disconnect from the Internet, reformat the entire drive and reinstall your operating system and applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system's security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you reconnect to the Internet.

The decision whether to reformat or not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to reformat and reinstall, or just disinfect.
  • The variety of malware - this influences the decision whether to reformat and reinstall, or just disinfect. IN THIS CASE we have a backdoor trojan, the worst kind.
If the computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the Internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any applications (programs). Those should be reinstalled from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well-being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and ask them to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to reformat and reinstall, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.
I would strongly recommend you reformat and reinstall.

#5 beaner284

Posted 26 June 2008 - 08:02 AM

I will be nuking the infected computer. Is there any way to tell if the virus has transmitted any data?

#6 andyspeake

Posted 26 June 2008 - 01:14 PM

Are you going to be reinstalling? (Which is strongly recommended.)

#7 beaner284

Posted 27 June 2008 - 07:33 AM

Yes, I will be formatting and reinstalling.

#8 andyspeake

Posted 29 June 2008 - 09:11 AM

Clean Install

I'll respect your decision to do a clean install.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.

Reformatting Windows XP by wng_z3r0
When should I re-format? How should I reinstall?
Windows XP Clean install

Then there are a couple of things you should do immediately after installing Windows and before surfing the net...
  • Use Anti-Virus Software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
    Computer Safety On line - Anti-Virus
    I recommend AVG Anti-Virus (Free Edition)!
  • Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (more often if you wish). If you do not update your anti-virus software, it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For an article on firewalls and a listing of some available ones, see the link below:
    Computer Safety On line - Software Firewalls
    I recommend ZoneAlarm (Free Edition)!
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab.
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change Download signed ActiveX controls to Prompt
      • Change Download unsigned ActiveX controls to Disable
      • Change Initialise and script ActiveX controls not marked as safe to Disable
      • Change Installation of desktop items to Prompt
      • Change Launching programs and files in an IFRAME to Prompt
      • Change Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
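The six Custom Level settings listed in the post above are stored as DWORD values under the Internet zone (zone 3) key of the current user's Internet Settings, so they can be audited, and optionally applied, from PowerShell instead of clicked through by hand. This is an added example and is not part of andyspeake's post or of any BleepingComputer tool; the value-name mapping (1001, 1004, 1201, 1800, 1804, 1607) and the action codes (0 = Enable, 1 = Prompt, 3 = Disable) are taken from Microsoft's documentation of the Internet Settings zone keys, and the function name Test-IeInternetZone is invented here.

```powershell
# Added example: audit (and with -Fix, apply) the six Internet-zone hardening
# settings from the post above, by reading/writing the documented registry
# values directly. Zone 3 is the Internet zone. Action codes: 0 = Enable,
# 1 = Prompt, 3 = Disable. Function name and layout are this example's own.

$ZonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Setting label (as shown in the IE Custom Level dialog), registry value name,
# and the action the post recommends.
$Desired = @(
    @{ Name = 'Download signed ActiveX controls';                          Value = '1001'; Action = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Value = '1004'; Action = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = '1201'; Action = 3 },
    @{ Name = 'Installation of desktop items';                             Value = '1800'; Action = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Value = '1804'; Action = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Value = '1607'; Action = 1 }
)

function Test-IeInternetZone {
    param([switch]$Fix)   # -Fix writes the recommended value for each weak setting

    foreach ($s in $Desired) {
        # A missing value means the zone's built-in default applies; treat it as not verified.
        $item = Get-ItemProperty -Path $ZonePath -Name $s.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $current     = $null
            $currentText = 'not set (zone default applies)'
        } else {
            $current     = [int]$item.($s.Value)
            $currentText = $ActionName[$current]
            if (-not $currentText) { $currentText = "code $current" }
        }

        $ok = ($null -ne $current) -and ($current -eq $s.Action)
        if ($ok) {
            Write-Output ("OK     {0}: {1}" -f $s.Name, $currentText)
        } else {
            Write-Output ("WEAK   {0}: {1} (want {2})" -f $s.Name, $currentText, $ActionName[$s.Action])
            if ($Fix) {
                Set-ItemProperty -Path $ZonePath -Name $s.Value -Value $s.Action -Type DWord
                Write-Output ("FIXED  {0} -> {1}" -f $s.Name, $ActionName[$s.Action])
            }
        }
    }
}

Test-IeInternetZone        # report only
# Test-IeInternetZone -Fix # apply the recommended settings, then restart IE
```

Run it as the user whose Internet Explorer profile is being hardened, since the values live under HKCU. Two caveats a practitioner should check first: if an administrator has set the Security_HKLM_only policy under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, IE ignores the HKCU zone values and this script's writes will have no effect; and Internet Explorer must be restarted for changed zone settings to take effect.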

#9 andyspeake

Posted 02 July 2008 - 01:35 PM

How did you get on?

#10 beaner284

Posted 02 July 2008 - 01:51 PM

What are you asking? How I got the virus? I don't know; I believe through an e-mail. The reinstall went well, kind of a pain to get all the drivers, but it's back up and running better than ever. Thanks again.

#11 andyspeake

Posted 02 July 2008 - 01:56 PM

I meant how did the re-install go? :thumbsup:

#12 andyspeake

Posted 05 July 2008 - 12:22 PM

Hi,

Could you please confirm that this is now solved?

If I don't receive a reply in 48 hours the thread will be closed.

Thanks :thumbsup:


Andyspeake

#13 beaner284

Posted 06 July 2008 - 09:46 AM

Yes, all infections have been cleared. Thank you for your help.

#14 Simon V.

Posted 06 July 2008 - 10:28 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a new topic.
Simon V.
