
Infected With Trojan.win32.monder.bcb & Trojan-downloader.win32.agent.xxa


This topic is locked. 10 replies to this topic.

#1 bgedeon

Posted 29 July 2008 - 02:00 PM

The last two days my computer has frozen up while trying to surf around online. This seemed weird, so I ran a full system scan with Symantec Endpoint both days. Both times the logs came back with no risks detected. Today I started getting Internet Explorer pop-ups directing me to sites. I knew at this point I had an infection that Endpoint was not picking up. I disabled my network card and used another computer to download some of the suggested programs I've seen on this site. I was hoping to at least get the problem quarantined so that I would feel safe enough to enable the network card again. After running the utilities, I am no longer freezing when surfing web pages and have resumed using the computer. I would like help making sure that my computer is clean, since Endpoint obviously isn't catching this problem.

Below are the logs for Kaspersky Online Scan & DSS.

Deckard's System Scanner v20071014.68
Run by bgedeon on 2008-07-29 14:40:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as bgedeon.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40, on 2008-07-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\bgedeon\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\bgedeon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server1/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213120057696
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213120050868
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\Software\..\Telephony: DomainName = iss-svc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 7085 bytes

-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 10:50:57 0 d-------- C:\cmdcons
2008-07-29 10:46:20 68096 --a------ C:\WINDOWS\zip.exe
2008-07-29 10:46:20 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-29 10:46:20 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-29 10:46:20 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-29 10:46:20 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-29 10:46:20 98816 --a------ C:\WINDOWS\sed.exe
2008-07-29 10:46:20 80412 --a------ C:\WINDOWS\grep.exe
2008-07-29 10:46:20 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-29 10:27:33 0 d-------- C:\Program Files\Trend Micro
2008-07-28 08:39:20 151 --a------ C:\Documents and Settings\bgedeon\error.bat
2008-07-25 11:56:25 0 d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-07-25 11:56:11 0 --a------ C:\WINDOWS\popcreg.dat
2008-07-25 11:56:11 25 --a------ C:\WINDOWS\popcinfot.dat
2008-07-25 10:34:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SPAMfighter
2008-07-24 14:10:22 0 d-------- C:\WINDOWS\Prefetch
2008-07-24 12:17:51 0 d-------- C:\WINDOWS\system32\scripting
2008-07-24 12:17:48 0 d-------- C:\WINDOWS\l2schemas
2008-07-24 12:17:47 0 d-------- C:\WINDOWS\system32\en
2008-07-24 12:09:02 0 d-------- C:\WINDOWS\network diagnostic
2008-07-15 08:13:21 0 d-------- C:\Program Files\Common Files\Crystal Decisions
2008-07-15 08:13:19 0 d-------- C:\Program Files\Sampro CrystalView
2008-07-15 08:13:19 0 d-------- C:\Program Files\Common Files\Business Objects
2008-07-15 08:07:55 0 d-------- C:\WINDOWS\system32\URTTEMP
2008-07-11 08:04:30 0 d-------- C:\WINDOWS\SchCache
2008-07-10 15:39:26 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-10 12:24:46 0 d-------- C:\Documents and Settings\bgedeon\Application Data\Help
2008-07-03 13:40:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-03 13:40:49 0 d-------- C:\Program Files\Symantec
2008-07-03 13:40:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-03 13:39:39 0 d-------- C:\TEMP
2008-07-01 09:19:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-01 09:19:15 0 d-------- C:\Documents and Settings\bgedeon\Application Data\Azureus
2008-07-01 09:18:45 0 d-------- C:\Program Files\Vuze


-- Find3M Report ---------------------------------------------------------------

2008-07-29 10:53:32 0 d-------- C:\Program Files\Common Files
2008-07-29 08:06:10 0 d-------- C:\Program Files\Java
2008-07-24 12:18:37 0 d-------- C:\Program Files\Messenger
2008-07-24 12:17:46 0 d-------- C:\Program Files\Movie Maker
2008-07-24 12:11:58 0 d-------- C:\Program Files\Windows NT
2008-07-15 08:13:19 0 d-------- C:\Program Files\Business Objects
2008-06-13 09:55:12 0 d-------- C:\Program Files\Microsoft Windows Small Business Server
2008-06-13 09:21:30 0 d-------- C:\Documents and Settings\bgedeon\Application Data\Adobe
2008-06-11 16:22:02 0 d-------- C:\Program Files\Microsoft SQL Server
2008-06-11 16:19:43 0 d-------- C:\Program Files\Citrix
2008-06-11 16:13:36 0 d-------- C:\Documents and Settings\bgedeon\Application Data\Sun
2008-06-11 16:12:43 0 d-------- C:\Documents and Settings\bgedeon\Application Data\Google
2008-06-11 16:08:51 0 d-------- C:\Documents and Settings\bgedeon\Application Data\Macromedia
2008-06-11 09:38:26 0 d-------- C:\Program Files\Setup Files
2008-06-11 09:25:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 09:23:15 0 d-------- C:\Program Files\DIFX
2008-06-11 09:20:11 0 d-------- C:\Program Files\VIA
2008-06-11 09:13:51 0 d-------- C:\Program Files\MSI
2008-06-11 08:43:45 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-10 18:09:56 0 d-------- C:\Program Files\S3
2008-06-10 17:55:21 0 d-------- C:\Program Files\Realtek
2008-06-10 17:55:15 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-06-10 17:31:42 0 d-------- C:\Program Files\Microsoft Works
2008-06-10 17:11:09 0 d-------- C:\Documents and Settings\bgedeon\Application Data\Logitech
2008-06-10 17:10:46 0 d-------- C:\Documents and Settings\bgedeon\Application Data\Identities
2008-06-10 15:31:08 0 d-------- C:\Program Files\Common Files\L&H
2008-06-10 15:30:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-10 15:30:10 0 d-------- C:\Program Files\Microsoft.NET
2008-06-10 14:55:23 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-10 14:55:00 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-10 14:54:21 0 d-------- C:\Program Files\Intuit
2008-06-10 14:53:00 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-06-10 14:49:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-10 14:43:12 0 d-------- C:\Program Files\RMClient
2008-06-10 14:43:06 0 d-------- C:\Program Files\Common Files\RDPrint
2008-06-10 13:55:26 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-10 13:47:58 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-10 13:46:52 0 d-------- C:\Program Files\Common Files\Logishrd
2008-06-10 13:45:53 0 d-------- C:\Program Files\Logitech
2008-06-10 13:39:37 0 d-------- C:\Program Files\Common Files\Java
2008-06-10 13:38:55 0 d-------- C:\Program Files\Google
2008-06-10 13:30:22 0 d-------- C:\Program Files\NETGEAR GA311 Adapter
2008-06-10 13:20:59 0 d-------- C:\Program Files\microsoft frontpage
2008-06-10 13:20:41 0 -rahs---- C:\MSDOS.SYS
2008-06-10 13:20:41 0 -rahs---- C:\IO.SYS
2008-06-10 13:20:41 0 --a------ C:\CONFIG.SYS
2008-06-10 13:20:41 0 --a------ C:\AUTOEXEC.BAT
2008-06-10 13:18:31 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-10 13:17:51 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-10 13:17:22 0 d-------- C:\Program Files\Online Services
2008-06-10 13:17:10 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-10 09:07:06 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-10 09:07:03 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-10 09:06:41 62 --ahs---- C:\Documents and Settings\bgedeon\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2004-03-17 23:47]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-03 11:09]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 C:\WINDOWS\ltmsg.exe]
"VTTimer"="VTTimer.exe" [2006-08-03 14:53 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-11 02:33 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16:06 C:\WINDOWS\RTHDCPL.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-07-03 13:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-10 13:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GA311 Smart Wizard Utility.lnk - C:\Program Files\NETGEAR GA311 Adapter\GA311.exe [2003-11-06 19:32:30]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-06-10 13:46:06]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-06-10 14:55:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-05-02 02:42 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-29 14:40:57 ------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 29, 2008 16:40:54
Records in database: 1023241
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
S:\

Scan statistics:
Files scanned: 87326
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:49:23


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\eeeoroxm.dll.vir Infected: Trojan.Win32.Monder.bcb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJBSlME.dll.vir Infected: Trojan-Downloader.Win32.Agent.xxa 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qoMgeDuS.dll.vir Infected: Trojan-Downloader.Win32.Agent.xxa 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qphgdkfl.dll.vir Infected: Trojan.Win32.Monder.bcb 1

The selected area was scanned.

#2 bgedeon

  • Topic Starter

Posted 31 July 2008 - 12:43 PM

I continued to investigate on my own. ComboFix quarantined some files, but did not delete them. A scheduled full system scan with Endpoint finally picked up some infections with the newest updates loaded. :) The Symantec scan labels the infections as Trojan.Vundo and Trojan.Metajuan. Metajuan was removed automatically, but Vundo proved to be a little more pesky. Symantec offers a removal tool for Vundo on their website. I opted to try out Malwarebytes' Anti-Malware (MBAM). It was able to locate the files that were in quarantine and some infected files that were in System Restore. I disabled System Restore to avoid any problems, and MBAM was able to delete all the files. After a system restart, I scanned with the Symantec Vundo tool and found no further signs of infection. MBAM did a good job :thumbsup: I re-enabled System Restore and created a fresh restore point. I'm hoping that this will be the end of this problem, but would still be interested in someone combing through some of my logs to see if anything was missed. I'm still a little miffed that Endpoint had not picked these infections up when they are not exactly new threats and I had the most current definitions when I ran my previous scans.

#3 chryssi2001


Posted 09 August 2008 - 11:36 AM

Hello bgedeon,

I apologise for the delay, the forum is too busy.

If you still need help, post a HijackThis log.
To do that, go to the C:\PROGRAM FILES\TRENDMICRO\HIJACKTHIS folder.

Right-click on it and create a shortcut on your desktop.
  • Double click to open HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.

Can you also post the Combofix report you have?

Edited by chryssi2001, 09 August 2008 - 11:37 AM.

Private Messages for personal support will be ignored. If you need help post in the forum.
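Reading a HijackThis log by hand means scanning the O2 (BHO), O4 (Run key), O16 (ActiveX download) and O23 (service) lines for the handful that don't belong. The script below is an added example, not part of this thread or of HijackThis itself: it parses lines in the v2.0.2 log format shown above and applies three triage heuristics. First, an O2/O20/O21 DLL sitting in system32 with an eight-letter, all-alphabetic name is flagged; the four DLLs Kaspersky reported in ComboFix's quarantine (eeeoroxm.dll, mlJBSlME.dll, qoMgeDuS.dll, qphgdkfl.dll) all match that pattern, and legitimate BHOs such as AcroIEHelper.dll and ssv.dll do not. Second, an O4 Run value given as a bare file name (KHALMNPR.EXE, LTMSG.exe) is flagged because Windows resolves it through the search path rather than a fixed location, so the reviewer should confirm which copy actually runs. Third, an O16 DPF entry whose download host is not under microsoft.com is listed for review. The sample log is constructed: most lines are copied from the logs in this thread, but the two O2 lines naming the Vundo DLLs and their CLSIDs are invented to exercise the first heuristic, and the "known good" host list and the eight-letter rule are assumptions tuned to this thread, not a general signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis v2.0.2 format. The Adobe, Java, KHALMNPR,
# LTMSG, JobHisInit, O16 and O23 lines are copied from the logs in this thread;
# the two O2 lines for eeeoroxm.dll / mlJBSlME.dll (placeholder CLSIDs) are
# invented for this example, modelled on the DLL names in the Kaspersky report.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\eeeoroxm.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\mlJBSlME.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server1/connectcomputer/nshelp.dll
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
"""

RANDOM_DLL = "random-looking 8-letter DLL name in system32"
BARE_NAME = "Run value is a bare file name (resolved via search path)"
EXTERNAL_DPF = "ActiveX download source outside microsoft.com"

# Assumption for this example: only microsoft.com hosts are treated as expected O16 sources.
KNOWN_GOOD_HOST_SUFFIXES = ("microsoft.com",)

SECTION_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
O4_CMD_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (.+)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Finding:
    section: str
    reason: str
    detail: str   # the path, file name or host that triggered the rule
    raw: str      # the full log line, for the reviewer


def random_looking(path: str) -> bool:
    """Heuristic tuned to this thread: 8 alphabetic characters, no digits."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) == 8 and stem.isalpha()


def o4_target(cmd: str) -> str:
    """Extract the executable an O4 Run value launches, ignoring arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted full path
        return cmd[1:].split('"', 1)[0]
    m = PATH_RE.search(cmd)                 # unquoted path, may contain spaces
    return m.group(0) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in ("O2", "O20", "O21"):
            paths = PATH_RE.findall(body)
            path: Optional[str] = paths[-1] if paths else None
            if path and "\\system32\\" in path.lower() and random_looking(path):
                findings.append(Finding(section, RANDOM_DLL, path, line))
        elif section == "O4":
            cm = O4_CMD_RE.match(body)
            if cm:
                target = o4_target(cm.group(1))
                if not re.match(r"^[A-Za-z]:\\|^\\\\", target):
                    findings.append(Finding(section, BARE_NAME, target, line))
        elif section == "O16":
            um = URL_RE.search(body)
            host = urlparse(um.group(0)).hostname if um else None
            if host and not host.endswith(KNOWN_GOOD_HOST_SUFFIXES):
                findings.append(Finding(section, EXTERNAL_DPF, host, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.detail}")
```

Running it on the sample prints six findings: the two Vundo-style DLLs, the two bare-name Run values, and the two non-Microsoft O16 sources. The server1 hit is a good reminder that a flag is a prompt to check, not a verdict: on this network it is the Small Business Server's connectcomputer control, which is expected on a domain-joined XP machine.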

#4 bgedeon

  • Topic Starter

Posted 11 August 2008 - 03:16 PM

Here are the requested logs. Both of these were run today. If you would like the old logs please let me know and I'll post them.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19 PM, on 8/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
S:\SAM Pro\V_200861017280.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server1/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213120057696
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213120050868
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\Software\..\Telephony: DomainName = iss-svc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 7339 bytes

ComboFix 08-08-10.05 - bgedeon 2008-08-11 15:52:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.514 [GMT -4:00]
Running from: C:\Documents and Settings\bgedeon\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bgedeon\Application Data\macromedia\Flash Player\#SharedObjects\MJEJ8KDZ\interclick.com
C:\Documents and Settings\bgedeon\Application Data\macromedia\Flash Player\#SharedObjects\MJEJ8KDZ\interclick.com\ud.sol
C:\Documents and Settings\bgedeon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\bgedeon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\bgedeon\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-11 12:25 . 2008-08-11 12:25 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-07 12:35 . 2008-08-07 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-07-31 16:35 . 2008-04-07 16:06 69,632 -ra------ C:\WINDOWS\Alcmtr.exe
2008-07-31 16:34 . 2008-07-31 16:43 <DIR> d-------- C:\Program Files\MagicISO
2008-07-31 10:04 . 2008-07-31 10:04 <DIR> d-------- C:\Documents and Settings\bgedeon\Application Data\Malwarebytes
2008-07-31 10:04 . 2008-07-31 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 09:35 . 2008-07-31 11:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-31 09:35 . 2008-07-31 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 10:30 . 2008-07-29 10:30 <DIR> d-------- C:\Deckard
2008-07-29 10:27 . 2008-07-29 10:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-28 08:39 . 2008-07-28 08:39 151 --a------ C:\Documents and Settings\bgedeon\error.bat
2008-07-25 11:56 . 2008-07-25 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-07-25 11:56 . 2008-07-25 13:58 25 --a------ C:\WINDOWS\popcinfot.dat
2008-07-25 11:56 . 2008-07-25 11:56 0 --a------ C:\WINDOWS\popcreg.dat
2008-07-25 10:34 . 2008-07-25 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SPAMfighter
2008-07-24 12:17 . 2008-07-24 12:17 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-24 12:17 . 2008-07-24 12:17 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-24 12:17 . 2008-07-24 12:17 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-24 10:16 . 2008-04-13 20:12 712,704 --a------ C:\WINDOWS\system32\windowscodecs.dll
2008-07-24 10:16 . 2008-04-13 20:12 346,112 --a------ C:\WINDOWS\system32\windowscodecsext.dll
2008-07-24 10:16 . 2008-04-13 20:12 276,992 --a------ C:\WINDOWS\system32\wmphoto.dll
2008-07-24 10:16 . 2008-04-13 20:12 69,120 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-07-24 10:16 . 2008-04-13 20:12 53,248 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-07-24 10:16 . 2008-04-13 20:12 50,688 --a------ C:\WINDOWS\system32\tspkg.dll
2008-07-24 10:16 . 2008-04-13 20:12 32,768 --a------ C:\WINDOWS\system32\setupn.exe
2008-07-24 10:16 . 2008-04-13 14:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-07-24 10:14 . 2008-04-13 20:11 397,312 --a------ C:\WINDOWS\system32\mmcex.dll
2008-07-24 10:14 . 2008-04-13 20:11 184,320 --a------ C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-07-24 10:14 . 2008-04-13 20:11 106,496 --a------ C:\WINDOWS\system32\mmcfxcommon.dll
2008-07-24 10:14 . 2008-04-13 20:11 61,440 --a------ C:\WINDOWS\system32\kmsvc.dll
2008-07-24 10:14 . 2008-04-13 20:11 37,376 --a------ C:\WINDOWS\system32\l2gpstore.dll
2008-07-24 10:14 . 2008-04-13 20:12 33,792 --a------ C:\WINDOWS\system32\mmcperf.exe
2008-07-24 10:14 . 2008-04-13 20:09 6,144 --a------ C:\WINDOWS\system32\kbdpash.dll
2008-07-24 10:14 . 2008-04-13 20:09 6,144 --a------ C:\WINDOWS\system32\kbdnepr.dll
2008-07-24 10:14 . 2008-04-13 20:09 6,144 --a------ C:\WINDOWS\system32\kbdiultn.dll
2008-07-24 10:14 . 2008-04-13 20:09 6,144 --a------ C:\WINDOWS\system32\kbdbhc.dll
2008-07-15 08:13 . 2008-07-15 08:14 <DIR> d-------- C:\Program Files\Sampro CrystalView
2008-07-15 08:13 . 2008-07-15 08:13 <DIR> d-------- C:\Program Files\Common Files\Crystal Decisions
2008-07-15 08:13 . 2008-07-15 08:13 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2008-07-15 08:07 . 2008-07-15 08:07 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-07-11 08:04 . 2008-07-11 08:04 <DIR> d-------- C:\WINDOWS\SchCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 12:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-29 12:06 --------- d-----w C:\Program Files\Java
2008-07-25 19:39 --------- d-----w C:\Documents and Settings\bgedeon\Application Data\Azureus
2008-07-15 12:13 --------- d-----w C:\Program Files\Business Objects
2008-07-11 20:19 --------- d-----w C:\Program Files\Vuze
2008-07-11 12:06 50,536 ----a-w C:\WINDOWS\system32\drivers\WpsHelper.sys
2008-07-03 17:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-03 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-03 17:42 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-03 17:42 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-03 17:42 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-03 17:42 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-03 17:42 --------- d-----w C:\Program Files\Symantec
2008-07-03 17:38 705 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-03 17:38 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-07-03 17:38 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-07-03 17:38 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-07-03 17:38 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-07-03 17:38 22,112 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-03 17:38 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-07-03 17:38 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-07-03 17:38 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-07-03 17:38 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-07-03 17:38 10,592 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-03 17:38 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-07-01 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:55 --------- d-----w C:\Program Files\Microsoft Windows Small Business Server
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 21:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Logitech
2008-06-11 20:22 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-06-11 20:19 --------- d-----w C:\Program Files\Citrix
2008-06-11 13:38 --------- d-----w C:\Program Files\Setup Files
2008-06-11 13:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 13:23 --------- d-----w C:\Program Files\DIFX
2008-06-11 13:20 --------- d-----w C:\Program Files\VIA
2008-06-11 13:13 --------- d-----w C:\Program Files\MSI
2008-06-11 12:43 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-10 21:55 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-10 13:38 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2004-03-17 23:47 151552]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-03 11:09 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-07-03 13:39 115560]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 76304 C:\WINDOWS\KHALMNPR.Exe]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]
"VTTimer"="VTTimer.exe" [2006-08-03 14:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-11 02:33 176128 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16:06 16859136 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GA311 Smart Wizard Utility.lnk - C:\Program Files\NETGEAR GA311 Adapter\GA311.exe [2003-11-06 19:32:30 270336]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-06-10 13:46:06 805392]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-06-10 14:55:03 724992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3390:TCP"= 3390:TCP:*:Disabled:Remote Desktop

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-08-15 02:55]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-09-12 10:43]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-03 13:38]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 11:58]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
C:\WINDOWS\Downloaded Program Files\MSIWDev.inf


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 15:55:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp1c24.tmp
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp3980.tmp

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-08-11 15:58:36
ComboFix-quarantined-files.txt 2008-08-11 19:58:28

Pre-Run: 21,691,617,280 bytes free
Post-Run: 21,778,251,776 bytes free

190 --- E O F --- 2008-07-09 12:16:10

#5 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 12 August 2008 - 02:56 AM

Hello bgedeon,

Can you also post the Combofix report you have?

Please follow my instructions as I post them. I just wanted the previous Combofix report you had.
Do not post it now; since you ran Combofix again, it's not needed.
----------------------------------------------
I have some questions for you.

S:\SAM Pro << did you download this program?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\Software\..\Telephony: DomainName = iss-svc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5


Do you recognise these lines, are they from your ISP or company network?
----------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Vuze

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------

C:\Documents and Settings\bgedeon\error.bat

Did you or someone else create that file, to fix something on your pc lately?

Please right-click and open it in Notepad, and post the contents back here.
----------------------------------------------
Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following folder; if found, delete it:

C:\Documents and Settings\All Users\Application Data\PopCap
----------------------------------------------
I see you have Malwarebytes on your pc.

Malwarebytes' Anti-Malware
  • Please update the program.
  • Once the program is updated, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Answers to my questions.
A new HijackThis log.
Malwarebytes' Anti-Malware report.
Contents of error.bat
How is the pc behaving now?
Private Messages for personal support will be ignored. If you need help post in the forum.

#6 bgedeon

bgedeon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:38 AM

Posted 12 August 2008 - 09:22 AM

Please follow my instructions as I post them. I just wanted the previous Combofix report you had. Do not post it now; since you ran Combofix again, it's not needed.

Sorry about that. I could not find the old Combofix log even after running a search. :thumbsup:

S:\SAM Pro << did you download this program?

This is a mapped network drive. SAM Pro is the database program used at my company.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\Software\..\Telephony: DomainName = iss-svc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5

All info for my company's network.

Vuze/Azureus has been removed from this computer.

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

These lines do not show up on the HijackThis Scan anymore.

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

This line was checked and removed. (I don't need to keep this on the machine anymore, but this is microstar's update program for their motherboards)

C:\Documents and Settings\bgedeon\error.bat
Did you or someone else create that file, to fix something on your pc lately?
Please right-click and open it in Notepad, and post the contents back here.

Contents of file:
@echo off
SLEEP 2
del "%CommonProgramFiles%\Audio\snddrv.exe" /f /q
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v CheckSound /f

I didn't create the file, but I was having a sound issue with this machine after installing SP3 and downloaded and installed the newest drivers from microstar. I was not prompted that any errors occurred though.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following folder; if found, delete it:
C:\Documents and Settings\All Users\Application Data\PopCap

This folder has been deleted.

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10 AM, on 08/12/08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server1/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213120057696
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213120050868
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\Software\..\Telephony: DomainName = iss-svc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 6882 bytes


Here is the log for MBAM:

Malwarebytes' Anti-Malware 1.24
Database version: 1043
Windows 5.1.2600 Service Pack 3

10:04:39 AM 08/12/08
mbam-log-8-12-2008 (10-04-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 88914
Time elapsed: 40 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Since the initial clean up that I did with Combofix and MBAM the machine has been running well. I haven't noticed any lags or unusual behavior.
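The line-by-line review in this exchange (O4 autostarts given as bare file names, O16 ActiveX downloads, O17 domain and name-server settings) can be automated for triage. The script below is an added example, not code from the thread or from HijackThis; the sample lines are copied from the logs posted above, and the allow-list values (iss-svc.local, 192.168.1.5, www.update.microsoft.com) are assumptions taken from the owner's answers.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not the tool's own code).

Applies the checks the helper made by hand in this thread:
  * O4  autostart entries given as a bare file name instead of a full path
  * O16 ActiveX (DPF) downloads whose host is not on an allow-list
  * O17 Domain / NameServer values that differ from what the owner expects
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Policy:
    trusted_activex_hosts: frozenset  # hosts allowed to serve DPF controls
    expected_domains: frozenset       # DNS suffixes the owner recognises
    expected_nameservers: frozenset   # resolvers the owner recognises


@dataclass(frozen=True)
class Finding:
    section: str  # "O4", "O16" or "O17"
    reason: str
    line: str


# Assumed policy for this thread's machine: the owner confirmed iss-svc.local and
# 192.168.1.5 belong to the company network; Microsoft Update is a known DPF host.
POLICY = Policy(
    trusted_activex_hosts=frozenset({"www.update.microsoft.com"}),
    expected_domains=frozenset({"iss-svc.local"}),
    expected_nameservers=frozenset({"192.168.1.5"}),
)

_O4 = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
_O16 = re.compile(r'^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)')
_O17 = re.compile(r'^O17 - (?P<key>.+?): (?P<param>Domain|DomainName|NameServer) = (?P<value>.+)$')
_ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')  # optional quote, drive letter, backslash


def triage_hjt_log(text: str, policy: Policy = POLICY) -> list[Finding]:
    """Return one Finding per log line that needs a human decision."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            # A bare name is resolved through the search path at logon, so the log
            # alone does not say which file on disk actually runs.
            if not _ABS_PATH.match(m["cmd"]):
                findings.append(Finding("O4", f"autostart '{m['name']}' has no full path: {m['cmd']}", line))
        elif m := _O16.match(line):
            host = (urlsplit(m["url"]).hostname or "").lower()
            if host not in policy.trusted_activex_hosts:
                findings.append(Finding("O16", f"ActiveX control '{m['desc']}' served from untrusted host {host}", line))
        elif m := _O17.match(line):
            value = m["value"].strip()
            if m["param"] in ("Domain", "DomainName"):
                ok = value.lower() in policy.expected_domains
            else:
                # NameServer may list several resolvers separated by commas or spaces
                ok = set(re.split(r"[,\s]+", value)) <= policy.expected_nameservers
            if not ok:
                findings.append(Finding("O17", f"{m['param']} = {value} is not a known network setting", line))
    return findings


# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

With the assumed policy only the bare ALCMTR.EXE autostart and the msi.com.tw ActiveX download are reported; the O17 lines pass because they match what the owner confirmed.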

#7 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 12 August 2008 - 01:25 PM

Hello bgedeon,

Thanks for all the information, very carefully answered. :)

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

When you need to go there it will be downloaded on your pc.
It's ActiveX, so no worries.

C:\Documents and Settings\bgedeon\error.bat
I didn't create the file, but I was having a sound issue with this machine after installing SP3 and downloaded and installed the newest drivers from microstar. I was not promoted that any errors occurred though.

You can keep the file if you need it.
I just wanted to know what it is, in case there was something bad in it.

Since the initial clean up that I did with Combofix and MBAM the machine has been running well. I haven't noticed any lags or unusual behavior.

I suppose it removed all malware on your pc, and only remnants were left for me. :thumbsup:

Please avoid running Combofix, if you have any problems again, post in a forum like this and someone will help you.
Combofix is a very strong tool; it's not advised to be used without supervision from a trained person.
----------------------------------------------
Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version, Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log.

Private Messages for personal support will be ignored. If you need help post in the forum.

#8 bgedeon

bgedeon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:38 AM

Posted 13 August 2008 - 10:39 AM

I uninstalled Acrobat 8 & installed Acrobat 9 per your suggestion.

Here is the online scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 13, 2008 13:27:28
Records in database: 1088968
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\

Scan statistics:
Files scanned: 61610
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:16:12

No malware has been detected. The scan area is clean.

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35 AM, on 08/13/08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server1/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213120057696
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213120050868
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\Software\..\Telephony: DomainName = iss-svc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iss-svc.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{093D223B-5F3A-4BC6-B676-EDD0CB0B5804}: NameServer = 192.168.1.5
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 7145 bytes

#9 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 13 August 2008 - 04:28 PM

Hello bgedeon,

Everything looks good.
----------------------------------------------
I can't see any firewall in your HijackThis log, so I assume you use Windows Firewall.

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient, but it only controls one direction of traffic (inbound). Simply using a firewall in its default configuration can lower your risk greatly. It's preferable to install one of the suggested firewalls.
Vista users must check compatibility with Vista before installation.

FREE FIREWALLS
A tutorial about firewalls can be found here.
----------------------------------------------
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
----------------------------------------------
Congratulations, you are clean! :thumbsup:

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
The tutorial on how to use Spybot properly can be found here.

Install SpyWare Blaster 4.0
Download it from here
The tutorial on how to use SpywareBlaster properly can be found here.

Install WinPatrol
Download it from here
Information about how WinPatrol works can be found here.

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here on how to prevent malware.

Happy safe surfing!
Private Messages for personal support will be ignored. If you need help post in the forum.
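The HOSTS-file blocking that chryssi2001 describes above (ad sites redirected to 127.0.0.1), as an added example that is not part of the original thread: a small Python check that parses an MVPS-style HOSTS file and reports which names it sinkholes to the local machine, so you can verify that a given site is actually blocked. The sample entries are constructed for illustration, not taken from the real MVPS file.

```python
"""Check which hostnames an MVPS-style HOSTS file sinkholes to the local machine."""
import ipaddress

# Constructed sample in HOSTS-file format (not the real MVPS file).
SAMPLE_HOSTS = """\
# Example HOSTS file entries (constructed)
127.0.0.1       localhost
127.0.0.1  ads.example.net      # an ad server
127.0.0.1  tracker.example.org  beacon.example.org
0.0.0.0    badware.example.com
192.168.1.5     fileserver.lan   # a real LAN host, not a block entry

::1             localhost
"""

# Addresses that point back at the machine itself; a name mapped here is unreachable.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname (lowercase): address} for every mapping in the file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: skip it rather than guess
        for name in fields[1:]:
            # First entry for a name wins, matching resolver behaviour.
            mapping.setdefault(name.lower(), address)
    return mapping


def is_sinkholed(mapping, hostname):
    """True if the hostname resolves to the local machine via the HOSTS file."""
    return mapping.get(hostname.lower().rstrip(".")) in BLOCK_ADDRESSES


def sinkholed_hosts(mapping):
    """Sorted list of blocked hostnames, excluding the machine's own localhost entry."""
    return sorted(h for h, a in mapping.items() if a in BLOCK_ADDRESSES and h != "localhost")


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", sinkholed_hosts(hosts))
```

On a Windows XP machine the file to feed `parse_hosts` is C:\WINDOWS\system32\drivers\etc\hosts; the same check works on any OS that honours a HOSTS file.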

#10 bgedeon

bgedeon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 14 August 2008 - 07:21 AM

Thanks for the help! :thumbsup:

#11 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 14 August 2008 - 11:10 AM

You are welcome :thumbsup:
----------------------------------------------
I'm glad I could help you out! :)
Now that your problem appears to be resolved, this thread will be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
Private Messages for personal support will be ignored. If you need help post in the forum.
