
CiD: http://www.adserver5.com* etc. Help?


9 replies to this topic

#1 vict0r

  • Members
  • 22 posts

Posted 17 November 2008 - 03:18 PM

Popups + usb and cd-rom malfunctioning!

--------- HiJackThis! logfile -------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32, on 2008-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\awServ.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Java\jre1.5.0_05\bin\jusched.exe
C:\Programfiler\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0220Mon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Ingri\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startguiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ntiMUI] c:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programfiler\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Programfiler\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Live! Cam Manager] C:\Programfiler\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [deleteshow] C:\DOCUME~1\Ingri\PROGRA~1\ACEBIT~1\SURF SOFTWARE SIZE.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ingri\Start-meny\Programmer\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\Empowering Technology\awServ.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Spionprogrambeskyttelse fra Trend Micro (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7037 bytes
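As an added example (not code from this thread or from any of the tools named in it), a small Python triage script that parses the O4, O16 and O23 entry formats of a HijackThis log like the one above and flags the entries a helper would look at first: an autorun launched from a user profile directory (as the [deleteshow] entry here is), a service whose binary is missing or whose owner is unknown, and an ActiveX (O16) download from a host outside an allow-list. The allow-list is an assumption and the sample lines are copied from the posted log; a flag means "review", not "malicious".

```python
"""Triage a HijackThis-style log (added example; not BleepingComputer's or Trend Micro's code).

Parses the O4 (Run keys), O16 (ActiveX DPF downloads) and O23 (services) entry
formats used in the log above and applies three defender-side review heuristics:
an autorun whose executable lives under a user profile directory, a service whose
binary is missing or whose owner is unknown, and an ActiveX download from a host
outside a constructed allow-list. Every flag means "review", not "malicious".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the posted HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startguiden.no/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [deleteshow] C:\DOCUME~1\Ingri\PROGRA~1\ACEBIT~1\SURF SOFTWARE SIZE.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
"""

# Assumption: hosts a helper already trusts for online-scanner ActiveX controls.
TRUSTED_DPF_HOSTS: Set[str] = {
    "messenger.zone.msn.com",
    "housecall65.trendmicro.com",
    "download.bitdefender.com",
    "support.f-secure.com",
}

# Path fragments that mark a per-user location rather than Program Files / Windows.
USER_PROFILE_MARKERS = (
    "\\docume~1\\", "\\documents and settings\\", "\\users\\",
    "%userprofile%", "%appdata%", "%temp%",
)

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str                 # "O4", "O16", "O23", or another HijackThis section code
    raw: str
    name: str = ""
    path: str = ""
    flags: List[str] = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the program path from a Run value, dropping quotes and trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted values: cut at the first " /" or " -" switch; spaces inside the path survive.
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def triage(log_text: str, trusted_hosts: Set[str] = TRUSTED_DPF_HOSTS) -> List[Entry]:
    """Parse each log line into an Entry and attach review flags."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = Entry(section=line.split(" - ", 1)[0], raw=line)
        if (m := O4_RE.match(line)) is not None:
            entry.name = m["name"]
            entry.path = executable_of(m["cmd"])
            if any(marker in entry.path.lower() for marker in USER_PROFILE_MARKERS):
                entry.flags.append("autorun from user profile")
        elif (m := O16_RE.match(line)) is not None:
            entry.name = m["name"]
            entry.path = m["url"]
            host = (urlparse(m["url"]).hostname or "").lower()
            if host not in trusted_hosts:
                entry.flags.append("ActiveX download from host not on allow-list")
        elif (m := O23_RE.match(line)) is not None:
            entry.name = m["name"]
            entry.path = m["path"]
            if m["vendor"].strip().lower() == "unknown owner":
                entry.flags.append("unknown service owner")
            if entry.path.rstrip().endswith("(file missing)"):
                entry.flags.append("service binary missing")
        entries.append(entry)
    return entries


def flagged(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map entry name -> flags for the entries that deserve a second look."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(triage(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(flags)}")
```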

#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 24 November 2008 - 04:09 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Drivers setting from "None" to Non-Microsoft.
  • Under the Additional Scans bar, check:
    *Reg - Disabled MS Config Items
    *Reg - File Associations
    *Reg - Uninstall List

  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important! Please do not select the Show all checkbox during the scan.

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)
-C:\ComboFix.txt (if it still exists)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 vict0r
  • Topic Starter

  • Members
  • 22 posts

Posted 26 November 2008 - 08:53 AM

ehm... I have used CCleaner and played with !Killbox to remove unwanted stuff and scanned with various scanners.

I installed and removed logmein to access the computer while I was away.

I can't remember anything else.

It was done before your post, sorry.


Hijackthis reported this one prior to starting the topic:
C:\Documents and Settings\All Users\Programdata\Joy coal mpeg heck\MODE NEW.exe
It still exists on my system (yes I tried !Killbox)

I can't find Lieslisttrust.exe anymore! :s

Still no cd-rom or USB! (at least cd-rom works in safe mode).


gmer log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-26 13:12:03
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys (Trend Micro Malicious Behavior Detector (i386-fre)/Trend Micro Inc.) ZwClose [0xAA192CE0]
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys (Trend Micro Malicious Behavior Detector (i386-fre)/Trend Micro Inc.) ZwConnectPort [0xAA192FB0]
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys (Trend Micro Malicious Behavior Detector (i386-fre)/Trend Micro Inc.) ZwCreateProcess [0xAA192310]
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys (Trend Micro Malicious Behavior Detector (i386-fre)/Trend Micro Inc.) ZwCreateProcessEx [0xAA1925E0]
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys (Trend Micro Malicious Behavior Detector (i386-fre)/Trend Micro Inc.) ZwOpenProcess [0xAA192840]
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys (Trend Micro Malicious Behavior Detector (i386-fre)/Trend Micro Inc.) ZwRequestWaitReplyPort [0xAA193150]
SSDT \SystemRoot\system32\DRIVERS\tm_mbd_c.sys (Trend Micro Malicious Behavior Detector (i386-fre)/Trend Micro Inc.) ZwWriteVirtualMemory [0xAA192E80]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FE2 80503DB6 2 Bytes [ 19, AA ]

---- User code sections - GMER 1.0.14 ----

.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!LoadResource 7C809FB5 7 Bytes JMP 28001CC0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!FindResourceExW 7C80AC88 7 Bytes JMP 28001B00 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!FindResourceW 7C80BBCE 7 Bytes JMP 28001A80 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!SizeofResource 7C80BC69 7 Bytes JMP 28001D80 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!FindResourceA 7C80BE89 7 Bytes JMP 28001B90 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!LockResource 7C80CC97 5 Bytes JMP 28001DF0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!CreateEventA 7C8308AD 5 Bytes JMP 28001840 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!FindResourceExA 7C835F78 7 Bytes JMP 28001C20 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Programfiler\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] kernel32.dll!OutputDebugStringW 7C85A42D 5 Bytes JMP 28001E50 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] ADVAPI32.dll!CryptDeriveKey 77DDA685 7 Bytes JMP 28001000 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] ADVAPI32.dll!CryptDecrypt 77DDA7B1 2 Bytes JMP 28001060 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] ADVAPI32.dll!CryptDecrypt + 3 77DDA7B4 4 Bytes [ 22, B0, CC, CC ]
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 280040D0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 28003860 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!SetWindowRgn 7E41FFB2 7 Bytes JMP 280059B0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!LoadIconW 7E420894 5 Bytes JMP 280062E0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!LoadImageW 7E422CFE 5 Bytes JMP 280060F0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!CreateDialogParamW 7E427D4F 5 Bytes JMP 28005AF0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!SetWindowPlacement 7E42D84C 5 Bytes JMP 28005870 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 28005CE0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] USER32.dll!TrackPopupMenuEx 7E46CD28 5 Bytes JMP 280049B0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WS2_32.dll!send 71AA428A 5 Bytes JMP 2800A210 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WS2_32.dll!WSARecv 71AA4318 5 Bytes JMP 28009FF0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WS2_32.dll!recv 71AA615A 5 Bytes JMP 28009E50 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WS2_32.dll!WSASend 71AA6233 5 Bytes JMP 2800A3F0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 2800A630 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] SHELL32.dll!Shell_NotifyIconW 7CA261F5 5 Bytes JMP 28003020 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] ole32.dll!CoInitializeEx 774EEF6B 5 Bytes JMP 28002100 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] ole32.dll!CoRegisterClassObject 77508720 5 Bytes JMP 28002200 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WININET.dll!InternetCloseHandle 4447DA59 5 Bytes JMP 28008FA0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WININET.dll!HttpOpenRequestA 44484341 5 Bytes JMP 28008C60 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WININET.dll!InternetReadFile 4448ABB4 5 Bytes JMP 28008DF0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[1000] WININET.dll!HttpSendRequestA 4448CD40 5 Bytes JMP 28008ED0 C:\Programfiler\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- EOF - GMER 1.0.14 ----


Edited by vict0r, 26 November 2008 - 08:56 AM.


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 26 November 2008 - 12:03 PM

Hello.

Your Messenger Plus! was bundled with Cid:
"Messenger Plus! Live & Sponsor (CiD)"

Please uninstall it.

Run Fix with OTScanIt
We will run OTScanIt again, but the directions are slightly different. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Files/Folders - Created Within 30 days]
    NY -> vcmgcd32.dll -> %SystemRoot%\System32\vcmgcd32.dll
    NY -> iifgfgf.dll -> %SystemRoot%\System32\iifgfgf.dll
    NY -> systems.txt -> %SystemRoot%\System32\systems.txt
    NY -> eEmpty.exe -> %SystemRoot%\System32\eEmpty.exe
    NY -> nb-no -> %SystemRoot%\System32\nb-no
    NY -> WBEM -> %SystemRoot%\WBEM
    NY -> BDOSCAN8 -> %SystemRoot%\BDOSCAN8
    NY -> rundl132.dll -> %SystemRoot%\rundl132.dll
    NY -> logo1_.exe -> %SystemRoot%\logo1_.exe
    NY -> zts2.exe -> %SystemRoot%\zts2.exe
    NY -> rundll16.exe -> %SystemRoot%\rundll16.exe
    NY -> A945FDAA90AE721A.job -> %SystemRoot%\tasks\A945FDAA90AE721A.job
    [Extra Files]
    C:\Documents and Settings\All Users\Programdata\Joy coal mpeg heck\
    [Empty Temp Folders]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Download and Run Lop S&D
You can find detailed instructions with visuals here:
http://eric.71.mespages.googlepages.com/lop.sd.en
  • Disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please download Lop S&D by Eric_71 to your desktop, if you have not already or you lost your copy.
  • Double click LopSD.exe to run it. If you are using Windows Vista, right-click on LopSD.exe icon and select Run as administrator.
  • Choose the language by typing the corresponding letter and pressing Enter.
  • Click OK at the prompt.
  • At this point, close all windows.
  • Type 1 followed by Enter to select option "1 - Search".
  • When the scan is finished, a report (C:\lopR.txt) will be generated, post the contents of it in your next reply.
Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

Please post back with:
-the OTScanIt fix log
-the Lop S&D log
-a new OTScanit log (leave settings at default, attached) (do this last)

With Regards,
The Panda

#5 vict0r
  • Topic Starter

  • Members
  • 22 posts

Posted 26 November 2008 - 03:32 PM

Well... Avast came up with a few infections and some error messages in the scan before Windows XP started.

I really feel the need for a second scan. Do you know how?


OTScanIt fix-log:

[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\vcmgcd32.dll folder moved successfully.
C:\WINDOWS\System32\iifgfgf.dll folder moved successfully.
C:\WINDOWS\System32\systems.txt folder moved successfully.
C:\WINDOWS\System32\eEmpty.exe moved successfully.
C:\WINDOWS\System32\nb-no folder moved successfully.
C:\WINDOWS\WBEM folder moved successfully.
C:\WINDOWS\BDOSCAN8 folder moved successfully.
C:\WINDOWS\rundl132.dll folder moved successfully.
C:\WINDOWS\logo1_.exe folder moved successfully.
C:\WINDOWS\zts2.exe folder moved successfully.
C:\WINDOWS\rundll16.exe folder moved successfully.
C:\WINDOWS\tasks\A945FDAA90AE721A.job moved successfully.
[Extra Files]
< C:\Documents and Settings\All Users\Programdata\Joy coal mpeg heck\ >
C:\Documents and Settings\All Users\Programdata\Joy coal mpeg heck folder moved successfully.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11262008_185441

---------------------------------------------------------------------


Lop S&D log:


--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel® Pentium® D CPU 2.80GHz )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : Ingri ( Administrator )
BOOT : Normal boot
Antivirus : Trend Micro PC-cillin Internet Security 2007 15.30.1234 (Not Activated)
Firewall : Trend Micro PC-cillin Internet Security 15 (Activated)
C:\ (Local Disk) - FAT32 - Total:35 Go (Free:10 Go)
D:\ (Local Disk) - FAT32 - Total:35 Go (Free:32 Go)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( 26.11.2008|19:01 )

--------------------\\ Listing folders in PROGRA~1

[18.11.2005|17:57] C:\DOCUME~1\DEFAUL~1\PROGRA~1\Identities
[18.11.2005|17:42] C:\DOCUME~1\DEFAUL~1\PROGRA~1\Microsoft
[18.11.2005|18:05] C:\DOCUME~1\DEFAUL~1\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\DEFAUL~1\PROGRA~1\byte
[5|mappe®] C:\DOCUME~1\DEFAUL~1\PROGRA~1\byte ledig

[18.11.2005|18:02] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Adobe
[09.01.2008|17:28] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple
[21.08.2007|15:25] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple Computer
[13.08.2007|10:58] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Avocent AdminWorks
[25.11.2008|22:10] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Blizzard
[16.10.2007|16:18] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Creative
[12.01.2008|14:39] C:\DOCUME~1\ALLUSE~1\PROGRA~1\CyberLink
[21.09.2008|13:00] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Google
[17.11.2008|19:18] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Lavasoft
[17.11.2008|20:31] C:\DOCUME~1\ALLUSE~1\PROGRA~1\LogMeIn
[07.09.2008|21:25] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Malwarebytes
[18.11.2005|17:42] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Microsoft
[18.11.2008|15:22] C:\DOCUME~1\ALLUSE~1\PROGRA~1\MicroWorld
[17.11.2008|19:57] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spybot - Search & Destroy
[18.11.2005|18:05] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Symantec
[13.08.2007|11:18] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Trend Micro
[17.11.2008|18:22] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Windows Genuine Advantage
[21.08.2007|22:16] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Windows Live Toolbar
[22.02.2008|23:47] C:\DOCUME~1\ALLUSE~1\PROGRA~1\WLInstaller
[13.08.2007|11:04] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Yahoo! Companion
[0|fil(er)] C:\DOCUME~1\ALLUSE~1\PROGRA~1\byte
[22|mappe®] C:\DOCUME~1\ALLUSE~1\PROGRA~1\byte ledig

[18.11.2005|17:42] C:\DOCUME~1\NETWOR~1\PROGRA~1\Microsoft
[0|fil(er)] C:\DOCUME~1\NETWOR~1\PROGRA~1\byte
[3|mappe®] C:\DOCUME~1\NETWOR~1\PROGRA~1\byte ledig

[18.11.2005|17:42] C:\DOCUME~1\LOCALS~1\PROGRA~1\Microsoft
[0|fil(er)] C:\DOCUME~1\LOCALS~1\PROGRA~1\byte
[3|mappe®] C:\DOCUME~1\LOCALS~1\PROGRA~1\byte ledig

[18.11.2005|17:57] C:\DOCUME~1\ADMINI~1\PROGRA~1\Identities
[18.11.2005|17:42] C:\DOCUME~1\ADMINI~1\PROGRA~1\Microsoft
[18.11.2005|18:05] C:\DOCUME~1\ADMINI~1\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\ADMINI~1\PROGRA~1\byte
[5|mappe®] C:\DOCUME~1\ADMINI~1\PROGRA~1\byte ledig

[11.11.2008|22:02] C:\DOCUME~1\INGRI\PROGRA~1\acebitssite
[13.08.2007|11:02] C:\DOCUME~1\INGRI\PROGRA~1\Acer
[19.02.2008|02:51] C:\DOCUME~1\INGRI\PROGRA~1\Adobe
[21.08.2007|15:26] C:\DOCUME~1\INGRI\PROGRA~1\Apple Computer
[13.08.2007|10:58] C:\DOCUME~1\INGRI\PROGRA~1\Avocent AdminWorks
[11.09.2007|14:09] C:\DOCUME~1\INGRI\PROGRA~1\Creative
[12.01.2008|14:40] C:\DOCUME~1\INGRI\PROGRA~1\CyberLink
[21.09.2008|13:10] C:\DOCUME~1\INGRI\PROGRA~1\Google
[18.11.2005|17:57] C:\DOCUME~1\INGRI\PROGRA~1\Identities
[21.08.2007|15:12] C:\DOCUME~1\INGRI\PROGRA~1\LimeWire
[21.08.2007|15:19] C:\DOCUME~1\INGRI\PROGRA~1\Macromedia
[07.09.2008|21:26] C:\DOCUME~1\INGRI\PROGRA~1\Malwarebytes
[18.11.2005|17:42] C:\DOCUME~1\INGRI\PROGRA~1\Microsoft
[15.06.2008|21:47] C:\DOCUME~1\INGRI\PROGRA~1\Moyea
[24.11.2008|17:15] C:\DOCUME~1\INGRI\PROGRA~1\Sun
[18.11.2005|18:05] C:\DOCUME~1\INGRI\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\INGRI\PROGRA~1\byte
[18|mappe®] C:\DOCUME~1\INGRI\PROGRA~1\byte ledig

[18.11.2005|17:57] C:\DOCUME~1\INGRI^~1\PROGRA~1\Identities
[18.11.2005|17:42] C:\DOCUME~1\INGRI^~1\PROGRA~1\Microsoft
[18.11.2005|18:05] C:\DOCUME~1\INGRI^~1\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\INGRI^~1\PROGRA~1\byte
[5|mappe®] C:\DOCUME~1\INGRI^~1\PROGRA~1\byte ledig

[03.10.2008|12:26] C:\DOCUME~1\A-CHAN\PROGRA~1\Adobe
[03.10.2008|12:27] C:\DOCUME~1\A-CHAN\PROGRA~1\Google
[18.11.2005|17:57] C:\DOCUME~1\A-CHAN\PROGRA~1\Identities
[18.11.2005|17:42] C:\DOCUME~1\A-CHAN\PROGRA~1\Microsoft
[18.11.2005|18:05] C:\DOCUME~1\A-CHAN\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\A-CHAN\PROGRA~1\byte
[7|mappe®] C:\DOCUME~1\A-CHAN\PROGRA~1\byte ledig

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[30.10.2008 21:27][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[26.11.2008 18:46][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 20:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Programfiler

[13.08.2007|11:28] C:\Programfiler\3COM
[11.11.2008|22:02] C:\Programfiler\acebitssite
[13.08.2007|11:00] C:\Programfiler\Acer
[18.11.2005|18:02] C:\Programfiler\Adobe
[15.06.2008|21:53] C:\Programfiler\Allok MPEG4 Converter
[03.09.2008|15:00] C:\Programfiler\Apple Software Update
[16.09.2008|18:08] C:\Programfiler\Bonjour
[18.11.2005|17:46] C:\Programfiler\ComPlus Applications
[11.09.2007|13:58] C:\Programfiler\Creative
[18.11.2005|18:03] C:\Programfiler\CyberLink
[18.11.2005|17:47] C:\Programfiler\Elektroniske tjenester
[18.11.2005|17:42] C:\Programfiler\Fellesfiler
[21.09.2008|13:00] C:\Programfiler\Google
[18.11.2005|17:57] C:\Programfiler\InstallShield Installation Information
[18.11.2005|17:55] C:\Programfiler\Intel
[18.11.2005|17:47] C:\Programfiler\Internet Explorer
[06.02.2008|16:47] C:\Programfiler\iPod
[06.02.2008|16:47] C:\Programfiler\iTunes
[18.11.2005|18:08] C:\Programfiler\Java
[17.11.2008|19:18] C:\Programfiler\Lavasoft
[21.08.2007|15:12] C:\Programfiler\LimeWire
[07.09.2008|21:25] C:\Programfiler\Malwarebytes' Anti-Malware
[18.11.2005|17:46] C:\Programfiler\Messenger
[03.09.2007|22:42] C:\Programfiler\Microsoft CAPICOM 2.1.0.2
[18.11.2005|17:48] C:\Programfiler\microsoft frontpage
[13.08.2007|11:31] C:\Programfiler\Microsoft Office
[13.08.2007|11:32] C:\Programfiler\Microsoft Visual Studio
[13.08.2007|11:32] C:\Programfiler\Microsoft Works
[13.08.2007|11:31] C:\Programfiler\Microsoft.NET
[18.11.2005|17:47] C:\Programfiler\Movie Maker
[16.06.2008|07:08] C:\Programfiler\MSECACHE
[18.11.2005|17:46] C:\Programfiler\MSN Gaming Zone
[21.08.2007|22:15] C:\Programfiler\MSN Messenger
[18.11.2005|17:47] C:\Programfiler\NetMeeting
[18.11.2005|18:04] C:\Programfiler\NewTech Infosystems
[18.11.2005|17:47] C:\Programfiler\Outlook Express
[07.09.2008|20:04] C:\Programfiler\Panda Security
[06.02.2008|16:42] C:\Programfiler\QuickTime
[18.11.2005|17:57] C:\Programfiler\Realtek
[03.09.2008|15:07] C:\Programfiler\Safari
[11.09.2007|14:01] C:\Programfiler\SightSpeed
[17.11.2008|19:57] C:\Programfiler\Spybot - Search & Destroy
[13.08.2007|11:18] C:\Programfiler\Trend Micro
[18.11.2005|17:57] C:\Programfiler\Uninstall Information
[21.02.2008|13:58] C:\Programfiler\VideoLAN
[16.06.2008|07:08] C:\Programfiler\Windows Installer Clean Up
[22.02.2008|23:47] C:\Programfiler\Windows Live
[18.11.2008|14:48] C:\Programfiler\Windows Live Safety Center
[21.08.2007|22:16] C:\Programfiler\Windows Live Toolbar
[18.11.2005|17:46] C:\Programfiler\Windows Media Player
[18.11.2005|17:46] C:\Programfiler\Windows NT
[18.11.2005|17:47] C:\Programfiler\WindowsUpdate
[18.11.2005|17:48] C:\Programfiler\xerox
[13.08.2007|11:01] C:\Programfiler\Yahoo!
[0|fil(er)] C:\Programfiler\byte
[56|mappe®] C:\Programfiler\byte ledig

--------------------\\ Listing Folders in C:\Programfiler\Fellesfiler

[18.11.2005|18:02] C:\Programfiler\Fellesfiler\Adobe
[09.01.2008|18:04] C:\Programfiler\Fellesfiler\Apple
[11.01.2008|20:55] C:\Programfiler\Fellesfiler\Blizzard Entertainment
[13.08.2007|11:32] C:\Programfiler\Fellesfiler\DESIGNER
[18.11.2005|17:57] C:\Programfiler\Fellesfiler\InstallShield
[18.11.2005|17:42] C:\Programfiler\Fellesfiler\Microsoft Shared
[18.11.2005|17:47] C:\Programfiler\Fellesfiler\MSSoap
[18.11.2005|18:04] C:\Programfiler\Fellesfiler\muvee Technologies
[18.11.2005|18:04] C:\Programfiler\Fellesfiler\NewTech Infosystems
[18.11.2005|17:42] C:\Programfiler\Fellesfiler\ODBC
[18.11.2005|17:42] C:\Programfiler\Fellesfiler\SpeechEngines
[18.11.2005|17:47] C:\Programfiler\Fellesfiler\System
[18.11.2005|17:47] C:\Programfiler\Fellesfiler\Tjenester
[22.02.2008|23:47] C:\Programfiler\Fellesfiler\WindowsLiveInstaller
[17.11.2008|19:17] C:\Programfiler\Fellesfiler\Wise Installation Wizard
[0|fil(er)] C:\Programfiler\Fellesfiler\byte
[17|mappe®] C:\Programfiler\Fellesfiler\byte ledig

--------------------\\ Process

( 36 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\INGRI\PROGRA~1\acebitssite
C:\Programfiler\acebitssite

--------------------\\ Searching within the Registry

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 19:02:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\INGRI\Favoritter\YouTube\YouTube - Cracking Contraptions - The Turbo Diner.url


[F:7][D:0]-> C:\DOCUME~1\Ingri\Cookies
[F:227][D:8]-> C:\DOCUME~1\Ingri\LOKALE~1\TEMPOR~1\content.IE5
[F:2][D:0]-> C:\Recycled

1 - "C:\Lop SD\LopR_1.txt" - 26.11.2008|19:02 - Option : [1]

--------------------\\ Scan completed at 19:02:49


#6 vict0r

  • Topic Starter
  • Members
  • 22 posts

Posted 26 November 2008 - 04:47 PM

Scanning for the second time now (boot-time).

#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 26 November 2008 - 05:40 PM

Hello vict0r.

Looks much better :thumbsup:.

Run Lop S&D Option 3
You can find detailed instructions with visuals here:
http://eric.71.mespages.googlepages.com/lop.sd.en
  • Disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please download Lop S&D by Eric_71 to your desktop, if you have not already or you lost your copy.
  • Double click LopSD.exe to run it. If you are using Windows Vista, right-click on LopSD.exe icon and select Run as administrator.
  • Choose the language by typing the corresponding letter and pressing Enter.
  • Click OK at the prompt.
  • At this point, close all windows.
  • Type 3 followed by Enter to select option "3 - Fix - Hosts".
  • When the scan is finished, a report (C:\lopR.txt) will be generated; post its contents in your next reply.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please post back with:
-the Lop S&D fix log
-the Kaspersky scan log
-a new HijackThis log

How is your computer running now?

With Regards,
The Panda

#8 vict0r

  • Topic Starter
  • Members
  • 22 posts

Posted 27 November 2008 - 10:50 AM

The Kaspersky scan came up with nothing.

The computer is running fine, no popups, and is fast (it was never slow), except that my CD-ROM and USB are not functional. I just tested again: they work in safe mode!

The Avast boot-time scan log tells me (translated by me into English):

File C:\WINDOWS\system\RCDSETUP.EXE\%SYS%\OCXSETUP.WS4 Error 42146 {Corrupted installation archive.}
File C:\System Volume Information\_restore{6687EBE7-080A-4649-ACCC-0296229585DF}\RP38\A0007671.exe is infected with Win32:Swizzor-N [Trj], Deleted
File C:\hiberfil.sys is infected with Win32:Agent-MYC [Trj], Repair: Error 42060 {File not repaired.}, Move to chest: Error 0xC000007F {Operation failed, not enough space on disk.}, Delete: Error 0xC0000022 {No access.}, Move: Error 0xC0000022 {No access.}

Free space on disk: 11Gb! I had to ignore hiberfil.sys as any attempt to clean it (repair, move to chest, move and delete) failed.


Lop S&D log:

--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel® Pentium® D CPU 2.80GHz )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : Ingri ( Administrator )
BOOT : Normal boot
Antivirus : Trend Micro PC-cillin Internet Security 2007 15.30.1234 (Not Activated)
Firewall : Trend Micro PC-cillin Internet Security 15 (Activated)
C:\ (Local Disk) - FAT32 - Total:35 Go (Free:10 Go)
D:\ (Local Disk) - FAT32 - Total:35 Go (Free:32 Go)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [3] ( 27.11.2008|13:54 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

Deleted! - C:\DOCUME~1\INGRI\PROGRA~1\acebitssite
Deleted! - C:\Programfiler\acebitssite

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in PROGRA~1

[18.11.2005|17:57] C:\DOCUME~1\DEFAUL~1\PROGRA~1\Identities
[18.11.2005|17:42] C:\DOCUME~1\DEFAUL~1\PROGRA~1\Microsoft
[18.11.2005|18:05] C:\DOCUME~1\DEFAUL~1\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\DEFAUL~1\PROGRA~1\byte
[5|mappe®] C:\DOCUME~1\DEFAUL~1\PROGRA~1\byte ledig

[18.11.2005|18:02] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Adobe
[09.01.2008|17:28] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple
[21.08.2007|15:25] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple Computer
[13.08.2007|10:58] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Avocent AdminWorks
[25.11.2008|22:10] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Blizzard
[16.10.2007|16:18] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Creative
[12.01.2008|14:39] C:\DOCUME~1\ALLUSE~1\PROGRA~1\CyberLink
[21.09.2008|13:00] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Google
[17.11.2008|19:18] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Lavasoft
[17.11.2008|20:31] C:\DOCUME~1\ALLUSE~1\PROGRA~1\LogMeIn
[07.09.2008|21:25] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Malwarebytes
[18.11.2005|17:42] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Microsoft
[18.11.2008|15:22] C:\DOCUME~1\ALLUSE~1\PROGRA~1\MicroWorld
[17.11.2008|19:57] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spybot - Search & Destroy
[18.11.2005|18:05] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Symantec
[13.08.2007|11:18] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Trend Micro
[17.11.2008|18:22] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Windows Genuine Advantage
[21.08.2007|22:16] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Windows Live Toolbar
[22.02.2008|23:47] C:\DOCUME~1\ALLUSE~1\PROGRA~1\WLInstaller
[13.08.2007|11:04] C:\DOCUME~1\ALLUSE~1\PROGRA~1\Yahoo! Companion
[0|fil(er)] C:\DOCUME~1\ALLUSE~1\PROGRA~1\byte
[22|mappe®] C:\DOCUME~1\ALLUSE~1\PROGRA~1\byte ledig

[18.11.2005|17:42] C:\DOCUME~1\NETWOR~1\PROGRA~1\Microsoft
[0|fil(er)] C:\DOCUME~1\NETWOR~1\PROGRA~1\byte
[3|mappe®] C:\DOCUME~1\NETWOR~1\PROGRA~1\byte ledig

[18.11.2005|17:42] C:\DOCUME~1\LOCALS~1\PROGRA~1\Microsoft
[0|fil(er)] C:\DOCUME~1\LOCALS~1\PROGRA~1\byte
[3|mappe®] C:\DOCUME~1\LOCALS~1\PROGRA~1\byte ledig

[18.11.2005|17:57] C:\DOCUME~1\ADMINI~1\PROGRA~1\Identities
[18.11.2005|17:42] C:\DOCUME~1\ADMINI~1\PROGRA~1\Microsoft
[18.11.2005|18:05] C:\DOCUME~1\ADMINI~1\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\ADMINI~1\PROGRA~1\byte
[5|mappe®] C:\DOCUME~1\ADMINI~1\PROGRA~1\byte ledig

[13.08.2007|11:02] C:\DOCUME~1\INGRI\PROGRA~1\Acer
[19.02.2008|02:51] C:\DOCUME~1\INGRI\PROGRA~1\Adobe
[21.08.2007|15:26] C:\DOCUME~1\INGRI\PROGRA~1\Apple Computer
[13.08.2007|10:58] C:\DOCUME~1\INGRI\PROGRA~1\Avocent AdminWorks
[11.09.2007|14:09] C:\DOCUME~1\INGRI\PROGRA~1\Creative
[12.01.2008|14:40] C:\DOCUME~1\INGRI\PROGRA~1\CyberLink
[21.09.2008|13:10] C:\DOCUME~1\INGRI\PROGRA~1\Google
[18.11.2005|17:57] C:\DOCUME~1\INGRI\PROGRA~1\Identities
[21.08.2007|15:12] C:\DOCUME~1\INGRI\PROGRA~1\LimeWire
[21.08.2007|15:19] C:\DOCUME~1\INGRI\PROGRA~1\Macromedia
[07.09.2008|21:26] C:\DOCUME~1\INGRI\PROGRA~1\Malwarebytes
[18.11.2005|17:42] C:\DOCUME~1\INGRI\PROGRA~1\Microsoft
[15.06.2008|21:47] C:\DOCUME~1\INGRI\PROGRA~1\Moyea
[24.11.2008|17:15] C:\DOCUME~1\INGRI\PROGRA~1\Sun
[18.11.2005|18:05] C:\DOCUME~1\INGRI\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\INGRI\PROGRA~1\byte
[17|mappe®] C:\DOCUME~1\INGRI\PROGRA~1\byte ledig

[18.11.2005|17:57] C:\DOCUME~1\INGRI^~1\PROGRA~1\Identities
[18.11.2005|17:42] C:\DOCUME~1\INGRI^~1\PROGRA~1\Microsoft
[18.11.2005|18:05] C:\DOCUME~1\INGRI^~1\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\INGRI^~1\PROGRA~1\byte
[5|mappe®] C:\DOCUME~1\INGRI^~1\PROGRA~1\byte ledig

[03.10.2008|12:26] C:\DOCUME~1\A-CHAN\PROGRA~1\Adobe
[03.10.2008|12:27] C:\DOCUME~1\A-CHAN\PROGRA~1\Google
[18.11.2005|17:57] C:\DOCUME~1\A-CHAN\PROGRA~1\Identities
[18.11.2005|17:42] C:\DOCUME~1\A-CHAN\PROGRA~1\Microsoft
[18.11.2005|18:05] C:\DOCUME~1\A-CHAN\PROGRA~1\Symantec
[0|fil(er)] C:\DOCUME~1\A-CHAN\PROGRA~1\byte
[7|mappe®] C:\DOCUME~1\A-CHAN\PROGRA~1\byte ledig

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[30.10.2008 21:27][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[27.11.2008 13:46][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 20:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Programfiler

[13.08.2007|11:28] C:\Programfiler\3COM
[13.08.2007|11:00] C:\Programfiler\Acer
[18.11.2005|18:02] C:\Programfiler\Adobe
[15.06.2008|21:53] C:\Programfiler\Allok MPEG4 Converter
[26.11.2008|19:37] C:\Programfiler\Alwil Software
[03.09.2008|15:00] C:\Programfiler\Apple Software Update
[16.09.2008|18:08] C:\Programfiler\Bonjour
[18.11.2005|17:46] C:\Programfiler\ComPlus Applications
[11.09.2007|13:58] C:\Programfiler\Creative
[18.11.2005|18:03] C:\Programfiler\CyberLink
[18.11.2005|17:47] C:\Programfiler\Elektroniske tjenester
[18.11.2005|17:42] C:\Programfiler\Fellesfiler
[21.09.2008|13:00] C:\Programfiler\Google
[18.11.2005|17:57] C:\Programfiler\InstallShield Installation Information
[18.11.2005|17:55] C:\Programfiler\Intel
[18.11.2005|17:47] C:\Programfiler\Internet Explorer
[06.02.2008|16:47] C:\Programfiler\iPod
[06.02.2008|16:47] C:\Programfiler\iTunes
[18.11.2005|18:08] C:\Programfiler\Java
[17.11.2008|19:18] C:\Programfiler\Lavasoft
[21.08.2007|15:12] C:\Programfiler\LimeWire
[07.09.2008|21:25] C:\Programfiler\Malwarebytes' Anti-Malware
[18.11.2005|17:46] C:\Programfiler\Messenger
[03.09.2007|22:42] C:\Programfiler\Microsoft CAPICOM 2.1.0.2
[18.11.2005|17:48] C:\Programfiler\microsoft frontpage
[13.08.2007|11:31] C:\Programfiler\Microsoft Office
[13.08.2007|11:32] C:\Programfiler\Microsoft Visual Studio
[13.08.2007|11:32] C:\Programfiler\Microsoft Works
[13.08.2007|11:31] C:\Programfiler\Microsoft.NET
[18.11.2005|17:47] C:\Programfiler\Movie Maker
[16.06.2008|07:08] C:\Programfiler\MSECACHE
[18.11.2005|17:46] C:\Programfiler\MSN Gaming Zone
[21.08.2007|22:15] C:\Programfiler\MSN Messenger
[18.11.2005|17:47] C:\Programfiler\NetMeeting
[18.11.2005|18:04] C:\Programfiler\NewTech Infosystems
[18.11.2005|17:47] C:\Programfiler\Outlook Express
[07.09.2008|20:04] C:\Programfiler\Panda Security
[06.02.2008|16:42] C:\Programfiler\QuickTime
[18.11.2005|17:57] C:\Programfiler\Realtek
[03.09.2008|15:07] C:\Programfiler\Safari
[11.09.2007|14:01] C:\Programfiler\SightSpeed
[17.11.2008|19:57] C:\Programfiler\Spybot - Search & Destroy
[13.08.2007|11:18] C:\Programfiler\Trend Micro
[18.11.2005|17:57] C:\Programfiler\Uninstall Information
[21.02.2008|13:58] C:\Programfiler\VideoLAN
[16.06.2008|07:08] C:\Programfiler\Windows Installer Clean Up
[22.02.2008|23:47] C:\Programfiler\Windows Live
[18.11.2008|14:48] C:\Programfiler\Windows Live Safety Center
[21.08.2007|22:16] C:\Programfiler\Windows Live Toolbar
[18.11.2005|17:46] C:\Programfiler\Windows Media Player
[18.11.2005|17:46] C:\Programfiler\Windows NT
[18.11.2005|17:47] C:\Programfiler\WindowsUpdate
[18.11.2005|17:48] C:\Programfiler\xerox
[13.08.2007|11:01] C:\Programfiler\Yahoo!
[0|fil(er)] C:\Programfiler\byte
[56|mappe®] C:\Programfiler\byte ledig

--------------------\\ Listing Folders in C:\Programfiler\Fellesfiler

[18.11.2005|18:02] C:\Programfiler\Fellesfiler\Adobe
[09.01.2008|18:04] C:\Programfiler\Fellesfiler\Apple
[11.01.2008|20:55] C:\Programfiler\Fellesfiler\Blizzard Entertainment
[13.08.2007|11:32] C:\Programfiler\Fellesfiler\DESIGNER
[18.11.2005|17:57] C:\Programfiler\Fellesfiler\InstallShield
[18.11.2005|17:42] C:\Programfiler\Fellesfiler\Microsoft Shared
[18.11.2005|17:47] C:\Programfiler\Fellesfiler\MSSoap
[18.11.2005|18:04] C:\Programfiler\Fellesfiler\muvee Technologies
[18.11.2005|18:04] C:\Programfiler\Fellesfiler\NewTech Infosystems
[18.11.2005|17:42] C:\Programfiler\Fellesfiler\ODBC
[18.11.2005|17:42] C:\Programfiler\Fellesfiler\SpeechEngines
[18.11.2005|17:47] C:\Programfiler\Fellesfiler\System
[18.11.2005|17:47] C:\Programfiler\Fellesfiler\Tjenester
[22.02.2008|23:47] C:\Programfiler\Fellesfiler\WindowsLiveInstaller
[17.11.2008|19:17] C:\Programfiler\Fellesfiler\Wise Installation Wizard
[0|fil(er)] C:\Programfiler\Fellesfiler\byte
[17|mappe®] C:\Programfiler\Fellesfiler\byte ledig

--------------------\\ Process

( 39 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 13:55:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\INGRI\Favoritter\YouTube\YouTube - Cracking Contraptions - The Turbo Diner.url


[F:18][D:0]-> C:\DOCUME~1\Ingri\Cookies
[F:753][D:8]-> C:\DOCUME~1\Ingri\LOKALE~1\TEMPOR~1\content.IE5
[F:2][D:0]-> C:\Recycled

1 - "C:\Lop SD\LopR_1.txt" - 26.11.2008|19:02 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 27.11.2008|13:56 - Option : [3]

--------------------\\ Scan completed at 13:56:26


Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 27, 2008 10:02:49
Records in database: 1420817
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 58164
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:56:30

No malware has been detected. The scan area is clean.

The selected area was scanned.


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02:55, on 27.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\awServ.exe
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Programfiler\Trend Micro\Internet Security 2007\pccguide.exe
C:\Programfiler\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0220Mon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Java\jre6\bin\jqs.exe
C:\Programfiler\internet explorer\iexplore.exe
C:\Documents and Settings\Ingri\Skrivebord\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programfiler\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ntiMUI] c:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programfiler\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Programfiler\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Live! Cam Manager] C:\Programfiler\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\Empowering Technology\awServ.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Spionprogrambeskyttelse fra Trend Micro (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7294 bytes
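
As an added example (not from the thread and not part of the Lop S&D tool), the following Python parses the `[dd.mm.yyyy|HH:MM] path` folder lines that Lop S&D prints, diffs the before-fix (Option 1) and after-fix (Option 3) listings to show what disappeared and what appeared, and lists folders modified in the week before the popups were first reported. The two sample listings are constructed from lines quoted in the logs above.

```python
"""Parse and diff Lop S&D-style folder listings.

Added example for this thread; it is not part of the original posts or of the
Lop S&D tool. Lop S&D prints one folder per line as "[dd.mm.yyyy|HH:MM] path"
and closes each block with counter lines such as "[0|fil(er)] ... byte", which
this parser skips. The two sample listings below are constructed from lines
quoted in the thread's Option 1 (before fix) and Option 3 (after fix) logs.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import NamedTuple

# One folder entry, e.g. "[13.08.2007|11:28] C:\Programfiler\3COM"
ENTRY_RE = re.compile(r"^\[(\d{2}\.\d{2}\.\d{4})\|(\d{2}:\d{2})\]\s+(.+?)\s*$")
STAMP_FMT = "%d.%m.%Y|%H:%M"


class Entry(NamedTuple):
    mtime: datetime
    path: str


def parse_stamp(stamp: str) -> datetime:
    """Parse a timestamp written the way the log writes it, e.g. '17.11.2008|20:32'."""
    return datetime.strptime(stamp, STAMP_FMT)


def parse_listing(text: str) -> list[Entry]:
    """Return one Entry per folder line; headings, blanks and counter lines are ignored."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section heading, blank line, or "[N|fil(er)]" / "[N|mappe...]" counter
        entries.append(Entry(parse_stamp(f"{m.group(1)}|{m.group(2)}"), m.group(3)))
    return entries


def diff_listings(before: str, after: str) -> tuple[list[str], list[str]]:
    """Paths present only in `before` (removed) and only in `after` (added).

    Windows paths are compared case-insensitively; the original spelling is returned.
    """
    b = {e.path.lower(): e.path for e in parse_listing(before)}
    a = {e.path.lower(): e.path for e in parse_listing(after)}
    removed = sorted(b[k] for k in b.keys() - a.keys())
    added = sorted(a[k] for k in a.keys() - b.keys())
    return removed, added


def recent_entries(text: str, reference: str, days: int) -> list[Entry]:
    """Folders modified within `days` before `reference` (log timestamp format), newest first.

    This is the timeline view a responder wants: which folders appeared or changed
    around the time the symptoms were first noticed.
    """
    end = parse_stamp(reference)
    start = end - timedelta(days=days)
    hits = [e for e in parse_listing(text) if start <= e.mtime <= end]
    return sorted(hits, key=lambda e: e.mtime, reverse=True)


# Constructed samples built from lines quoted in the thread (Option 1 and Option 3 logs).
BEFORE = r"""
--------------------\\ Listing Folders in C:\Programfiler

[13.08.2007|11:28] C:\Programfiler\3COM
[11.11.2008|22:02] C:\Programfiler\acebitssite
[13.08.2007|11:00] C:\Programfiler\Acer
[17.11.2008|19:18] C:\Programfiler\Lavasoft
[0|fil(er)] C:\Programfiler\byte
[56|mappe(r)] C:\Programfiler\byte ledig
"""

AFTER = r"""
--------------------\\ Listing Folders in C:\Programfiler

[13.08.2007|11:28] C:\Programfiler\3COM
[13.08.2007|11:00] C:\Programfiler\Acer
[26.11.2008|19:37] C:\Programfiler\Alwil Software
[17.11.2008|19:18] C:\Programfiler\Lavasoft
[0|fil(er)] C:\Programfiler\byte
[56|mappe(r)] C:\Programfiler\byte ledig
"""

if __name__ == "__main__":
    removed, added = diff_listings(BEFORE, AFTER)
    print("removed by the fix:", removed)   # the acebitssite folder Lop S&D deleted
    print("new since the fix:", added)      # Alwil Software (Avast) installed meanwhile
    # Folders touched in the 7 days before the first HijackThis log (17.11.2008 20:32)
    for e in recent_entries(BEFORE, "17.11.2008|20:32", days=7):
        print(e.mtime.strftime(STAMP_FMT), e.path)
```

The same diff run over the full Application Data listings in the two logs shows the second acebitssite folder under the user profile disappearing as well.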

#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 27 November 2008 - 11:47 AM

Hello.

Does your Trend Micro Internet Security include an antivirus? If so, please uninstall either that or Avast!. Otherwise, they are fine to keep.

C:\hiberfil.sys is the space used by Windows for the hibernate feature. Looks like a false positive.

I don't think the CD drive and USB problem is malware related. You might want to post in the Windows XP Forum about that after.

Set New System Restore Point
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click Next. Give the R.P. a name then click Create. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type:
    cleanmgr
  • Click OK.
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

Visit the Windows Update Site regularly.
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
    Note that it will download them for you, but you still have to actually click install.
    If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

For general slowness problems, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 30 November 2008 - 10:09 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
