HiJack This - likely trojan


  • This topic is locked
12 replies to this topic

#1 captaininternet

captaininternet

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 30 November 2008 - 12:46 PM

I run a video converter from xilisoft.com which suddenly stopped working. Web research shows that usually happens as a result of a trojan. I've had several viruses in the past months, so I don't doubt it. But I cannot for the life of me figure out where it is lurking!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:31 AM, on 11/30/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Artificial Dynamics\SafeSpace\LauncherService.exe
C:\Program Files\Artificial Dynamics\SafeSpace\SafeSpace_Agent.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O13 - Gopher Prefix:
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: AS_WAVEHook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Artificial Dynamics SafeSpace Agent - Unknown owner - C:\Program Files\Artificial Dynamics\SafeSpace\SafeSpace_Agent.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: Artificial Dynamics WAVE Launcher Service (Wave Launcher Service) - Artificial Dynamics Ltd. - C:\Program Files\Artificial Dynamics\SafeSpace\LauncherService.exe

--
End of file - 8206 bytes


#2 captaininternet

captaininternet
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 30 November 2008 - 02:47 PM

I doubt mIRC is the cause of anything, seeing as I've had that ancient thing for years.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 30, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 30, 2008 15:30:13
Records in database: 1428563
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Program Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\Default.Default-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows

Scan statistics:
Files scanned: 81827
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:48:51


File name / Threat name / Threats count
C:\Program Files\mirc\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.56 1

The selected area was scanned.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:38 PM

Posted 10 December 2008 - 02:10 PM

Hi captaininternet,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • We need to see some information about what is happening in your machine. Please perform the following scan:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results. Save the result to a notepad text file and click yes to the Optional_Scan
    • Save the scan result and copy and paste both logs to your reply.
    Please note: If the scanner fails to run, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

  • Tell me if you have run any other tools and post the logs if you have them.


#4 captaininternet

captaininternet
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 11 December 2008 - 10:16 PM

DDS (Version 1.0.1) - NTFSx86
Run by Default at 19:08:40.44 on Thu 12/11/2008
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2004 [GMT -8:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Artificial Dynamics\SafeSpace\LauncherService.exe
C:\Program Files\Artificial Dynamics\SafeSpace\SafeSpace_Agent.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Default.Default-PC\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3070829
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: AS_WAVEHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\defaul~1.def\appdata\roaming\mozilla\firefox\profiles\yikxpvcl.default\
FF - prefs.js: browser.startup.homepage -

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-11-30 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-11-30 39200]
R1 ASWave;ASWave;\??\c:\windows\system32\drivers\ASWave.sys [2008-5-6 326784]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-9-19 111184]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 Artificial Dynamics SafeSpace Agent;Artificial Dynamics SafeSpace Agent;"c:\program files\artificial dynamics\safespace\SafeSpace_Agent.EXE" [2008-5-6 155648]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-9-19 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-9-19 51792]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\TFService.exe service []
R2 Wave Launcher Service;Artificial Dynamics WAVE Launcher Service;"c:\program files\artificial dynamics\safespace\LauncherService.exe" [2008-5-6 274432]
R3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys [2008-11-30 33056]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-4-23 7808]

=============== Created Last 30 ================

2008-12-09 21:08 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-09 21:08 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-09 21:08 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-09 21:08 2,927,104 a------- c:\windows\explorer.exe
2008-12-09 21:07 827,392 a------- c:\windows\system32\wininet.dll
2008-12-09 21:07 1,383,424 a------- c:\windows\system32\mshtml.tlb
2008-12-09 21:07 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-09 21:07 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-09 21:07 94,720 a------- c:\windows\system32\logagent.exe
2008-12-09 19:45 2,048 a------- c:\windows\system32\tzres.dll
2008-12-04 19:17 170,496 a------- c:\windows\system32\tcpipcfg.dll
2008-12-04 19:17 22,528 a------- c:\windows\system32\netiougc.exe
2008-12-04 19:17 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-11-30 19:30 <DIR> --d----- c:\program files\EsetOnlineScanner
2008-11-30 11:54 <DIR> --d----- c:\program files\Vista4Experts
2008-11-30 11:50 <DIR> --d----- c:\program files\AutoRuns
2008-11-30 11:21 <DIR> --d----- c:\users\default.default-pc\.housecall6.6
2008-11-30 09:18 <DIR> --d----- c:\program files\Trend Micro
2008-11-30 09:07 <DIR> --d----- c:\program files\Driver Sweeper
2008-11-30 08:57 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2008-11-30 08:57 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2008-11-30 08:57 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2008-11-30 08:57 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2008-11-30 08:57 <DIR> --d----- c:\programdata\PC Tools
2008-11-30 08:57 <DIR> --d----- c:\program files\ThreatFire
2008-11-30 08:57 <DIR> --d----- c:\progra~2\PC Tools
2008-11-25 19:11 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-11-25 19:11 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2008-11-25 19:11 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2008-11-25 19:11 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2008-11-25 19:11 1,645,568 a------- c:\windows\system32\connect.dll
2008-11-23 15:10 <DIR> --d----- c:\users\defaul~1.def\appdata\roaming\DVDFab
2008-11-22 17:59 <DIR> --d----- c:\program files\iPod
2008-11-22 17:59 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 17:59 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 08:28 409,600 a------- c:\windows\system32\vampd.ax
2008-11-20 18:38 <DIR> --d----- c:\program files\Daniusoft
2008-11-18 19:03 <DIR> --d----- c:\program files\Torrent Harvester
2008-11-17 19:47 516,096 a------- c:\windows\system32\CLVSD.ax
2008-11-17 12:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-11-16 17:45 2,174,976 a------- c:\windows\system32\ffdshow.ax
2008-11-16 17:45 3,049,984 a------- c:\windows\system32\libavcodec.dll
2008-11-16 17:45 516,096 a------- c:\windows\system32\CLVSDS.ax
2008-11-16 17:45 364,544 a------- c:\windows\system32\cdg.dll
2008-11-16 17:45 348,160 a------- c:\windows\system32\cdga.dll
2008-11-16 17:45 114,688 a------- c:\windows\system32\PropListCtrl.ocx
2008-11-16 17:45 14,909 a------- c:\windows\system32\A_reg.reg
2008-11-16 08:02 <DIR> --d----- c:\program files\Cucusoft
2008-11-15 18:06 102,439 a------- c:\windows\system32\sipr3260.dll
2008-11-14 19:59 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-11-14 19:59 83,456 a------- c:\windows\system32\wudriver.dll
2008-11-14 19:59 162,064 a------- c:\windows\system32\wuwebv.dll
2008-11-14 19:59 31,232 a------- c:\windows\system32\wuapp.exe

==================== Find3M ====================

2008-12-11 18:03 348,371 a---h--- c:\windows\system32\drivers\vsconfig.xml
2008-11-26 09:17 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2008-11-18 19:31 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-18 19:31 51,200 a------- c:\windows\inf\infpub.dat
2008-11-18 19:31 86,016 a------- c:\windows\inf\infstor.dat
2008-11-13 15:19 293,776 a------- c:\windows\system32\drivers\vsdatant.sys
2008-11-10 12:23 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2008-10-31 19:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 19:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 19:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 19:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 19:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-30 19:37 72,624 a------- c:\users\defaul~1.def\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-10-28 21:18 410,976 a------- c:\windows\system32\deploytk.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-17 21:09 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2008-09-17 21:09 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2008-09-17 20:56 125,952 a------- c:\windows\system32\wersvc.dll
2008-09-17 20:56 147,456 a------- c:\windows\system32\Faultrep.dll
2008-09-17 18:16 2,032,640 a------- c:\windows\system32\win32k.sys
2008-09-16 20:27 453,152 a------- c:\windows\system32\nvuninst.exe
2008-08-03 05:41 87,608 a------- c:\users\defaul~1.def\appdata\roaming\inst.exe
2008-08-03 05:41 47,360 a------- c:\users\defaul~1.def\appdata\roaming\pcouffin.sys
2008-06-10 11:02 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-03 17:23 0 a------- c:\users\defaul~1.def\appdata\roaming\wklnhst.dat
2008-03-18 18:45 174 a--sh--- c:\program files\desktop.ini
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-12-01 07:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012007120120071202\index.dat
2007-08-28 22:34 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:09:57.13 ===============

Attached Files



#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:38 PM

Posted 12 December 2008 - 06:53 AM

Hi again,

Note 1: You forgot to answer my question. Please read all the instructions and carry out all of them in the order they are written or let me know if you face any problem before proceeding.

Note 2: Please copy and paste the logs to your reply instead of attaching them. If the logs are too long and needed to be attached please don't zip the file unless it is required.
  • Now we need to make sure to turn off UAC ( UAC = User Account Control )
    • Click Start, and then click Control Panel.
    • In Control Panel, click User Accounts.
    • In the User Accounts window, click User Accounts.
    • In the User Accounts tasks window, click Turn User Account Control on or off.
    • If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
    • Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK. If it is already unchecked, then you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
    • Click Restart Now to apply the change right away. (Restart even if you did not make the above change, we need to be sure that a reboot has occurred since the first time that UAC was disabled.)
    NOTE: DO NOT CONTINUE UNTIL UAC has been disabled and you have rebooted.

  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Go to Start > Control Panel > Security Center > Windows Defender, at the bottom of the Windows Defender's page, under Administrator Options uncheck "use Windows Defender" and then Save.
    • Exit the program.
    Note:When everything is done and your log is clean again, you can enable it again.

  • Make sure ThreatFire is not running as long as we are not done with all the fixes and the system is not cleaned. To do that:
    • Right-click on the system tray icon to disable/shut down/close the program.
    • Go to Start > Run, type services.msc and hit Enter.
    • In the right panel under Name tab find ThreatFire.
    • Double-click on the service and set the Startup type to Disabled.
    • Under Service status click Stop.
    • Click Apply and OK.
  • You seem to have uninstalled a previous Symantec product. If this is the case, to remove the leftovers:

    Please download and run the Norton Removal Tool.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Run CCleaner (make sure under the Windows tab all the boxes of Internet Explorer and Windows Explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under the Applications tab all the boxes should be checked). Then click Run Cleaner.

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.
Please copy/paste in your next reply:
  • The log of MBAM.
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.
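The HijackThis entries singled out above for fixing are dead registrations rather than running code: a BHO whose CLSID still exists but whose DLL is "(no file)", and, in the first log, a Symantec service whose binary is "(file missing)" plus an AppInit_DLLs line that deserves an owner check. The following is an added example, not code from this thread or from the HijackThis project: a small Python parser for HijackThis v2 entry lines that flags exactly those three indicators. The sample log is constructed from entry types that appear in this thread, and the flag rules, dataclass and function names are the example's own.

```python
"""Triage helper for HijackThis v2 scan logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the HijackThis v2 log format. The entry types mirror the
# ones discussed in this thread; it is not the poster's full log.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O20 - AppInit_DLLs: AS_WAVEHook.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# Entry lines look like "O2 - BHO: ..." / "R0 - HKCU\..."; header and process
# list lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# Registry-style CLSID, e.g. {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    kind: str  # section code: R0, O2, O4, O20, O23 ...
    body: str  # everything after the "Xn - " prefix


def parse_hjt_log(text: str) -> List[Entry]:
    """Return only the Rn/Fn/On entry lines of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def clsid_of(entry: Entry) -> str:
    """CLSID embedded in an O2/O9 style entry, or '' when the line has none."""
    m = CLSID_RE.search(entry.body)
    return m.group(0) if m else ""


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Flag the three indicator types the thread acts on; returns (entry, reason)."""
    findings = []
    for e in entries:
        if e.kind == "O2" and e.body.endswith("(no file)"):
            findings.append((e, "orphaned BHO: CLSID registered but its DLL is gone"))
        elif e.kind == "O20" and e.body.startswith("AppInit_DLLs:"):
            findings.append((e, "AppInit_DLLs loads this DLL into user-mode processes: confirm the owning product"))
        elif e.kind == "O23" and e.body.endswith("(file missing)"):
            findings.append((e, "service registered but binary missing: leftover of an incomplete uninstall"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"{entry.kind}: {reason}\n    {entry.body}")
```

A flagged line is a cleanup candidate, not evidence of infection: an orphaned BHO or a service pointing at a deleted binary is exactly what the "Fix Checked" step and the Norton Removal Tool above are meant to tidy up, while a live AppInit_DLLs entry only tells you to find out which installed product put it there.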


#6 captaininternet

captaininternet
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 12 December 2008 - 10:52 AM

Thanks for the help so far, farbar. I will be sure to follow your instructions more closely in the future. I was following the DDS instructions, rather than yours. I had no issues with my AV running any of this. Also, DDS comes up as 'suspicious file' on virustotal, but I ran it anyway. On a side note, I HATE Symantec. Their software is almost as bad as a virus. I (swear) I never installed it because of past experiences, and yet, here it is again. I will follow your next set of instructions this weekend, hopefully.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:38 PM

Posted 12 December 2008 - 11:10 AM

You are welcome, captaininternet!

No problem. Take your time and post the logs when they are ready.

#8 captaininternet

captaininternet
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 13 December 2008 - 11:18 AM

[Screenshot attached by the poster]

When I follow steps in #2, this is where I end up, without the option to: uncheck "use Windows Defender" and then Save. Can I just disable it by removing it from my startup items with CCleaner or MSConfig?

Also, in order to use the Norton removal tool, I need to know which product I have. Seeing as I don't remember installing it, this poses an issue. Should I use the shotgun approach and just run all their removal tools?

UAC was disabled the day my computer came out of the box.

Edited by captaininternet, 13 December 2008 - 11:21 AM.


#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:38 PM

Posted 14 December 2008 - 05:48 AM

Hi,

My bad. The instruction was not up to date:

Click on Tools then Options.
At the bottom of the Windows Defender's page, under Administrator Options uncheck "use Windows Defender" and then Save.
Click Close.

Norton has just one and the same removal tool for all the versions. So it doesn't matter what you download.

#10 captaininternet

captaininternet
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 14 December 2008 - 10:53 AM

Everything went well. ThreatFire was a huge pain to disable. I think I got it turned off completely. Nothing seemed to indicate any virus. VirusTotal had 12 hits for a virus for Combo Fix, as expected.




Malwarebytes' Anti-Malware 1.31
Database version: 1499
Windows 6.0.6001 Service Pack 1

12/14/2008 7:21:31 AM
mbam-log-2008-12-14 (07-21-31).txt

Scan type: Quick Scan
Objects scanned: 47033
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--- end of MBAM log

ComboFix 08-12-13.03 - Default 2008-12-14 7:33:26.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2240 [GMT -8:00]
Running from: c:\users\Default.Default-PC\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-14 07:17 . 2008-12-14 07:17 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-14 07:17 . 2008-12-14 07:17 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-14 07:17 . 2008-12-14 07:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 07:17 . 2008-12-03 19:54 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-14 07:17 . 2008-12-03 19:54 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-14 07:00 . 2008-12-14 07:00 <DIR> d-------- c:\users\All Users\NortonInstaller
2008-12-14 07:00 . 2008-12-14 07:00 <DIR> d-------- c:\programdata\NortonInstaller
2008-12-09 21:08 . 2008-10-31 17:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-09 21:08 . 2008-10-28 22:29 2,927,104 --a------ c:\windows\explorer.exe
2008-12-09 21:08 . 2008-10-20 21:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-09 21:08 . 2008-10-31 19:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-09 21:07 . 2008-06-22 17:59 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-09 21:07 . 2008-10-15 18:23 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-09 21:07 . 2008-06-22 17:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-09 21:07 . 2008-10-15 20:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-09 21:07 . 2008-06-22 17:58 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-09 19:45 . 2008-10-21 17:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-04 19:17 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\System32\zpeng25.dll
2008-12-04 19:17 . 2008-02-22 20:38 170,496 --a------ c:\windows\System32\tcpipcfg.dll
2008-12-04 19:17 . 2008-02-22 18:41 22,528 --a------ c:\windows\System32\netiougc.exe
2008-11-30 19:30 . 2008-11-30 20:33 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-30 11:54 . 2008-11-30 11:55 <DIR> d-------- c:\program files\Vista4Experts
2008-11-30 11:50 . 2008-11-30 11:53 <DIR> d-------- c:\program files\AutoRuns
2008-11-30 11:21 . 2008-11-30 12:39 <DIR> d-------- c:\users\Default.Default-PC\.housecall6.6
2008-11-30 09:18 . 2008-11-30 11:58 <DIR> d-------- c:\program files\Trend Micro
2008-11-30 09:14 . 2008-11-30 09:17 <DIR> d-------- c:\windows\BDOSCAN8
2008-11-30 09:07 . 2008-11-30 09:11 <DIR> d-------- c:\program files\Driver Sweeper
2008-11-30 08:57 . 2008-11-30 08:57 <DIR> d-------- c:\users\All Users\PC Tools
2008-11-30 08:57 . 2008-11-30 08:57 <DIR> d-------- c:\programdata\PC Tools
2008-11-30 08:57 . 2008-11-30 09:07 <DIR> d-------- c:\program files\ThreatFire
2008-11-30 08:57 . 2008-11-17 13:05 51,488 --a------ c:\windows\System32\drivers\TfFsMon.sys
2008-11-30 08:57 . 2008-11-17 13:05 39,200 --a------ c:\windows\System32\drivers\TfSysMon.sys
2008-11-30 08:57 . 2008-11-17 13:05 33,056 --a------ c:\windows\System32\drivers\TfNetMon.sys
2008-11-30 08:57 . 2008-11-17 13:05 12,576 --a------ c:\windows\System32\drivers\TfKbMon.sys
2008-11-25 19:11 . 2008-10-20 21:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 19:11 . 2008-08-27 19:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 19:11 . 2008-08-27 19:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 19:11 . 2008-08-27 19:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 19:11 . 2008-10-21 19:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-22 17:59 . 2008-11-22 18:00 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 17:59 . 2008-11-22 18:00 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 17:59 . 2008-11-22 17:59 <DIR> d-------- c:\program files\iPod
2008-11-22 17:40 . 2008-11-22 17:41 <DIR> d-------- c:\program files\QuickTime
2008-11-22 08:28 . 2006-09-11 04:13 409,600 --a------ c:\windows\System32\vampd.ax
2008-11-20 18:38 . 2008-11-20 18:38 <DIR> d-------- c:\program files\Daniusoft
2008-11-18 19:03 . 2008-11-18 19:03 <DIR> d-------- c:\program files\Torrent Harvester
2008-11-17 19:47 . 2004-01-16 15:50 516,096 --a------ c:\windows\System32\CLVSD.ax
2008-11-17 12:04 . 2008-11-17 12:04 2,306,113 --a------ c:\windows\System32\GPhotos.scr
2008-11-16 17:45 . 2007-03-25 00:51 3,049,984 --a------ c:\windows\System32\libavcodec.dll
2008-11-16 17:45 . 2007-03-25 21:40 2,174,976 --a------ c:\windows\System32\ffdshow.ax
2008-11-16 17:45 . 2004-01-16 15:50 516,096 --a------ c:\windows\System32\CLVSDS.ax
2008-11-16 17:45 . 2008-02-03 21:26 364,544 --a------ c:\windows\System32\cdg.dll
2008-11-16 17:45 . 2006-09-27 17:46 348,160 --a------ c:\windows\System32\cdga.dll
2008-11-16 17:45 . 2006-07-08 04:07 114,688 --a------ c:\windows\System32\PropListCtrl.ocx
2008-11-16 17:45 . 2006-07-17 21:42 14,909 --a------ c:\windows\System32\A_reg.reg
2008-11-16 08:02 . 2008-11-16 08:02 <DIR> d-------- c:\program files\Cucusoft
2008-11-15 18:06 . 2002-12-10 02:20 102,439 --a------ c:\windows\System32\sipr3260.dll
2008-11-14 19:59 . 2008-10-16 13:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-14 19:59 . 2008-10-16 12:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-14 19:59 . 2008-10-16 13:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-14 19:59 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-14 19:59 . 2008-10-16 12:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-14 19:59 . 2008-10-16 13:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-14 19:59 . 2008-10-16 13:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-14 19:59 . 2008-10-16 13:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-14 19:59 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 15:29 348,371 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2008-12-14 15:15 --------- d---a-w c:\programdata\TEMP
2008-12-13 16:24 --------- d-----w c:\program files\BAE
2008-12-11 01:20 --------- d-----w c:\program files\Windows Mail
2008-12-04 04:19 --------- d-----w c:\program files\BonkEnc
2008-12-03 02:59 --------- d-----w c:\program files\DVDFab 5
2008-11-26 17:17 51,792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2008-11-23 16:59 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-23 16:47 --------- d-----w c:\program files\Mp3tag
2008-11-23 02:00 --------- d-----w c:\program files\iTunes
2008-11-23 01:59 --------- d-----w c:\program files\Common Files\Apple
2008-11-19 03:31 --------- d-----w c:\program files\Zune
2008-11-16 02:35 --------- d-----w c:\programdata\DVD Shrink
2008-11-13 23:19 293,776 ----a-w c:\windows\system32\drivers\vsdatant.sys
2008-11-12 02:43 --------- d-----w c:\program files\MSXML 4.0
2008-11-10 20:23 243,840 ----a-w c:\windows\System32\ZuneWlanCfgSvc.exe
2008-11-10 20:09 73,728 ----a-w c:\windows\System32\ZuneUsbTransport.dll
2008-11-10 20:09 57,344 ----a-w c:\windows\System32\ZuneRegUtil.dll
2008-11-10 20:09 310,272 ----a-w c:\windows\System32\ZuneNetProxy.dll
2008-11-10 20:09 18,944 ----a-w c:\windows\System32\ZuneTcp2Udp.dll
2008-11-10 20:09 145,920 ----a-w c:\windows\System32\ZuneMTPZ.dll
2008-11-10 20:09 12,800 ----a-w c:\windows\System32\ZunePTDNS.dll
2008-11-09 16:44 --------- d-----w c:\program files\doubleTwist
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-29 05:18 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-10-29 05:17 --------- d-----w c:\program files\Java
2008-10-24 02:27 --------- d-----w c:\program files\Google
2008-10-19 20:58 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-10-19 18:42 --------- d-----w c:\programdata\NVIDIA
2008-10-19 18:32 --------- d-----w c:\programdata\iTunesFolderWatch
2008-10-19 18:15 --------- d-----w c:\program files\VistaCodecPack
2008-10-19 18:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-19 18:09 --------- d-----w c:\program files\SpeedFan
2008-10-19 17:57 --------- d-----w c:\program files\F-Secure Blacklight
2008-10-16 01:29 34,216,748 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_10_15_18_29_06_full.dmp.zip
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-17 04:27 453,152 ----a-w c:\windows\System32\nvuninst.exe
2008-03-19 02:45 174 --sha-w c:\program files\desktop.ini
2007-12-01 15:39 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120120071202\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Wave Tag]
@="{B19BA1A8-02E5-4283-9DEF-C7DC97E570B7}"
[HKEY_CLASSES_ROOT\CLSID\{B19BA1A8-02E5-4283-9DEF-C7DC97E570B7}]
2008-05-06 10:47 303104 --a------ c:\program files\Artificial Dynamics\SafeSpace\WaveShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AS_WAVEHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire]
--a------ 2008-11-17 13:04 263456 c:\program files\ThreatFire\TFTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-11-13 15:18 981904 c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3176529758-1266479083-2176424135-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BC866A60-6481-4A36-9BFF-2A5DC29BD1B9}"= UDP:c:\program files\RapidSolution\Tunebite\TunebiteHelper.exe:TunebiteHelper
"{E95AD97F-141E-4F9D-BAFC-57BA541ABFB8}"= TCP:c:\program files\RapidSolution\Tunebite\TunebiteHelper.exe:TunebiteHelper
"{EE2AF9A0-AA99-420A-995C-3A297295FDA1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{46BDBE94-142E-4E2C-B81F-6FC03AA1FC04}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E5294ECA-1B91-4B17-B552-AA1BCDECFD56}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{3FD6A753-7FBA-4BBD-873B-74A9A01C5A1D}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{6B88A56D-A820-4275-A6FA-8F91DE9D5783}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F92595D5-978C-458E-AC1E-D733D8190FEE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{C9D8C414-3890-4ED9-A219-6DB7F8FCE770}"= UDP:c:\temp\Backup\utorrent 1.8.exe:µTorrent (TCP-In)
"{E0003218-54CA-4B35-A099-759FDDDDF2E0}"= TCP:c:\temp\Backup\utorrent 1.8.exe:µTorrent (UDP-In)
"{AFC4BB62-8B6C-48CE-9D11-093193595FB5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{5634DD41-0779-4388-82A0-D250A0BCFC42}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{A45C5047-D0F2-462C-A9A5-566B3CF06E4F}"= UDP:c:\program files\uTorrent\utorrent 1.8.exe:µTorrent (TCP-In)
"{11974DB3-9FB4-4027-B884-CA86255B2EB7}"= TCP:c:\program files\uTorrent\utorrent 1.8.exe:µTorrent (UDP-In)
"{3C520D6D-5BDF-4E38-8BC0-86F2C2D5A23E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9A358B80-43A5-4E61-920D-B71F7F14FB75}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{60332AB2-8332-4F5A-BD5C-FB5710235301}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{09312D4A-747B-4420-8156-0D51981418ED}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-11-30 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-11-30 39200]
R1 ASWave;ASWave;\??\c:\windows\system32\drivers\ASWave.sys [2008-05-06 326784]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-19 111184]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
R2 Artificial Dynamics SafeSpace Agent;Artificial Dynamics SafeSpace Agent;"c:\program files\Artificial Dynamics\SafeSpace\SafeSpace_Agent.EXE" [2008-05-06 155648]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-09-19 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-09-19 51792]
R2 Wave Launcher Service;Artificial Dynamics WAVE Launcher Service;"c:\program files\Artificial Dynamics\SafeSpace\LauncherService.exe" [2008-05-06 274432]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-04-23 7808]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys [2008-11-30 33056]
S4 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c1ecc3e-6323-11dc-86b2-001aa08bfcf5}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-09-17 15:35]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 07:37:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-14 7:42:34
ComboFix-quarantined-files.txt 2008-12-14 15:42:32

Pre-Run: 276,226,117,632 bytes free
Post-Run: 274,735,161,344 bytes free

226 --- E O F --- 2008-12-11 01:38:15

---=== End of Combo fix log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:29 AM, on 12/14/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Artificial Dynamics\SafeSpace\LauncherService.exe
C:\Program Files\Artificial Dynamics\SafeSpace\SafeSpace_Agent.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: AS_WAVEHook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Artificial Dynamics SafeSpace Agent - Unknown owner - C:\Program Files\Artificial Dynamics\SafeSpace\SafeSpace_Agent.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: Artificial Dynamics WAVE Launcher Service (Wave Launcher Service) - Artificial Dynamics Ltd. - C:\Program Files\Artificial Dynamics\SafeSpace\LauncherService.exe

--
End of file - 7335 bytes

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:38 PM

Posted 14 December 2008 - 12:02 PM

Thanks for the feedback. ThreatFire is still running but it doesn't matter.

VirusTotal had 12 hits for a virus for Combo Fix, as expected.


Yes, it's funny in the top Antivirus support forums they recommend running Combofix a lot. But one of the applications used by Combofix (Nircmd) is detected as a risk tool.

Nothing seemed to indicate any virus:


Except this:

ADS - Windows: deleted 24 bytes in 1 streams.


But I see no other suspicious things on the logs. You have already run many tools and scanners such as F-Secure Blacklight, Trend Micro HouseCall and BitDefender online scanner.

So the problem doesn't seem malware related. I'm afraid you have to seek help at a general technical/application related forum. There you can get feedback from various people.

You may re-enable Windows Defender and UAC.

Please let me know if you have any questions before closing the topic.
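Farbar reads the ComboFix "Reg Loading Points" section by eye above. As an added example (not code from the thread, ComboFix, or any of the tools named here), the following Python parser pulls the same kind of entries out of a constructed excerpt in that log's style and flags the weakened protections visible in this log: UAC off (EnableLUA=0), Windows Firewall off per profile, Security Center monitoring disabled, and a non-empty AppInit_DLLs value. The sample input and the rule set are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the style of ComboFix's "Reg Loading Points" output (not a real log).
SAMPLE_REG_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AS_WAVEHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 1 (0x1)
"""

Section = Tuple[str, Dict[str, object]]

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
_DEC_HEX_RE = re.compile(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$")   # e.g. 0 (0x0)
_DWORD_RE = re.compile(r"^dword:([0-9A-Fa-f]{1,8})$")       # e.g. dword:00000001


def _parse_value(raw: str) -> object:
    """Normalise the value syntaxes ComboFix prints: '0 (0x0)', 'dword:...', or a bare string."""
    raw = raw.strip()
    m = _DEC_HEX_RE.match(raw)
    if m:
        return int(m.group(1))
    m = _DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    return raw


def parse_reg_points(text: str) -> List[Section]:
    """Split a 'Reg Loading Points' dump into (registry key, {value name: value}) sections."""
    sections: List[Section] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = {}
            sections.append((m.group(1), current))
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = _parse_value(m.group(2))
    return sections


def audit(sections: List[Section]) -> List[str]:
    """Return one finding per weakened protection, in the order the sections appear."""
    findings: List[str] = []
    for key, values in sections:
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]          # last path component, e.g. DomainProfile
        if k.endswith(r"policies\system") and values.get("EnableLUA") == 0:
            findings.append("UAC disabled (EnableLUA=0)")
        if k.endswith(r"currentversion\windows") and values.get("AppInit_DLLs"):
            findings.append(f"AppInit_DLLs loads {values['AppInit_DLLs']} into user-mode "
                            "processes; confirm the DLL's publisher")
        if r"security center\monitoring" in k and values.get("DisableMonitoring") == 1:
            scope = "all products" if leaf.lower() == "monitoring" else leaf
            findings.append(f"Security Center monitoring disabled for {scope}")
        if "firewallpolicy" in k and values.get("EnableFirewall") == 0:
            findings.append(f"Windows Firewall disabled for {leaf}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_points(SAMPLE_REG_POINTS)):
        print("-", finding)
```

Run against the excerpt it reports four findings and stays quiet about the PublicProfile section, where the firewall is on.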

#12 captaininternet

captaininternet
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 15 December 2008 - 08:57 PM

Well, it's nice to have a clean bill of health. Oddly, I reinstalled the software and it works fine now. But that was only one reason I suspected a virus. I've been having connectivity problems and I know I had a virus earlier this year (rhost.exe). I was fearful it wasn't fully removed.

All's well that ends well. I appreciate your assistance and guidance.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:38 PM

Posted 15 December 2008 - 09:04 PM

Glad I could help.

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.

This applies only to the original topic starter. Everyone else please begin a New Topic.
