Spambot Of Some Kind?


This topic is locked
2 replies to this topic

#1 boldpat

Posted 11 July 2008 - 08:08 PM

I'm hoping that someone can help me solve this problem.

Here's a quick summary of events:
1) Symantec AV detects 4 instances of infection by W32.Spybot.Worm and supposedly cleans by deletion
2) Symantec AV detects 2 instances of Infostealer.Gampass and supposedly cleans by deletion.
3) I come home to discover messages from Symantec AV reporting that 380 separate emails sent from my machine have been One of my email accounts is temporarily suspended due to reports of spam abuse originating from my IP address.
4) I install McAfee AV alongside Symantec, and McAfee logs a port block approximately once each minute from seemingly random IP addresses, all trying to access port 25.
5) I run complete system scans by both Symantec AV and McAfee and nothing problematic is discovered. Ditto for SpyBot Search and Destroy.

So here are copies of the logs I just ran with ComboFix and HijackThis.

COMBOFIX LOG

ComboFix 08-07-10.1 - 2008-07-11 19:21:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2479 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-10 21:19 . 2008-07-10 21:19 <DIR> d-------- C:\Program Files\McAfee
2008-07-10 21:19 . 2008-07-10 21:19 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-10 21:19 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-10 21:19 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-10 21:19 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-07-10 21:19 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-07-10 21:19 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-10 21:19 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-07-10 00:48 . 2008-07-10 00:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-09 23:52 . 2008-07-09 23:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-09 23:15 . 2008-07-09 23:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-09 00:24 . 2008-07-09 00:24 <DIR> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-09 00:24 . 2008-07-09 00:24 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-08 19:49 . 2008-07-08 19:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-08 17:33 . 2008-07-08 17:33 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-07-08 17:33 . 2008-07-10 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-08 17:33 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-07-07 23:28 . 2008-07-07 23:28 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-07-07 23:28 . 2008-07-07 23:28 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-07-07 23:12 . 2008-07-07 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\logs
2008-07-07 22:40 . 2008-07-07 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-07 19:35 . 2008-07-07 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Resources
2008-07-07 18:31 . 1996-11-17 00:00 402,704 --a------ C:\WINDOWS\system32\Msrepl35.dll
2008-07-07 18:31 . 1996-11-17 00:00 163,384 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-07-07 18:31 . 1996-11-17 00:00 77,824 --a------ C:\WINDOWS\system32\Odbctl32.dll
2008-07-07 18:31 . 1996-11-17 00:00 26,340 --a------ C:\WINDOWS\system32\Odbcinst.hlp
2008-07-07 18:31 . 1996-11-17 00:00 6,931 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-07-07 18:31 . 2006-10-06 15:40 1,310 --a------ C:\WINDOWS\Ncss97.ini
2008-07-07 18:31 . 1996-11-17 00:00 244 --a------ C:\WINDOWS\system32\Odbcinst.cnt
2008-07-05 08:56 . 2008-07-05 08:56 3,444 --a------ C:\Documents and Settings\XXXXXX\excdata2.dat
2008-07-05 08:56 . 2008-07-05 08:56 3,280 --a------ C:\Documents and Settings\XXXXXX\excdata3.dat
2008-07-05 08:56 . 2008-07-05 08:56 3,198 --a------ C:\Documents and Settings\XXXXXX\personel.dat
2008-07-05 08:56 . 2008-07-05 08:56 2,214 --a------ C:\Documents and Settings\XXXXXX\jan98dat.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,968 --a------ C:\Documents and Settings\XXXXXX\bookdata.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,804 --a------ C:\Documents and Settings\XXXXXX\invent1.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,722 --a------ C:\Documents and Settings\XXXXXX\tests2.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,722 --a------ C:\Documents and Settings\XXXXXX\tests.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,640 --a------ C:\Documents and Settings\XXXXXX\survey1.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,640 --a------ C:\Documents and Settings\XXXXXX\pubdata.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,640 --a------ C:\Documents and Settings\XXXXXX\orderdat.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,640 --a------ C:\Documents and Settings\XXXXXX\invent2.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,312 --a------ C:\Documents and Settings\XXXXXX\cardata.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,148 --a------ C:\Documents and Settings\XXXXXX\excdata1.dat
2008-07-05 08:56 . 2008-07-05 08:56 1,066 --a------ C:\Documents and Settings\XXXXXX\aug99dat.dat
2008-07-05 08:56 . 2008-07-05 08:56 984 --a------ C:\Documents and Settings\XXXXXX\powerdat.dat
2008-07-05 08:56 . 2008-07-05 08:56 820 --a------ C:\Documents and Settings\XXXXXX\choldata.dat
2008-07-05 08:56 . 2008-07-05 08:56 738 --a------ C:\Documents and Settings\XXXXXX\saledata.dat
2008-07-05 08:56 . 2008-07-05 08:56 656 --a------ C:\Documents and Settings\XXXXXX\vandata.dat
2008-07-05 08:56 . 2008-07-05 08:56 644 --a------ C:\Documents and Settings\XXXXXX\satdata2.dat
2008-07-05 08:56 . 2008-07-05 08:56 462 --a------ C:\Documents and Settings\XXXXXX\satdata1.dat
2008-07-05 08:56 . 2008-07-05 08:56 148 --a------ C:\Documents and Settings\XXXXXX\accnt04.dat
2008-07-05 08:56 . 2008-07-05 08:56 114 --a------ C:\Documents and Settings\XXXXXX\accnt02.dat
2008-07-05 08:56 . 2008-07-05 08:56 109 --a------ C:\Documents and Settings\XXXXXX\accnt01.dat
2008-07-05 08:56 . 2008-07-05 08:56 83 --a------ C:\Documents and Settings\XXXXXX\accnt.dat
2008-07-05 08:56 . 2008-07-05 08:56 61 --a------ C:\Documents and Settings\XXXXXX\activity.dat
2008-07-05 08:56 . 2008-07-05 08:56 46 --a------ C:\Documents and Settings\XXXXXX\fee.dat
2008-07-05 08:56 . 2008-07-05 08:56 39 --a------ C:\Documents and Settings\XXXXXX\printfee.dat
2008-06-15 00:31 . 2008-06-15 00:34 <DIR> d-------- C:\Program Files\Hard Disk Sentinel
2008-06-15 00:24 . 2008-06-15 00:24 <DIR> d-------- C:\Documents and Settings\XXXXXX\Application Data\AltrixSoft
2008-06-14 15:02 . 2008-06-14 15:02 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-12 00:00 . 2008-06-12 00:00 <DIR> d-------- C:\Documents and Settings\XXXXXX\Application Data\Acronis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 00:19 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-11 01:53 --------- d-----w C:\Program Files\Symantec
2008-07-11 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-10 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-10 23:30 --------- d-----w C:\Program Files\Microsoft Web Designer Tools
2008-07-10 23:29 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-07-10 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-07-10 23:28 --------- d-----w C:\Program Files\MSBuild
2008-07-10 23:23 --------- d-----w C:\Program Files\eMule
2008-07-10 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 04:19 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-08 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-07-08 04:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 16:34 --------- d-----w C:\Program Files\SAS
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 00:23 --------- d-----w C:\Program Files\Registry Workshop
2008-06-18 01:12 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-06-18 01:11 --------- d-----w C:\Program Files\Intel
2008-06-18 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avocent AdminWorks
2008-06-18 00:58 6,784 ----a-w C:\WINDOWS\system32\drivers\osaio.sys
2008-06-18 00:47 --------- d-----w C:\Program Files\MSDN
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 04:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 04:43 --------- d-----w C:\Documents and Settings\XXXXXX\Application Data\SAS
2008-06-12 04:06 --------- d-----w C:\Program Files\SPSS
2008-06-02 00:56 --------- d-----w C:\Documents and Settings\XXXXXX\Application Data\Processing
2008-05-28 23:05 --------- d-----w C:\Program Files\Stata10
2008-05-27 03:37 --------- d-----w C:\Program Files\dtSearch Developer
2008-05-27 03:25 --------- d-----w C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-05-22 11:57 --------- d-----w C:\Program Files\TreeSize Professional
2008-05-14 11:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-05-14 04:57 --------- d-----w C:\Program Files\ATI Technologies
2008-05-13 22:19 --------- d-----w C:\Program Files\LizardTech
2008-05-12 00:01 --------- d-----w C:\Program Files\SiSoftware
2008-04-14 12:40 1,296,669 ----a-r C:\WINDOWS\SET59.tmp
2008-04-14 12:34 16,535 ----a-r C:\WINDOWS\SET68.tmp
2008-04-14 12:34 1,088,840 ----a-r C:\WINDOWS\SET5C.tmp
2008-04-14 10:41 451,072 ----a-w C:\WINDOWS\AppPatch\AcLayers.dll
2008-04-14 10:41 39,424 ----a-w C:\WINDOWS\AppPatch\AcAdProc.dll
2008-04-14 10:41 245,248 ----a-w C:\WINDOWS\AppPatch\AcSpecfc.dll
2008-04-14 10:41 141,312 ----a-w C:\WINDOWS\AppPatch\AcLua.dll
2008-04-14 10:41 116,224 ----a-w C:\WINDOWS\AppPatch\AcXtrnal.dll
2008-04-14 10:41 1,852,928 ----a-w C:\WINDOWS\AppPatch\AcGenral.dll
2007-12-27 15:00 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\QVPLUG32.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\CFi]
@="{2DBD5D71-CBB7-41D1-B170-511646B170BD}"
[HKEY_CLASSES_ROOT\CLSID\{2DBD5D71-CBB7-41D1-B170-511646B170BD}]
2007-01-28 16:50 55296 --a------ C:\PROGRA~1\CFi\ShellToys\CFiShlJP.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 04:18 437160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{067B597C-C099-4A08-A180-E5FEC5DCF2DF}"= "C:\PROGRA~1\CFi\ShellToys\CFiShlEx.dll" [2007-01-28 16:53 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gcdef32]
2004-07-07 14:36 10752 C:\WINDOWS\system32\gcdef32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2c\\RpcAgentSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"1722:TCP"= 1722:TCP:messenger
"6386:TCP"= 6386:TCP:messenger
"2785:TCP"= 2785:TCP:messenger
"1456:TCP"= 1456:TCP:messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 HFXP2;HFXP2;C:\WINDOWS\system32\DRIVERS\HFXP2.SYS [2004-12-30 16:49]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-02-29 20:58]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 21:03]
R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 14:38]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2008-06-17 19:58]
S3 BioNT_BS;BioNT_BS;C:\Program Files\Paragon Software\Partition Manager 9.0 Professional\bluescrn\BioNT_bs.sys []
S4 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2c\RpcAgentSrv.exe [2008-04-23 18:55]
S4 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-10-30 21:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f95d53d-f9fc-11dc-a776-000f66e680a4}]
\Shell\AutoRun\command - H:\bootcd\wintools\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-11 02:38:04 C:\WINDOWS\Tasks\User_Feed_Synchronization-{101AED11-906C-492A-915C-29D8E8C032DD}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 19:24:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\IDT\IntelXPV_v52\WDM\stacsv.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2008-07-11 19:26:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-12 00:26:28

Pre-Run: 128,752,365,568 bytes free
Post-Run: 128,566,915,072 bytes free

245 --- E O F --- 2008-07-10 02:17:01


HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:22 PM, on 7/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\idt\intelxpv_v52\wdm\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\qmc.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.msu.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT78\PRMTIE\prmtie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: QuickMonth Calendar.lnk = C:\WINDOWS\qmc.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: gcdef32 - C:\WINDOWS\SYSTEM32\gcdef32.dll
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v52\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 13429 bytes



Any help in interpreting these logs and solving my problem would be greatly appreciated. I'll be keeping a close watch for replies and will respond promptly with new information as needed.

Many thanks in advance.

BoldPay

Edited by boldpat, 11 July 2008 - 10:51 PM.
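As an added worked example (not part of the original post or of anything the helpers in this thread wrote): a small Python triage pass over HijackThis-style log lines of the kind posted above. It parses the "<section> - <body>" format and pulls out the entry types a forum helper would normally ask a poster to verify by hand: O20 Winlogon Notify DLLs, O4 autostart binaries that sit directly in the Windows root, and O23 services with no recorded publisher. The sample lines are copied from the HijackThis log in this post; the rule names and the Finding class are this example's own. The hits are prompts for manual verification only, not verdicts, and nothing in the thread establishes whether any flagged item is malicious.

```python
"""Triage pass over HijackThis-style log lines (added example, not from the thread).

HijackThis prints one item per line as "<section> - <body>", e.g.
  O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
The rules below do not decide whether anything is malicious; they pick out the
entry types a forum helper would ask the poster to verify by hand.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# "O4 - ...", "R1 - ...", "O23 - ..." etc.; anything else (headers, process list) is skipped.
ITEM_RE = re.compile(r'^([RFNO]\d+) - (.*)$')
# First drive-letter path that ends in a binary or driver extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
# A file sitting directly in the Windows directory (no subfolder), e.g. C:\WINDOWS\foo.exe.
WINDOWS_ROOT_RE = re.compile(r'^[A-Za-z]:\\windows\\[^\\]+$', re.IGNORECASE)


@dataclass
class Finding:
    rule: str      # which heuristic fired (rule names are this example's own)
    section: str   # HijackThis section code, e.g. "O20"
    line: str      # the body of the log line, kept verbatim for the reviewer


def parse_hjt(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each item line, skipping headers and blank lines."""
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def first_path(body: str) -> Optional[str]:
    """Return the first drive-letter binary path in a line body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage(text: str) -> List[Finding]:
    """Apply the review heuristics to a whole log and return every hit, in log order."""
    findings: List[Finding] = []
    for section, body in parse_hjt(text):
        path = first_path(body)
        # O20: Winlogon Notify DLLs are loaded into winlogon.exe at logon; third-party
        # entries are uncommon, so every one is worth identifying.
        if section == 'O20':
            findings.append(Finding('winlogon-notify', section, body))
        # O4: an autostart binary living directly in the Windows root rather than under
        # Program Files or system32 is unusual for vendor software.
        if section == 'O4' and path and WINDOWS_ROOT_RE.match(path):
            findings.append(Finding('autostart-in-windows-root', section, body))
        # O23: a service whose binary carries no publisher information.
        if section == 'O23' and 'Unknown owner' in body:
            findings.append(Finding('service-unknown-owner', section, body))
    return findings


# Constructed sample: these lines are copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: QuickMonth Calendar.lnk = C:\WINDOWS\qmc.exe
O20 - Winlogon Notify: gcdef32 - C:\WINDOWS\SYSTEM32\gcdef32.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.rule}] {f.section} - {f.line}')
```

Run against the sample, the script flags the Startup entry for qmc.exe (location rule), the gcdef32 Winlogon Notify entry, and the two "Unknown owner" services, while the Symantec and ctfmon entries pass untouched. The point of keeping the line body verbatim in each Finding is that the next step is always manual: check the file's publisher, signature and hash before deciding anything.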

#2 chryssi2001

Posted 03 August 2008 - 05:16 AM

Hello boldpat,

I apologise for the delay; the forum is too busy.

If you still need help, post a new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001

Posted 08 August 2008 - 11:09 AM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.